Nameless malware that stole 1.2 TB of private data
Between 2018 and 2020, a custom Trojan-type malware infiltrated over 3 million Windows-based computers and stole 1.2 terabytes (TB) of personal information. This malware case study was performed in partnership with a third-party company specializing in data breach analysis.
Details about malware
This is a Trojan-type malware that was transmitted via email and illegal software. The software includes illegal Adobe Photoshop 2018, a Windows cracking tool, and several cracked games.
The data was collected from 3.25 million computers. The malware stole nearly 26 million login credentials holding 1.1 million unique email addresses, 2 billion+ cookies, and 6.6 million files.
Nameless, or custom, trojans such as this are widely available online for as little as $100. Their low profile often helps these viruses stay undetected and their creators unpunished.
Screenshots made by the malware reveal that the data was stolen between 2018 and 2020.
The virus assigned unique device IDs to the stolen data, so it can be sorted by the source device.
Methodology: The discovered data was divided into four broad categories for analysis: the stolen login credentials, files, cookies, and the software the data was extracted from.
Credentials
The malware got away with nearly 26 million login credentials (emails or usernames accompanied by passwords) from almost a million websites. The data was categorized into 12 different groups based on the website type.
Files
The research found that this malware also targeted files that users were storing on their desktops and in Downloads folders. In total, over 6 million files were stolen.
What kinds of files were stolen?
Over 50% of the stolen files were text files. It’s likely that a lot of this collection contains software logs. It is also concerning that some people even use Notepad to keep their passwords, personal notes, and other sensitive information.
The malware stole over 1 million images including 696,000 .png and 224,000 .jpg files. The database also contains over 650,000 Word documents and .pdf files.
The analysis revealed that the malware made a screenshot after it infected the computer and also took a picture using the device’s webcam.
Cookies
It was found that out of the total 2 billion stolen cookies, around 22% were still valid on the day of the discovery. Cookies help hackers construct an accurate picture of the habits and interests of their target. In some cases, cookies can even give access to the person’s online accounts. The stolen cookies are sorted into five groups based on the website category.
Online marketplace cookies
Online shopping cookies are used to store shopping cart data while the user browses a shop. However, they can be used to hijack a shopper’s session to break into their account where their home address and credit card details might be stored.
Online gaming cookies
Online gaming cookies collect geolocation data, time played, user’s contacts, and more. With stolen gaming cookies, hackers can take over accounts, sell valuables, or use the information to launch a more targeted attack.
File sharing site cookies
Cookies from file sharing sites like Dropbox, Slideshare, and MediaFire hold file IDs and can let hackers into the user's cloud storage if the service is not end-to-end encrypted.
Social media cookies
Social media cookies can give hackers access to people’s personal and business accounts. Hackers would then use those stolen identities to send spam messages to the victim’s friends and clients.
Video streaming services
Hackers can use video streaming cookies to access one’s location, site preferences, and search history. These cookies could even provide grounds for extortion if the data revealed that the person had been watching inappropriate content during work hours.
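The study's cookie figures (the 22% still valid on the day of discovery, and the five site categories) come from exactly this kind of triage of a recovered dump. The script below is an added example, not the study's own tooling: it parses a constructed sample in Netscape cookies.txt layout, prefixed with a made-up per-device ID like the one the malware attached to each record, and reports how many cookies were still valid at a reference time, broken down by category and source device. The category keywords and hostnames are assumptions.

```python
"""Triage a dump of exfiltrated cookies: count which were still valid at the
time of discovery, bucket them by site category, and count source devices."""
from collections import defaultdict

# Constructed sample (not real data): device ID, then Netscape cookies.txt fields
# domain, include-subdomains, path, secure, expiry (epoch seconds), name, value.
SAMPLE_DUMP = """\
dev-0001\t.shop.example\tTRUE\t/\tTRUE\t1577836800\tsessionid\tabc123
dev-0001\t.gaming.example\tTRUE\t/\tFALSE\t1893456000\tauth\tdef456
dev-0002\t.social.example\tTRUE\t/\tTRUE\t1893456000\tsid\tghi789
dev-0002\t.files.example\tTRUE\t/\tTRUE\t0\tremember\tjkl012
dev-0003\t.video.example\tTRUE\t/\tFALSE\t1546300800\tprefs\tmno345
"""

# Assumed mapping from a domain keyword to the study's five cookie groups.
CATEGORIES = {"shop": "marketplace", "gaming": "gaming", "files": "file sharing",
              "social": "social media", "video": "video streaming"}


def parse_dump(text):
    """Yield one dict per well-formed record; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 8 or not parts[5].lstrip("-").isdigit():
            continue
        yield {"device": parts[0], "domain": parts[1],
               "expires": int(parts[5]), "name": parts[6]}


def categorise(domain):
    """Map a cookie domain to a site category; anything unmatched is 'other'."""
    return next((cat for key, cat in CATEGORIES.items() if key in domain), "other")


def validity_report(text, discovered_at):
    """Summarise the dump against discovered_at (epoch seconds): overall and
    per-category valid/total counts, plus the number of distinct source devices."""
    by_category = defaultdict(lambda: [0, 0])   # category -> [valid, total]
    devices = set()
    for rec in parse_dump(text):
        # Expiry 0 marks a session cookie; that browser session is long over,
        # so it is treated as no longer valid.
        still_valid = rec["expires"] > discovered_at
        cat = categorise(rec["domain"])
        by_category[cat][0] += still_valid
        by_category[cat][1] += 1
        devices.add(rec["device"])
    total = sum(t for _, t in by_category.values())
    valid = sum(v for v, _ in by_category.values())
    return {"total": total, "valid": valid,
            "valid_pct": round(100 * valid / total, 1) if total else 0.0,
            "by_category": {k: tuple(v) for k, v in by_category.items()},
            "devices": len(devices)}


if __name__ == "__main__":
    print(validity_report(SAMPLE_DUMP, 1622505600))  # reference time: 2021-06-01 UTC
```

The same report, run over a real dump, is what lets an incident responder tell affected services which session cookies still need to be revoked.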
Software data
The database contains cookies, credentials, autofill data, and payment information from 48 applications. The research shows that the vast majority of the data was stolen from applications, mostly web browsers. The malware also stole data from messaging apps, email clients, file-sharing clients, and some gaming clients.
What is malware?
Malware is a small, malicious program that can be attached to an email or installed along with illegal software. Some malware infects the person's device immediately, while other malware may wait for days or even weeks. Every type of malware has its purpose: viruses harm the target device, ransomware encrypts it to extort the owner, and backdoors create a way for hackers to access that device at any time.
For every malware that gets worldwide recognition and coverage, there are thousands of custom viruses made specifically for the buyer's needs. These are nameless pieces of malicious code that are compiled and sold on forums and private chats for as little as $100. It’s a booming market where the creator sells the malware, teaches the buyer how to use it, and even shows how to profit off the stolen data.
How to protect your data from malware
Install antivirus software
Despite some limitations when it comes to new types of malware, antivirus software is still one of the most reliable tools protecting your system. That’s why it’s imperative to keep security software and antivirus databases up-to-date.
Practice proper cyber hygiene
Good cyber hygiene mostly means evaluating digital risks and taking appropriate steps to protect yourself. For example, if the link seems shady, don’t click on it even if it came from someone you know.
Use strong passwords
Password managers help you create strong and unique passwords. They are also much better than web browsers at storing your private data.
Download software from trusted sources
Illegal programs are often used to distribute malware. Make sure to only use legal software acquired from the creator's website, an official app store, or other trusted sources.
Block third-party cookies
Technology companies want to track people’s digital lives. Use private browsers that prevent this kind of data collection.
Regularly clean cookies
Even old cookies can reveal a great deal about your life. Delete cookies from your browsers often.
Encrypt your data
While you can never fully know whether your device is malware-free, encryption can keep you and your files safe. Even if hackers stole your files, they wouldn’t be able to access them without your master password.
Store files on an encrypted cloud
In many cases, an end-to-end encrypted cloud is the ultimate security tool. It protects your files from all kinds of malware and backs up your data in case your system is infected with ransomware.
Use multi-factor authentication
Use multi-factor authentication or single sign-on where possible for an extra layer of online protection.
Note: The NordLocker malware study has been carried out for educational purposes only. The open database was reported to US-CERT and the cloud storage provider, which has taken it down. 1.1 million unique email addresses were loaded to Have I Been Pwned, where every user can check whether they’ve been affected by this particular malware.