The campaign progressed in four waves, starting in February and ending in September, with the operators relying on specially-crafted phishing pages and lure documents laced with malicious macros to download Vidar and Raccoon information stealers onto victim systems.
The ultimate goal of the attack, the researchers noted, was to steal payment and user data via several attack vectors and tools to deliver the malware.
The fake web pages were created using the Mephistophilus phishing kit, which allows attackers to create and deploy phishing landing pages engineered for distributing malware.
"Attackers sent links to fake pages that informed victims about a missing plugin required to display the document correctly," Group-IB researchers explained in an analysis of the cybercrime group's tactics last November. "If a user downloaded the plugin, their computer was infected with the password-stealing malware."
While the first wave of the campaign in February and March delivered the Vidar password stealer to intercept passwords from user browsers and various applications, subsequent iterations switched to the Raccoon stealer and AveMaria RAT to meet its objectives.
Raccoon, first documented by Cybereason last year, comes with a wide range of capabilities and communicates with a command-and-control (C2) server to siphon data — including screenshots, credit card information, cryptocurrency wallets, stored browser passwords, emails, and system details.
Raccoon is also unique in that it bypasses the blocking of active C2 servers by making a request to a Telegram channel ("blintick") in order to receive the encrypted address of the C2 server, besides offering 24×7 customer support to community questions and comments through the chat service.
AveMaria RAT, likewise, is capable of ensuring persistence, recording keystrokes, injecting malicious code, and exfiltrating sensitive files, among others.
Both Vidar and Raccoon are sold as malware-as-a-service (MaaS) on underground forums. The rental price for Vidar stealer ranges from $250 to $300 per month, whereas the latter costs $200 a month to use.
Along with the four stages described above, Group-IB also observed an interim phase between May to September 2020, during when as many as 20 online stores were infected with a modified JS-sniffer of the FakeSecurity family.
Interestingly, the infrastructure used to distribute the Vidar and Raccoon stealers shared similarities with those used to store the sniffer code and collect stolen bank card data, leading the researchers to link the two campaigns.
The development is yet another sign that adversaries are stepping up their efforts to compromise online marketplaces to pilfer customer payment information, even as law enforcement agencies are working to tackle cybercrime.
Earlier this January, the Interpol, acting on digital forensic evidence from Group-IB, nabbed three individuals associated with a group called "GetBilling" as part of an operation codenamed Night Fury for running a JS-sniffer campaign in Indonesia.