Security researchers have found a method to collect vast amounts of stolen user credentials by executing searches on VirusTotal, the online service used to analyze suspicious files and URLs.
With a €600 (around $679) VirusTotal license and a few tools, the SafeBreach research team collected more than a million credentials using this technique. The goal was to identify the data a criminal could gather with a license for VirusTotal, which is owned by Google and provides a free service that can be used to upload and check suspicious files and links using several antivirus engines.
A licensed user on VirusTotal can query the service's dataset with a combination of queries for file type, file name, submitted data, country, and file content, among others. The SafeBreach team modeled its "VirusTotal hacking" on "Google hacking," the technique criminals use to search for vulnerable websites, Internet of Things devices, Web shells, and sensitive data leaks.
Many information stealers collect credentials from different forums, mail accounts, browsers, and other sources, write them to a fixed hard-coded file name — for example, "all_credentials.txt" — and then exfiltrate this file from the victim's device to the attackers' command-and-control server. Building on this, the researchers used VirusTotal tools and APIs such as Search, VirusTotal Graph, and Retrohunt to find files containing stolen data.
"It is quite a straightforward technique, which doesn't require strong understanding in malware," says Tomer Bar, director of security research at SafeBreach. "All you need is to choose one of the most common info stealers and read about it online."
The researchers based their work on known malware families, including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, as well as known forums such as DrDark and Snatch_Cloud, that are used to steal sensitive data. They found that their method works at scale.
RedLine Stealer is a form of malware sold on underground forums via a stand-alone purchase or subscription. It uses browsers to collect data such as saved credentials, autocomplete data, and credit card details. When it runs on a target machine, the malware takes a system inventory that includes information such as username, location data, hardware configuration, and the details of security software. RedLine Stealer can upload and download files and execute commands.
To start, the researchers used VirusTotal Query to search for binaries identified by at least one antivirus engine as RedLine — which returned 800 results. They also searched for files named DomainDetects.txt, which is one of the file names the malware exfiltrates. This returned hundreds of exfiltrated files.
They then turned to VirusTotal Graph, which allows licensed VirusTotal users to visually explore the dataset. There, the researchers found a file from their search results was also included in a RAR file containing exfiltrated data belonging to 500 victims — including 22,715 passwords to many different websites. Additional results included even larger files, containing more passwords. Some were for government-related URLs, the researchers noted.
The researchers' process for using each of these tools is detailed in a writeup of their findings.
The "Perfect" Cybercrime
While there are plenty of info stealers to choose from, the researchers chose five commonly used ones because files exfiltrated by widely used stealers are more likely to appear in the VirusTotal dataset.
The SafeBreach team learned and improved its queries as it explored VirusTotal, Bar says. For example, they found some attackers compress victims' data in a large archive file. VirusTotal provides a way to search for archive files containing fixed hard-coded file names, so when they found a single file, they also found stolen data belonging to hundreds of victims, he explains.
"A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach," researchers wrote in their blog post. "We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity."
The researchers reached out to Google with their findings and requested the files containing personal data from VirusTotal. They also advised periodically searching for, and removing, files with sensitive user data and banning API keys that upload those files.
SafeBreach also advised Google to add an algorithm that disallows uploading of files containing sensitive data in plaintext, or encrypted files with the decryption password attached, in text or an image.
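As an added example, not SafeBreach's tooling or anything VirusTotal ships, here is a Python pre-upload screen of the kind the last paragraph suggests: it flags a file whose name matches a stealer artifact the article mentions, or whose body reads as a plaintext credential dump. The "key: value" record format, the thresholds, and the sample data are assumptions constructed for this example.

```python
import re
from collections import Counter

# Hard-coded info-stealer output names cited in the article.
STEALER_ARTIFACT_NAMES = {"all_credentials.txt", "domaindetects.txt"}

# Heuristic line patterns. The "key: value" triplet style is a constructed
# approximation of stealer logs, not a verified RedLine format.
KV_LINE = re.compile(
    r"^\s*(url|host|username|user|login|password|pass)\s*[:=]\s*(\S.*)$", re.I
)
USER_PASS_LINE = re.compile(r"^\s*\S+@\S+\.\S+\s*[:;|]\s*\S{4,}\s*$")  # email:password


def score_credential_dump(name: str, text: str, min_records: int = 5) -> dict:
    """Decide whether a file looks like a plaintext credential dump.

    Flags the file when its name is a known stealer artifact, or when it holds
    at least `min_records` user/password records or email:password pairs.
    The threshold is an assumption chosen for this example.
    """
    keys = Counter()
    pairs = 0
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            keys[m.group(1).lower()] += 1
        elif USER_PASS_LINE.match(line):
            pairs += 1
    user_keys = keys["username"] + keys["user"] + keys["login"]
    pw_keys = keys["password"] + keys["pass"]
    # A complete record needs both a user and a password; take the smaller count.
    records = min(user_keys, pw_keys) + pairs
    by_name = name.lower() in STEALER_ARTIFACT_NAMES
    return {"name_match": by_name, "records": records,
            "block": by_name or records >= min_records}


# Constructed sample resembling a stealer log (no real data).
SAMPLE_DUMP = "".join(
    f"URL: https://example{i}.test/login\nUsername: user{i}\nPassword: hunter{i}2\n"
    for i in range(6)
)
BENIGN_README = "This is a README.\nInstall with pip.\nUsername field is optional.\n"

if __name__ == "__main__":
    print(score_credential_dump("passwords.txt", SAMPLE_DUMP))  # block: True
    print(score_credential_dump("README.txt", BENIGN_README))   # block: False
```

An upload gateway would run this on the file before accepting it and either reject the submission or route it for review, which is the check the researchers asked Google to add.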