A nameless malware resulted in a huge data heist of files, credentials, cookies and more that researchers found collected into a cloud database.
Researchers have uncovered a 1.2-terabyte database of stolen data, lifted from 3.2 million Windows-based computers over the course of two years by an unknown, custom malware. The heisted info includes 6.6 million files and 26 million credentials, and 2 billion web login cookies – with 400 million of the latter still valid at the time of the database’s discovery.
According to researchers at NordLocker, the culprit is a stealthy, unnamed malware that spread via trojanized Adobe Photoshop versions, pirated games and Windows cracking tools, between 2018 and 2020. It’s unlikely that the operators had any depth of skill to pull off their data-harvesting campaign, they added.
“The truth is, anyone can get their hands on custom malware. It’s cheap, customizable, and can be found all over the web,” the firm said in a Wednesday posting. “Dark Web ads for these viruses uncover even more truth about this market. For instance, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom does mean custom – advertisers promise that they can build a virus to attack virtually any app the buyer needs.”
The 26 million login credentials held 1.1 million unique email addresses, NordLocker found, for an array of different apps and services. These included logins for social media, online marketplaces, job-search sites, gaming sites, financial services, email and more.
A hacker group revealed the database location accidentally, according to NordLocker. The cloud provider hosting the data was notified so the database can be taken down, and Troy Hunt has added the compromised email addresses to his HaveIBeenPwned repository, so people can check to see if they’ve been impacted by the malware.
“This incident has been flagged as “sensitive” so it’s not publicly searchable,” Hunt explained. “For individuals, verifying your email address by the notification service will show if it was in this data set. For organizations, the domain search feature will allow you to search across the breadth of any domains you can verify control of.”
Millions of Stolen Files
On the file front, NordLocker found that the malware squirreled away 6 million files, lifted from the Desktop and Downloads folders. The booty included 3 million text files, more than 1 million image files and 600,000+ Word and .PDF files, along with random other file types.
“Over 50 percent of the stolen files were text files,” according to the analysis. “It’s likely that a lot of this collection contains software logs. It is also concerning that some people even use Notepad to keep their passwords, personal notes, and other sensitive information.”
The malware also stole 696,000 .PNG and 224,000 .JPG image files; and, it made a screenshot after it infected the computer and also took a picture using the device’s webcam.
How to Stay Safe from Custom Malware
Unfortunately, custom malware is difficult to fight once a device is infected, NordLocker researchers said, because as a novel threat, antivirus can’t recognize it. So, prevention is the best approach.
They recommended the following best practices:
- Web browsers are not good at protecting sensitive data. Use password managers to protect your credentials and auto-fill information.
- Malware can’t access encrypted files.
- Some cookies are valid for 90 days, and some don’t expire for an entire year. Make deleting cookies a monthly habit.
- Peer-to-peer networks are often used for spreading malware. Only download software from the developer’s website and other well-known sources.
- All malware gets recognized eventually. Make sure that your antivirus is always updated to prevent old viruses from slipping through the cracks.