Stealers on the rise: Kral, AMOS, Vidar and ACR
- November 4, 2024
- Posted by: chuckb
- Category: Securelist
In 2023, a significant spike in cybercriminal activities involving information stealers was reported, with nearly 10 million devices compromised, leading to the illegal collection of credentials for sale on the dark web or further cyberattacks. Kaspersky Digital Footprint Intelligence presents an analysis of various tools designed for this purpose, highlighting the intricacies and operations of these malicious software programs, often available through subscription models that lure novice hackers.
One prevalent stealer identified is Kral, which has evolved since its inception. It was initially discovered as a downloader for the notorious Aurora stealer, and a new variant known as Kral stealer emerged in early 2023. This malware is primarily distributed via malicious ads on adult websites, which guide victims to phishing pages for file downloads. Recent modifications to the Kral downloader, now written solely in C++, have significantly reduced its payload size. The Kral stealer targets sensitive data such as cryptocurrency wallets and browser information, storing it in a system folder before transmitting it to command and control servers using BITS, ensuring data is collected only once per session to evade detection.
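Because the stolen data leaves the host through BITS, an inventory of BITS jobs is a useful hunting source. The following is an added example, not code from the Securelist article or from Kaspersky: it reviews a constructed job inventory and flags upload-type jobs that go to hosts outside an allowlist. The record field names, job names, hosts and paths are all assumptions made for the example.

```python
from urllib.parse import urlsplit

UPLOAD_TYPES = {"Upload", "UploadReply"}  # BITS transfer types that send data out

# Assumed allowlist of hosts this fleet legitimately uploads to via BITS.
ALLOWED_HOSTS = {"telemetry.example.com"}

# Constructed sample inventory (hypothetical field names, not a real export format).
SAMPLE_JOBS = [
    {"job": "Font Download", "type": "Download", "owner": "NT AUTHORITY\\SYSTEM",
     "remote": "https://updates.example.com/fonts.cab"},
    {"job": "a1b2c3", "type": "Upload", "owner": "WORKSTATION\\alice",
     "remote": "http://collector.example.net/in.php"},
    {"job": "Telemetry", "type": "Upload", "owner": "NT AUTHORITY\\SYSTEM",
     "remote": "https://telemetry.example.com/u"},
]


def review_job(job, allowed_hosts):
    """Return the reasons a BITS job deserves analyst review (empty list if none)."""
    if job.get("type") not in UPLOAD_TYPES:
        return []  # downloads are out of scope for this exfiltration check
    try:
        url = urlsplit(job.get("remote", ""))
        host = (url.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ["upload with unparseable remote URL"]
    reasons = []
    if not host:
        reasons.append("upload with unparseable remote URL")
    elif host not in allowed_hosts:
        reasons.append(f"upload to non-allowlisted host {host}")
    if url.scheme.lower() == "http":
        reasons.append("upload over cleartext HTTP")
    return reasons


def review_inventory(jobs, allowed_hosts):
    """Map job name -> reasons for every job that needs review."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = {}
    for job in jobs:
        reasons = review_job(job, allowed)
        if reasons:
            findings[job["job"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_inventory(SAMPLE_JOBS, ALLOWED_HOSTS).items():
        print(name, "->", "; ".join(reasons))
```

A flagged job is a lead for review, not a verdict: correlate it with the owning account and the local file being sent before acting.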
Another noteworthy stealer, AMOS, first identified in early 2023, targets macOS users. Its delivery method involves impersonating the legitimate Homebrew package manager, leading unsuspecting users to download malware through malicious ads. The installation process cleverly disguises the AMOS stealer, so that users believe they are running a legitimate application. Once executed, it initiates several processes to collect vital system information and attempts to extract macOS user passwords through deceptive prompts rather than keystroke logging.
The Vidar stealer utilizes a unique distribution method through YouTube comments, embedding links to password-protected archives masquerading as legitimate software. It relies on a layered approach, where the legitimate application inadvertently loads malicious code via DLL hijacking. This intricately designed mechanism allows Vidar to ultimately deploy the ACR stealer, which specializes in stealing browser data and cryptocurrency wallets. Vidar’s functionality exemplifies a broader trend among stealers—the use of other malware as exfiltration modules, emphasizing the complexities of modern cyber threats.
The article emphasizes that stealers have become ubiquitous and increasingly popular among cybercriminals due to their effectiveness in targeting and harvesting sensitive data. While these tools primarily aim to extract cryptocurrency-related information, they also pose a significant threat to broader credentials such as corporate network access, which could facilitate devastating ransomware attacks.
To mitigate the risks associated with such malware, the article recommends enhancing cybersecurity practices, including employing two-factor authentication (2FA), creating unique passwords, and downloading software exclusively from reputable sources. It underscores the importance of vigilance—carefully verifying website authenticity before downloading any files to hinder potential attacks.
Kaspersky also offers ongoing insights into the evolving tactics, techniques, and procedures (TTPs) used by criminals, inviting users to contact their crimeware intelligence team for personalized reports and updates. The conclusion reiterates the alarming reach of stealers in cybercrime, emphasizing how they leverage both direct attacks and the sale of stolen data to maximize profit and malicious influence.