A nameless malware strain stole 1.2TB of personal information, including 26 million login credentials.
A trojᴀɴ virᴜs thᴀᴛ ɪɴfected ᴍɪʟʟɪᴏɴs ᴏꜰ PCs ᴀɴd sᴛᴏle 1.2 teraʙʏtes ᴏꜰ persᴏɴal ɪɴꜰᴏʀmᴀᴛiᴏɴ wᴀs ʟᴀʀɢᴇly spʀᴇᴀᴅ ᴛʜʀᴏᴜɢʜ ilʟᴇɢal sᴏꜰtwᴀʀᴇ, ɪɴcludɪɴg pirᴀᴛed ɢᴀᴍᴇs ᴀɴd a cracked versiᴏɴ ᴏꜰ Aᴅᴏʙᴇ Pʜᴏᴛosʜᴏᴘ, securɪᴛy resᴇᴀʀcʜᴇrs ꜰʀᴏᴍ NᴏʀdLocker sᴀɪᴅ. Insɪᴅᴇ tʜᴇ treᴀsᴜʀᴇ trove ᴏꜰ sᴛᴏlen dᴀᴛa ᴡᴇre 1.1 ᴍɪʟʟɪᴏɴ unique email ᴀᴅᴅresses ᴀɴd 26 ᴍɪʟʟɪᴏɴ ʟᴏɢɪɴ cʀᴇᴅentials, ᴀᴍᴏɴɢ otʜᴇr thɪɴgs.
NordLocker says a hacker group accidentally revealed the location of the database containing the stolen data, and once NordLocker was privy, it worked with a third-party company that specializes in researching data breaches to evaluate the database's contents.
What they discovered is that a custom malware strain infiltrated 3.2 million Windows PCs between 2018 and 2020. The database contained 2 billion cookies, of which over 400 million (22%) were still valid.
The database also contained 6 million files plucked from the Desktop and Downloads folders on compromised systems. Around 900,000 image files, over 600,000 Word files, and 3 million text files made up the majority of the stolen contents, though it also included over 1,000 types of other files. That's a lot of data, and to help manage it all, the malware assigned unique device IDs to the data for easier sorting.
"Screenshots made by the malware reveal that it spread via illegal software (Adobe Photoshop), Windows cracking tools, and pirated games. Moreover, the malware also photographed the user if the device had a webcam," NordLocker said.
This particular malware campaign does not have a name, in part because it flew under the radar while active, then presumably disappeared. According to NordLocker, nameless (or custom) trojans like this one are hawked on the dark web in forums and private chats, sometimes for no more than $100.
"Their low profile often helps these viruses stay undetected and their creators unpunished...It's a booming market where the creator sells the malware, teaches the buyer how to use it, and even shows how to profit off the stolen data," NordLocker says.Perfect peripherals
Best gaming mouse: the top rodents for gaming
Best gaming keyboard: your PC's best friend...
Best gaming headset: don't ignore in-game audio
This is a bit of a self-serving report, as NordLocker sells one of the best VPNs for gaming, as well as offers encrypted cloud backups. So it's no surprise that one its recommended courses of action is to try out its private cloud service.
Be that as it may, this did happen, it infected a lot of PCs, and undoubtedly there are other covert malware campaigns out there doing similar things. Of course, avoiding sketchy sites that serve up cracked downloads is always a good idea.
As for this particular campaign, NordLocker reported the open database to US-CERT, and says the 1.1 million unique email addresses have been uploaded to Have I Been Pwned, a nifty resource for checking if any of your accounts have ever been part of a known security breach. The tool is about to get even more useful, as Have I Been Pwned recently teamed up with the FBI for more timely updates, and is going open source too.