May 1, 2024 by Cybersixgill

State of the Underground 2024: Combating RisePro, Lumma, Vidar, and other top stealer malware

Stealer malware, which secretly collects sensitive details from infected systems, has become dramatically more popular among cybercriminals recently. According to IBM’s annual X-Force Threat Intelligence Index report, this form of malware surged in usage by 266% in 2023, part of a larger increase in cyber threats targeting identities.

In our State of the Underground Report 2024, we noted the presence of four new stealers being used in large numbers, but said the incumbents remained popular. In particular, Raccoon remained the most popular stealer with 56% of all stealer listings, despite one of its central administrators being arrested. Since the beginning of the year, that storyline has changed. Now two of the three most popular stealers come from the newcomers – RisePro and Lumma – while Raccoon seems to have faded to the very back of the pack.

That shift reflects the rapidly changing dynamics of cyber threats and points to the need to be aware of the current methods posing the biggest potential danger to your network. Below we briefly describe the three most popular stealers, how they work, and measures you can take to keep such stealers at bay.

What is stealer malware?

A stealer is a category of malware that infiltrates a network and then silently gathers information in the background. It takes such vital data as an individual's personal information, login credentials, credit cards, cryptocurrency wallets, documents, and files, and then transmits it to remote command-and-control servers operated by threat actors. The information gathered can then be packaged and sold on the underground to others to initiate attacks. 

Stealers are relatively simple to create and are commonly distributed through phishing emails, malicious websites, or bundled with other software. Because of their simplicity and their rising popularity, stealers are a significant risk to organizations as well as individuals.

The top three stealers: RisePro, Vidar, and Lumma

Cybersixgill’s latest information – tracking usage from Jan. 1 to April 15, 2024 – shows the three most popular stealers to be newcomers RisePro and Lumma and established player Vidar. Other popular stealers include Stealc and Redline. Curiously enough, others that were listed in the top five in recent years, such as AZORult, Taurus, Silencer, and Raccoon, have been all but abandoned by cybercriminals.

Their decline in use, however, doesn’t mean that they are no longer a danger. They could be modified and resurrected. There may also be another newcomer that gains popularity in the coming months. The changing popularity statistics point to the fluid nature of such threats and the need to stay informed as well as on guard.

No. 1 stealer threat: RisePro

First noted in 2023, RisePro is an information-stealing malware that primarily targets Windows platforms. It is typically distributed through downloaders like win.privateloader, fake software cracks, and key generators. 

The specific attacks associated with RisePro include stealing credit card information, stealing passwords, and exfiltrating stolen data in the form of logs.

RisePro has code similarities with the malware distribution platform PrivateLoader, indicating a potential connection between the two.

No. 2 stealer: Lumma

Also first reported in 2023, Lumma is typically sold as a Malware-as-a-Service (MaaS) offering, allowing other threat actors to subscribe to and use the malware for their malicious activities. It typically spreads through phishing, malicious sites, and software downloads. 

The specific attacks associated with Lumma include information stealing, stealing cryptocurrency wallets, targeting two-factor authentication (2FA) browser extensions, and compromising Google accounts. Lumma also poses a challenge to security teams because it employs obfuscation and anti-analysis techniques to evade detection by security solutions.

No. 3 stealer: Vidar 

One of the enduring established stealers, Vidar primarily targets Windows systems, gaining access through spam emails, malicious attachments, or unintended downloads.

The specific attacks associated with Vidar include keylogging and screen capturing to grab sensitive data as it is entered by the victim, as well as file exfiltration of images, documents, and other data, to be used for identity theft or blackmail.

Vidar is constantly evolving, with new variants and updates being released by cybercriminals. This makes it challenging to detect and mitigate effectively. 

How should you protect your organization against stealers?

Stealers are stealthy, and no one action is likely to prevent them. At a minimum, we recommend taking the following steps:

  1. Use password managers: A specialized password manager application that securely stores and manages passwords is better than relying on the browser's built-in password store, which is more vulnerable.

  2. Install reliable protection: Ensure that you have reliable antivirus and anti-malware software installed throughout your attack surface. Keep this software up to date and run regular scans to detect and remove any potential malware.

  3. Keep software updated: Regularly update your operating system, web browsers, and other software applications, to protect against known vulnerabilities.

  4. Stay informed: Stay informed about the latest malware threats and cybersecurity best practices. Regularly educate yourself on how to identify and protect against different types of malware. Cybersixgill’s platform is particularly effective in this regard, tracking changes daily.

  5. Provide effective employee training: Many of the dangers posed by stealers can be mitigated to some degree by ensuring your company’s workforce is well-informed about how cybercriminals operate and why they need to follow established practices to stay safe. Security awareness across an organization is perhaps more valuable than any single technology in keeping stealers from getting a foothold and potentially causing significant damage.
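The first recommendation above, moving credentials out of the browser's built-in store, is one that can be checked and enforced centrally on Windows endpoints, which is where the stealers described here do most of their work. The following PowerShell script is an added example written for this article; it is not Cybersixgill's code and is not part of the original post. It assumes Windows hosts with Google Chrome and/or Microsoft Edge, and uses the browsers' documented PasswordManagerEnabled policy under HKLM\SOFTWARE\Policies (a value of 0 turns off built-in password saving). By default it only audits; the -Enforce switch writes the policy and requires an administrative session.

```powershell
# Added example (not from the Cybersixgill post): audit and optionally enforce the
# "don't let browsers store passwords" control from recommendation 1.
# Assumes Windows with Chrome and/or Edge managed via the documented
# PasswordManagerEnabled policy. Run as an administrator to apply changes.

[CmdletBinding()]
param(
    # Pass -Enforce to write the policy; the default is audit only.
    [switch]$Enforce
)

# Documented policy locations for Chrome and Edge (value 0 = built-in password saving disabled).
$policies = @(
    @{ Browser = 'Google Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' },
    @{ Browser = 'Microsoft Edge'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }
)

function Get-BrowserPasswordPolicy {
    # Returns one object per browser describing the current policy state.
    foreach ($p in $policies) {
        $value = $null
        if (Test-Path $p.Path) {
            $value = (Get-ItemProperty -Path $p.Path -Name 'PasswordManagerEnabled' `
                        -ErrorAction SilentlyContinue).PasswordManagerEnabled
        }
        [pscustomobject]@{
            Browser   = $p.Browser
            Path      = $p.Path
            Value     = $value            # $null means no policy is set (browser default: saving allowed)
            Compliant = ($value -eq 0)    # only an explicit 0 counts as compliant
        }
    }
}

function Set-BrowserPasswordPolicy {
    # Disables the built-in password manager for each browser by writing the policy value.
    foreach ($p in $policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name 'PasswordManagerEnabled' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Audit first so the pre-change state is visible in the output.
$before = Get-BrowserPasswordPolicy
$before | Format-Table Browser, Value, Compliant -AutoSize

if ($Enforce) {
    Set-BrowserPasswordPolicy
    Get-BrowserPasswordPolicy | Format-Table Browser, Value, Compliant -AutoSize
} elseif ($before | Where-Object { -not $_.Compliant }) {
    Write-Warning "One or more browsers still allow password saving; re-run with -Enforce to apply the policy."
}
```

Running the script without arguments on a fleet (for example through an endpoint management tool) gives a quick compliance view; a host showing Value of $null has no policy at all, which is the browser default and exactly the state the stealers above exploit. In a managed domain the same two values are normally delivered through Group Policy rather than written directly, but the audit half of the script is still useful for verifying that the policy actually landed on each machine.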

To learn more about stealers and other threats, view our on-demand webinar on what we detailed in the State of the Underground Report 2024. To see how Cybersixgill can help your organization stay ahead of the stealer threat, schedule a demonstration.
