CredRaptor Threatens the Virtual Security of Victims It Attacks

CredRaptor is not an infection anyone would want to find on their operating system. Obviously, none of us want to find any kind of malware at all, but we especially do not want to find malware capable of stealing passwords. Unfortunately, if passwords are successfully stolen, they can be used to take over accounts, impersonate victims, use their reputable names to spread malware or extract information, as well as perform theft of money and confidential data. Of course, this infection is most likely to be used in cyber-espionage attacks targeted at governments and large companies. That is because this malware was created by the infamous TeleBots hacking group that is also known by the name Sandworm.

Before we start analyzing CredRaptor, it is important to understand who created this stealthy info-stealer. The TeleBots hacking group has been active for quite some time now, and WIRED researchers are linking it to the Russian military agency, GRU. According to them, this group has been linked to the first-ever malware-related blackout, when power was shut off for 225,000 Ukrainians in 2015. TeleBots hackers also stand behind NotPetya Ransomware that caused damage worth of $10 billion. They also interfered with the 2016 US elections and the 2017 France elections, as well as almost destroyed the 2018 Winter Olympics opening ceremony using Olympic Destroyer. Needless to say, the TeleBots hacking group is very aggressive, and, at this point, there is no one that can match its activity, success, and threat.

The arsenal of malware that TeleBots hackers are using keeps growing, and now is time to meet the malicious CredRaptor. According to ESET researchers, so far, this info-stealer has only been observed working with the Exaramel Backdoor, which has been active since 2018 and is believed to be a new variant of Industroyer Backdoor. Of course, different combinations of threats could be employed in the future. The bottom line is that hackers have found a tool that can help them leak highly confidential information. This malware can record Microsoft Outlook passwords and Windows Vault passwords. Also, it records the passwords from various FTP clients, including BitKinex FTP, BulletProof FTP Client, Classic FTP, CoffeeCup, Core FTP, Cryer WebSitePublisher, CuteFTP, FAR Manager, FileZilla, FlashFXP, Frigate3, FTP Commander, FTP Explorer, FTP Navigator, SmartFTP, SoftX FTP Client, Total Commander, TurboFTP, WinSCP, and WS_FTP Client. Finally, it can record the passwords stored on Google Chrome, Internet Explorer, Mozilla Firefox, and Opera web browsers.

Even if CredRaptor was unleashed to attack individual users, serious damage could be made because stolen passwords and login credentials can be sold online. They also can be used to impersonate victims, which might allow the attackers to steal money, spread malware, and, of course, gain access to vulnerable accounts or systems. Needless to say, CredRaptor can do much greater damage if it allows hackers to access government-level accounts. Using such access, they could again try to tamper with elections, cause electric grid blackouts, or even try to pit different governments against one another, which might have been the intention behind the 2018 Winter Olympics hacking. Luckily, it was soon discovered that North Korea had nothing to do with the hacks in Pyeongchang, South Korea.

If CredRaptor invades an operating system, it is most likely to do that with the help of a malicious backdoor, and you are likely to find other threats running along with it as well. Without a doubt, cyber attackers know the tricks and the backdoors that can help them drop this kind of malware without notice, which is why it is important that you take care of your operating system and, at the same time, your own virtual security. First and foremost, it is crucial to update the operating system and the installed applications. Outdated systems are the vulnerable ones because backdoors are exposed and can be exploited. It is also important to implement security systems that can be trusted. Opening spam emails, downloading files from unreliable websites, and clicking strange links should not be done either. If all of this is taken care of, hopefully, the removal of CredRaptor will not even be an issue.

References

BBC. January 11, 2017. Ukraine power cut was cyber-attack. BBC.
Cherepanov, A. and Lipovsky, R. October 11, 2018. New TeleBots backdoor: First evidence linking Industroyer to NotPetya. ESET.
Greenberg, A. November 15, 2019. Here's the Evidence That Links Russia’s Most Brazen Cyberattacks. WIRED.