VirusTotal, the popular online service for analyzing suspicious files, URLs and IP addresses, can be used to collect credentials stolen by malware, researchers at SafeBreach have found.
In fact, with a €600 VirusTotal license, they managed to collect more than 1,000,000 credentials by running simple searches with a few tools.
The source of the compromised credentials
The credentials are contained in files that common info-stealers and keyloggers use to exfiltrate them from infected machines.
These files can end up hosted on VirusTotal because hackers use VirusTotal to advertise victims’ data for sale, or because attackers upload them by mistake, Tomer Bar, Director of Security Research at SafeBreach, told Help Net Security.
They may also be uploaded by third parties (e.g., a security researcher or the company where the C2 server is hosted) who are unaware they contain sensitive information. Finally, some environments are configured to automatically upload files to VirusTotal to verify whether they are “clean”.
Finding the files with stolen credentials
Just like Google Search can be used to search for vulnerable websites/systems, IoT devices, and sensitive data (the method is known as Google hacking or dorking), VirusTotal’s APIs and tools (VT Graph, Retrohunt, etc.) can be used to find files containing stolen data.
To prove it, the researchers compiled a list of those files’ names, acquired a monthly VirusTotal license that allowed them to run searches, explore VirusTotal’s dataset and perform malware hunts, and started searching for them.
It didn’t take long to find some. Depending on the malware, these files contain credentials for email and social media accounts, e-commerce sites, online payment services, gaming platforms, online government services, streaming platforms, online banking accounts, and private keys of cryptocurrency wallets.
They’ve also connected some of these files to specific sellers of stolen credentials on a variety of hacking forums and Telegram groups, and have shown that in some cases it may be easy for criminals to discover credentials for accessing the malware’s C2 FTP server and use them to “collect” stolen credentials.
“Our goal was to identify the data a criminal could gather with a VirusTotal license,” Bar noted, and said that they have proven this method – dubbed “VirusTotal Hacking” – works at scale.
“A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity. After victims are hacked by the original hacker, most have little visibility into what sensitive information is uploaded and stored in VirusTotal and other forums.”
The researchers urged Google – the owner of VirusTotal via its subsidiary Chronicle – to periodically search and remove files with sensitive user data and ban API keys that upload those files, and to add an algorithm that disallows uploads of files that contain sensitive cleartext data or encrypted files with the decryption password attached (either as text or included in an image).
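The same gate the researchers ask Google to add on VirusTotal’s side can be applied by any organisation whose environment auto-submits files to the service. The script below is an added example, not SafeBreach’s or VirusTotal’s code: it inspects a file (plain text or a zip of text members) for cleartext credential material of the kind infostealer dumps carry and refuses the submission when anything is found. The detection patterns, the `MAX_MEMBER` threshold and all sample values are constructed for illustration; the actual submission call is left out.

```python
"""Pre-upload gate for automated third-party scanner submissions.

Added example, not SafeBreach's or VirusTotal's code. Patterns, thresholds
and sample files are constructed for illustration.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

NL = r"[ \t]*\r?\n[ \t]*"          # line break with optional surrounding blanks
MAX_MEMBER = 5_000_000             # archive members above this size are skipped

# Constructed patterns for credential layouts commonly seen in stealer dumps.
RULES = {
    # PEM private keys (TLS, SSH, exported wallet keys)
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # "email:password" combo-list lines
    "email_password_combo": re.compile(
        r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+:\S{6,}$", re.M),
    # URL / USER / PASS triplets as written by browser-credential dumpers
    "labelled_triplet": re.compile(
        r"^[ \t]*(?:url|host(?:name)?)[ \t]*[:=][ \t]*\S+" + NL
        + r"(?:user(?:name)?|login)[ \t]*[:=][ \t]*\S+" + NL
        + r"(?:pass(?:word)?|pwd)[ \t]*[:=][ \t]*\S+", re.I | re.M),
    # any standalone "password: ..." line (config dumps, notes)
    "labelled_password": re.compile(
        r"^[ \t]*(?:pass(?:word)?|pwd)[ \t]*[:=][ \t]*\S+", re.I | re.M),
}


@dataclass
class Verdict:
    allow: bool
    findings: dict = field(default_factory=dict)   # rule name -> hit count

    @property
    def hits(self) -> int:
        return sum(self.findings.values())


def scan_text(text: str) -> Verdict:
    """Run every rule over decoded text; any hit blocks the upload."""
    findings = {}
    for name, pattern in RULES.items():
        n = len(pattern.findall(text))
        if n:
            findings[name] = n
    return Verdict(allow=not findings, findings=findings)


def _looks_binary(data: bytes) -> bool:
    return b"\x00" in data[:4096]


def _scan_zip(data: bytes) -> Verdict:
    """Inspect readable text members; flag a password note beside encrypted ones."""
    merged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        encrypted = any(i.flag_bits & 0x1 for i in members)   # bit 0 = encrypted
        for info in members:
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                continue
            body = zf.read(info)
            if _looks_binary(body):
                continue
            for k, n in scan_text(body.decode("utf-8", errors="replace")).findings.items():
                merged[k] = merged.get(k, 0) + n
            # an encrypted archive shipping its own password note is exactly
            # the bundle the recommendation says should be refused
            if encrypted and re.search(r"pass", info.filename, re.I):
                merged["password_sidecar"] = merged.get("password_sidecar", 0) + 1
    return Verdict(allow=not merged, findings=merged)


def scan_bytes(data: bytes) -> Verdict:
    """Gate one file body before submission. Binaries pass through (they are
    what the scanner is for); text and archives of text are inspected."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return _scan_zip(data)
    if _looks_binary(data):
        return Verdict(allow=True)
    return scan_text(data.decode("utf-8", errors="replace"))


# Constructed samples with fake values, mimicking stealer output.
SAMPLE_STEALER_LOG = (
    "URL: https://mail.example.test/login\nUSER: alice@example.test\nPASS: Winter2021!\n"
    "URL: https://shop.example.test\nUSER: alice\nPASS: hunter22\n"
)
SAMPLE_COMBO_LIST = "bob@example.test:P@ssw0rd123\ncarol@example.test:letmein99\n"
SAMPLE_BENIGN = "Build log\nstep 1: compile ok\nstep 2: tests passed\n"


def build_sample_zip() -> bytes:
    """A stealer-style archive: one credentials file beside a harmless one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Passwords.txt", SAMPLE_STEALER_LOG)
        zf.writestr("System.txt", SAMPLE_BENIGN)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("stealer log", SAMPLE_STEALER_LOG.encode()),
                        ("combo list", SAMPLE_COMBO_LIST.encode()),
                        ("build log", SAMPLE_BENIGN.encode()),
                        ("stealer zip", build_sample_zip())]:
        v = scan_bytes(blob)
        print(f"{label:12s} allow={v.allow} findings={v.findings}")
```

Wire `scan_bytes` in front of whatever performs the submission and log the `findings` dictionary when an upload is refused, so that a blocked file is reviewed by a human rather than silently dropped. The rules are deliberately narrow (line-anchored labels and whole-line combo entries) to keep false positives on ordinary build logs and configuration files low; widen them only with a review step behind them.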
They also pointed out that malware’s unsecured C2 communication protocols should be exploited by defenders, in concert with hosting companies, to sinkhole or terminate C2 servers.
As a final side note, stolen credentials are not the only sensitive information that can occasionally be found on VirusTotal:
I've found this on VT pic.twitter.com/U8v4ix1acx
— Florian Roth ⚡️ (@cyb3rops) January 17, 2022