Criminal uses infostealer to collect user logins, which he later puts up for sale online, standing to make $50,000

Jul 12, 2016 13:30 GMT  ·  By

According to an investigation by Fortinet researchers, the crook behind the recently updated Cyperine infostealer is the same man who created the "Next Man History Stealer" infostealer, from which he stands to make over $50,000 based on the credentials he managed to steal.

The company's investigation started in mid-June, when its researchers spotted a new version (v2.0) of the Cyperine infostealer that had been around since December 2014.

This latest version of the infostealer is sold as a malware builder on underground hacking forums and can steal Steam logins (SSFN files), product keys from various Windows apps, and user logins from browsers such as Chrome and Firefox.

A $35 investment can lead to serious profits

The crook was renting this tool for $5 per week as a limited trial and was also selling lifetime licenses for $35. Besides renting it out, the crook was using it himself, infecting victims, stealing their passwords and selling the account credentials online to make a profit on the side.

Based on the ads seen by Fortinet, the crook was selling uPlay accounts for $5 apiece, Netflix and Spotify credentials for $1, Uber logins for $2, and SurfEasy accounts for $3.

While analyzing the Cyperine malware builder, researchers were able to discover that the binary was compiled and signed by "DESKTOP-DIEEPURMatthew."

Cyperine has ties with Next Man History Stealer

This very same string was also encountered in a new malware family that appeared around a week after Cyperine 2.0. This was the "Next Man History Stealer" (NMHS), another infostealer, also capable of collecting user credentials and sending them back to the crook.

Cyperine builder

The difference between Cyperine and NMHS is that Cyperine sends stolen data to the attacker via SMTP (email) while NMHS sends the data to a remote server folder via FTP.

For both infostealers, Fortinet researchers were able to access the email address and the FTP server to which the stolen data was sent. While the Cyperine email address did not show much activity, they found over 50,000 accounts in the FTP folder.

Fortinet discovers 40,000 compromised Rogers TV accounts

Most of these accounts, around 40,000, were from Rogers TV, a Canadian television group. Researchers also found nearly 8,000-9,000 compromised Netflix accounts. Based on their market value, the crook stands to make around $50,000 just by selling these credentials.

Fortinet could not determine whether the credentials were stolen by the NMHS author or by someone else who rented the tool. The company reported the FTP account to the hosting company, which suspended it and reported the infraction to law enforcement.

This goes to show the commoditization of malware. Just by renting an ordinary infostealer, a less technically skilled crook can make a huge amount of money if they manage to infect enough users.

Crook's expected profit
