Custom trojan stole data from 3 million Windows devices – analysis

Major data leaks have become almost routine news around the globe. Researchers at NordLocker say they have found yet another one: a 1.2 TB database of information stolen from computers running Windows.

Recently published research detailed the scope of the attack, carried out with Trojan-type malware that infected several million Windows computers between 2018 and 2020.

According to the analysis, the malware spread via email and pirated software, including unlicensed copies of Adobe Photoshop 2018, a Windows cracking tool, and several unlicensed video games.

In total, 3.25 million devices were breached, and the malware stole 26 million login credentials, over 1 million unique email addresses, 2 billion cookies, and 6.6 million files, the report claims.

Key companies

All of this was possible with an unnamed trojan that threat actors can buy for as little as $100. Screenshots collected by the researchers show that the criminals harvested data for two years, from 2018 until 2020.

The breach includes credentials from popular social media websites, job search engines, gaming websites, email, financial, and other service providers. NordLocker claims that stolen credentials include ‘emails or usernames accompanied by passwords.’

That includes 1.4 million Facebook credentials, 261,773 Twitter accounts, and 153,754 Instagram accounts. Hackers also stole around 190,000 Roblox and Steam credentials, over 1.5 million Google email credentials, and data on over 145,000 PayPal accounts.

Threat actors also collected credentials for Amazon, eBay, Apple, AliExpress, Walmart, Dropbox, Discord, Yandex, Uber, and many other renowned service providers.

Webcam pictures

Researchers claim that the malware targeted files users stored on their desktops and in Downloads folders, with the total number of stolen files exceeding 6 million.

Half of the stolen files were text files, many of which were probably software logs. But since people often keep passwords in plain-text notes, some of those files likely contained credentials and other personal data.

Hackers also stole over a million images stored on computers.

“The analysis revealed that the malware made a screenshot after it infected the computer and also took a picture using the device’s webcam,” NordLocker research states.

Researchers found that, of the 2 billion stolen cookies, 22% were still valid on the day of discovery. That is particularly concerning because a still-valid session cookie can be replayed to take over a logged-in session without the password, and cookies also let hackers build an accurate picture of a user's habits and interests. Cybercriminals can use this information to target persons of interest later on.

Most cookies were stolen from YouTube, with over 17 million stolen in total. NordLocker claims that hackers can use these to access user location, site preferences, and search history, providing ground for later extortion over content preferences.

Over 8 million Facebook cookies were also stolen, along with an additional 5.2 million LinkedIn cookies and 5.1 million Twitter cookies. That might lead to victims and their online friends receiving spam messages.

The breach includes 4.8 million cookies from AliExpress, 3.5 million from Amazon, and 2.6 million from Walmart websites. Hackers can use these to hijack a shopping session or break into an account where users might store data such as a home address and credit card details.

Two million Steam, 1.3 million Roblox, and 1.1 million Wargaming cookies were also stolen during the attack. Online gaming cookies hold geolocation data and time played. Threat actors can use that information in an attempt to take over an account and sell its valuables.

Browsers targeted

The database of stolen data contains information from 48 applications, primarily web browsers. The researchers claim that cookies, credentials, autofill data, and payment information were present. The malware also targeted messaging apps and email clients.

Over 19 million usernames and passwords were stolen from Google Chrome, over 3.2 million from Mozilla Firefox, and 2 million from Opera. Hackers also stole over a million credentials from Internet Explorer and Chromium-based browsers.
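Stealers like this one do not break the browser's crypto; they read the profile files on disk (Chromium's Login Data, Cookies, Web Data and Local State; Firefox's logins.json, key4.db and cookies.sqlite) and decrypt them with the logged-in user's own keys. That gives defenders a simple host-side signal: any process that is not the browser itself opening those files. The script below is an added example, not part of NordLocker's report or this article; the event records and their field names are constructed to resemble file-access telemetry (Sysmon or Windows object-access auditing would be the real source), and the trusted-browser path list is an assumption to tune for your own fleet.

```python
"""Flag non-browser processes that read browser credential or cookie stores.

Added example. The events below are constructed, not real telemetry, and the
field names ("image", "target") are an assumption about the log source.
"""
import re
from pathlib import PureWindowsPath

# Files infostealers read. Chromium family: Login Data (saved logins),
# Cookies or Network\Cookies (sessions), Web Data (autofill, cards) and
# Local State (the DPAPI-wrapped key that decrypts the others). Firefox:
# logins.json, key4.db (its key store) and cookies.sqlite. Matched on
# lowercased paths.
SENSITIVE_STORE_PATTERNS = (
    re.compile(
        r"\\user data\\(?:local state|[^\\]+\\(?:login data|cookies|web data|network\\cookies))$"
    ),
    re.compile(
        r"\\mozilla\\firefox\\profiles\\[^\\]+\\(?:logins\.json|key4\.db|cookies\.sqlite)$"
    ),
)

# Processes allowed to open those files, matched on the tail of the full path
# so a stealer dropped as %APPDATA%\chrome.exe does not pass on name alone.
# Assumed list: extend it with the browsers your users actually run.
TRUSTED_BROWSER_IMAGE_SUFFIXES = (
    "\\google\\chrome\\application\\chrome.exe",
    "\\microsoft\\edge\\application\\msedge.exe",
    "\\bravesoftware\\brave-browser\\application\\brave.exe",
    "\\mozilla firefox\\firefox.exe",
)


def is_sensitive_store(target: str) -> bool:
    """True if the accessed file is a browser credential, cookie or key store."""
    t = target.lower()
    return any(p.search(t) for p in SENSITIVE_STORE_PATTERNS)


def is_trusted_browser(image: str) -> bool:
    """True if the accessing process is a browser binary in its install directory."""
    return image.lower().endswith(TRUSTED_BROWSER_IMAGE_SUFFIXES)


def flag_events(events):
    """Return (image, target) pairs where a non-browser process touched a store."""
    hits = []
    for ev in events:
        image, target = ev["image"], ev["target"]
        if is_sensitive_store(target) and not is_trusted_browser(image):
            hits.append((image, target))
    return hits


# Constructed sample events (not real logs): one legitimate Chrome read, a
# fake installer reading Login Data and Local State, a look-alike svchost.exe
# in the user's profile reading Firefox logins, a chrome.exe running from the
# wrong directory, a legitimate Firefox read, and an unrelated file read.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\Photoshop_2018_setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\Photoshop_2018_setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3j9x1qz.default-release\logins.json"},
    {"image": r"C:\Users\alice\AppData\Roaming\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3j9x1qz.default-release\cookies.sqlite"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for image, target in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {PureWindowsPath(image).name} read {PureWindowsPath(target).name}")
```

Two caveats when running this for real: stealers usually copy a locked database to a temp file before reading it, but the copy itself is a read of the store by the stealer process, so the rule still fires; and a path-based allowlist is only a first filter, so a production rule should also check the image's code signature or hash rather than trusting the install path alone.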

How to stay safe?

There are many ways to protect against similar threats. Installing antivirus software would be a good start. Users are also advised to use strong passwords or a password manager, avoid shady links online, and download software only from trusted sources.

Using a VPN service to reduce online visibility would also contribute to a safer online experience, although a VPN does nothing against malware already running on the device. Multi-factor authentication complicates hackers' ability to log in to victims' accounts even with stolen credentials; note, however, that a stolen, still-valid session cookie lets an attacker skip the login step entirely, so after a suspected infection it is also worth signing out of all active sessions so the service invalidates them.

What to do if your password was leaked?

If you suspect that one or more of your passwords may have been leaked, we recommend taking the following steps in order to secure your data and avoid potential harm from threat actors:

  • Use our personal data leak checker and leaked password checker to see if your data has been leaked in this or other breaches.
  • If your data has been compromised, make sure to change your passwords across your online accounts. You can easily generate complex passwords with our strong password generator or consider using a password manager.
  • Enable two-factor authentication (2FA) on all of your online accounts.
  • Watch out for incoming spam emails, unsolicited texts, and phishing messages. Don’t click on anything that seems suspicious, including emails and texts from senders you don’t recognize.
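A leaked-password check can be done without ever sending the password anywhere, which is how services such as Have I Been Pwned's Pwned Passwords API work: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known suffix in that range, and does the final comparison locally (k-anonymity). The script below is an added example, not CyberNews's own checker; it implements that exchange with a constructed range response so it runs offline, and also includes a live lookup using the public api.pwnedpasswords.com endpoint. The breach count in the sample response is a made-up figure.

```python
"""k-anonymity password check against a Pwned-Passwords-style range API.

Added example. The constructed response below is sample data, not a real
API reply; only the hash prefix ever leaves the machine in the live path.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range for a prefix. Add-Padding asks the server to pad
    the response with zero-count entries so response size leaks nothing."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "leaked-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """Number of times the password appears in the corpus; 0 if not found.

    The comparison happens locally, so the server never sees the password
    or enough of its hash to recover it.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample responses keyed by prefix. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix sits under 5BAA6;
# the count and the other suffixes are invented. Zero-count lines mimic the
# padding entries the real service adds.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0DC27FB8AEC9DF5D4E5DFCD5F58E3B8E0B1:0",
        "",
    ]),
}


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for fetch_range_live."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 9f2k"):
        n = breach_count(pw, fetch_range=fetch_range_constructed)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

To run it against the live service, call `breach_count("...")` without the `fetch_range` argument. Never log the full digest or the password on the client, and treat any non-zero count as a reason to change that password everywhere it was reused.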
