Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware

By Darren James - Senior Product Manager Outpost24 [ Join Cybersecurity Insiders ]

Password stealing malware is again rising with several attacks making the news cycle in recent months. For instance, a new password-stealing malware named Ov3r_Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis into password-stealing malware has also revealed that one malware, in particular, is responsible for around 170 million passwords stolen in the last six months: Redline malware.

Research shows that Redline malware obtained 170 million stolen credentials in the past six months, cementing it as a favorite among the hacking community. Still, there were other password-stealing malware variants available on the market for hackers to leverage, with the next three most popular credential-stealing malware being Vidar, Raccoon Stealer and Meta.

The stolen credentials extracted by this type of malware will be sold on the dark web and used to steal information and money from victims, especially if they are using the same passwords for other accounts. Password reuse is a problem that persists in the business world and if employees are reusing work passwords on sites or devices vulnerable to malware, this could lead to compromised passwords being used and eventually exploited by hackers on a large scale.

Deeper analysis of password-stealing malware

Further insight into the top three password-stealing malware has been conducted to arm security professionals and businesses with the relevant knowledge to stay safe against latest threats against them, their users, and their users’ passwords.

Malware Number 1 – RedLine

The RedLine malware was first identified in March 2020 and surged in notoriety as a highly sought-after information stealer. Its primary objective revolves around the extraction of various personal data, including credentials, cryptocurrency wallets, and financial information. The information is then funneled into the malware’s command and control (C2) infrastructure.  A notable attribute associated with the RedLine malware is that it is often bundled together with cryptocurrency miners whose prime targets are users with powerful GPUs i.e. gamers.

Phishing is the main method for the distribution of RedLine malware with cybercriminals typically exploiting global events like the COVID-19 pandemic to entice victims to click on a malicious link to unknowingly download the malware. Since 2021, YouTube has been a go-to location to disseminate malware by embedding malicious links in the description of videos which are often promoting gaming cheats and cracks.

Malware Number 2 – Vidar

The Vidar malware is an evolution of the infamous Arkei Stealer, which employs sophisticated tactics to target specific regions based on language preferences, whitelisting certain countries for further infection. It initializes key strings and generates a Mutex for operation. Hackers have access to two distinct C2 versions: the paid Vidar Pro and the underground distributed Anti-Vidar associated with cracked versions.

In 2022, Vidar was identified in phishing campaigns, often disguised within Microsoft Compiled HTML Help (CHM) files. Moreover, distribution expanded through PPI malware service PrivateLoader, the Fallout Exploit Kit, and the Colibri loader. By late 2023, Vidar was also being propagated through the GHOSTPULSE malware loader.

Malware Number 3 – Raccoon Stealer

First located on Russian-language forum Exploit in 2019, the Raccoon Stealer malware operates under a ‘malware-as-a-service’ model, enabling clients to rent it monthly. It’s advertised with the slogan “We steal, You deal!” Raccoon stealer found its niche primarily within Russian-speaking underground forums such as Exploit and WWH-Club. Expanding its reach, the threat actor began offering it on the English-language platform, Hack Forums, towards the end of 2019.

Those selling Raccoon Stealer have even been known to market the malware with “test weeks,” giving hackers the opportunity to sample the product before committing to its use.

Issue of stolen credentials and password reuse

In the realm of cybercrime, stolen credentials are highly coveted assets. While some threat actors employ them directly for further attacks, many opt to sell them in bulk on the dark web for financial gain. The dark web, accessible only through specialized software like the Tor browser and VPN services, offers the trade of private data. This makes it a perilous space where end users’ credentials may be traded among Initial Access Brokers (IABs), posing a significant risk to organizations.

Due to the clandestine nature of the dark web and the challenges in detecting compromised credentials, organizations often struggle to ascertain if their users’ credentials have been compromised. Password reuse presents a major vulnerability, as even strong passwords can be compromised if reused on unsecure platforms. Without effective threat intelligence or scanning tools, organizations face difficulty in identifying compromised passwords listed for sale online.

The effectiveness of password-stealing malware such as RedLine cannot be overstated, but many organizations will not have protections in place to defend against these malware threats. The issue boils down to password reuse. Continuous scanning of Active Directory for compromised passwords known to be circulating on the dark web is essential to mitigate such risks, because human behavior, including password reuse proves to be the most pervasive challenge.

All the protections and security protocols in place will unravel if employees are reusing work passwords on insecure endpoints and applications, putting the wider company squarely in the crosshairs of hackers. This analysis has detailed the tools available to steal passwords, which only compounds the overall challenge considering that 91% of users understand the risk of password reuse, yet 61% continue the practice, according to research from LastPass.


Ultimately, organizations need adequate password policies and protections to ensure compromised passwords are not in circulation. This can be achieved by continuously scanning the Active Directory, and there are free password auditing tools available to jumpstart the process.  Combined, threat intelligence and password protection are essential to stay ahead of the latest threats stemming from known breached passwords.


No posts to display