MALWARE IMPACTS FOR RETAIL AND FASHION BRANDS

Infostealer malware is designed to persist on infected devices and collect sensitive data, including personal details, financial information, and login credentials. It is commonly deployed through phishing emails and malicious attachments, or through fake mobile applications and fake ads placed on legitimate sites and platforms.

In retail, infostealer campaigns mimic retail and fashion brands through modified names and branding to appear legitimate (much like phishing), and create fake social media accounts to bolster their authenticity. The campaign's main webpages offer downloads that, once installed, infect the device. Login credentials remain extremely valuable to threat actors, even more so when they belong to third-party software-as-a-service applications such as Salesforce or Microsoft Office 365, which allow lateral movement within systems. Logs listed for sale on dark web marketplaces typically include browser cookies, passwords stored in browsers, and website login information.

Infostealers can evade defences, including weak multi-factor authentication and anti-virus software, remaining undetected on compromised devices long enough to collect the data required for financial gain. This is why ransomware groups use infostealers.

Several high-profile data breaches, including those of Ticketmaster, LendingTree, and Santander, appeared for sale on the dark web starting in May 2024. These allegedly stemmed from all victims being customers of the same company, US-based cloud computing provider Snowflake, whose users with single-factor authentication were targeted by threat actors using credentials obtained from infostealer malware and previous data breaches.

Once downloaded onto a victim's machine, infostealers harvest usernames, passwords, session cookies, search history and financial data. Cyber criminal groups known to leverage infostealers include APT29, Lapsus$ and Scattered Spider.

Days after CrowdStrike announced it had accidentally issued a faulty software update to its Falcon customers, resulting in global outages for Windows users, hackers began distributing a new infostealer dubbed ‘Daolpu’ via a fake recovery manual to those impacted across multiple industries, including retail, food and beverage, fashion and consumer goods. The campaign used phishing as its primary attack vector, with an attached Word document instructing recipients to use a ‘new recovery tool that fixes Windows devices’.

When enabled, the macros inside the document downloaded a base64-encoded DLL from an external resource and dropped it to %TMP%\mscorsvc.dll. The macros then used the Windows certutil utility to decode the base64-encoded DLL, which was executed to launch the Daolpu stealer on the compromised device.

The infostealer then harvested credentials, browser history and authentication cookies stored in Chrome, Edge and other popular web browsers.
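The Daolpu chain described above (Office document spawning a script host, certutil decoding a base64 blob into a DLL under %TMP%, the DLL then loaded by a living-off-the-land binary) maps cleanly onto three process-creation detections. The following is an added example written for this page, not code from the original article or from any vendor: it runs those three checks over constructed Sysmon-style events; the event field names and the sample paths are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1-style process creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c certutil -decode %TMP%\blob.txt %TMP%\mscorsvc.dll"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Users\alice\AppData\Local\Temp\mscorsvc.dll,Start"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign certutil use, should not fire
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\certs\server.cer"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Temp directory in either environment-variable or expanded form.
TEMP_PATH = re.compile(r"(%TMP%|%TEMP%|\\AppData\\Local\\Temp\\)", re.IGNORECASE)
# certutil switches abused to decode or fetch a payload.
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\s+.*-(decode|decodehex|urlcache)\b", re.IGNORECASE)
# A DLL loaded from the user's temp directory by rundll32/regsvr32.
DLL_FROM_TEMP = re.compile(r"(rundll32|regsvr32)(\.exe)?\s+.*\\Temp\\[^\s,]+\.dll", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection the event matches."""
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if CERTUTIL_DECODE.search(cmd) and (TEMP_PATH.search(cmd) or cmd.lower().endswith(".dll")):
        hits.append("certutil_decode_to_temp")
    if DLL_FROM_TEMP.search(cmd):
        hits.append("dll_loaded_from_temp")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, detection name) for every match across the event stream."""
    return [(i, hit) for i, e in enumerate(events) for hit in evaluate(e)]
```

Each rule fires independently, so a single decode-and-load chain produces several correlated alerts on the same host, which is the signal worth escalating.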

***Microsoft has released a custom recovery tool for those impacted.

Key Malware

  • Lumma - distributed by TA547, a financially motivated cyber criminal threat actor considered to be an initial access broker (IAB), known for targeting specific geographic regions and for delivering NetSupport RAT and payloads including StealC and Lumma Stealer.

  • Rhadamanthys - threat actors have leveraged AI to generate malware scripts that spread the Rhadamanthys infostealer. The script and accompanying Rhadamanthys payload were found to be part of a malicious phishing email campaign targeting businesses, including the popular German retailer METRO, through fake invoices.

  • Raccoon - a modular C/C++ binary designed to infect Windows-based systems, known to target browser autofill data, history and cookies, credit cards, usernames, passwords, cryptocurrency wallets, and other sensitive data.

***Dark web marketplaces including Genesis and Russian Market are renowned for organising infostealer logs to allow quicker searching by cyber criminals looking to target specific organisations and industries for financial gain.

Key Threat Actor TTPs: FlashPoint - MITRE

  • Valid Accounts (T1078): Obtained through information stealer logs, either in Telegram channels, subscription services, or venues like Russian Market.

  • Command and Scripting Interpreter (T1059): Executes commands to deploy the malware.

  • Obfuscated Files or Information (T1027): Avoids detection through obfuscation techniques.

  • Credentials from Password Stores (T1555): The information-stealing malware extracts passwords from stores.

  • Query Registry (T1012): The information-stealing malware gathers additional system and user information.

  • Data from Information Repositories (T1213): The attacker collects data from various information repositories.

  • Exfiltration Over Web Service (T1567): The data is exfiltrated to an external web server controlled by the attacker.

  • Data Encrypted for Impact (T1486): The exfiltrated data is encrypted or compressed before exfiltration.

Malicious social media ads give rise to infostealers

In July 2024, security researchers released a report on a ‘Malvertising Epidemic’ on the social media platform Facebook, describing how threat actors were leveraging it to deploy infostealer malware to obtain crypto wallets and passwords, along with credentials to take control of legitimate accounts and spread malware further.

Campaigns to deploy infostealers through social media begin with fake advertisements built around real-world topics such as celebrity culture, sports, money-off promotional deals and so forth. The idea is to entice users into clicking the ‘download’ link attached to the advertisement, inadvertently starting a chain of infection.

After clicking ‘download’, users are redirected to a webpage hosted on a legitimate platform such as Google Sites; clicking the link on that page triggers a further redirection to a malware repository set up specifically by the threat actors. Similar campaigns also take place on LinkedIn, Instagram and other popular social media platforms.

Ducktail malware is used specifically against fashion brands. Ducktail first emerged a little over 12 months ago, spreading on the social media platform Facebook and targeting business account users through spear-phishing emails. The threat actors specifically wanted to obtain admin privileges on Meta’s business service, and conducted prior research to scope out users before launching a full-scale cyber attack.

Retail and fashion brands were impacted because the malware was being hosted on public cloud file storage services and delivered as an archive file alongside popular images, text, and video files pretending to promote brands and product marketing.

From there, the malware was able to steal browser cookies and take advantage of authenticated Facebook sessions to obtain the information needed to access victims’ accounts.

Ducktail campaigns also involve going after job seekers on social media platforms such as Facebook, trying to exploit users by impersonating offerings from global brands such as L’Oréal, Fendi and Prada and retailers Gap, Mango, Macy’s and Uniqlo.

Mitigations for retailers and fashion brands:

  • Employ phishing awareness training and ensure employees know they can use the ‘Report Phishing’ option in Outlook.

  • Deploy endpoint security solutions alongside network segmentation and firewalls.

  • Monitor access control, accepting logins only from trusted locations and specific IP ranges, while monitoring and educating employees about logging out of online sessions, clearing browser cookies, and not saving login entries.

  • Transparency and communication are needed across the retail and fashion value chain, including third parties and contractors, ensuring security standards are met through regular auditing and compliance checks.

  • Monitor illicit dark web marketplaces for leaked credentials and stolen logs, alongside public-facing platforms including Telegram and log shops.
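The access-control mitigation above (accept logins only from trusted IP ranges, and watch for stolen session cookies being replayed) can be checked mechanically on authentication logs. The following is an added example written for this page, not the article's own tooling: it evaluates constructed web-session events against an assumed allow list of trusted ranges, flagging logins from outside those ranges and sessions whose cookie reappears from an untrusted address or a different browser.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed trusted ranges (documentation prefixes; substitute the retailer's real office/VPN ranges).
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed session events, in arrival order (not from any real environment).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"session": "s1", "user": "buyer01", "ip": "203.0.113.10", "ua": "Chrome/126"},
    {"session": "s1", "user": "buyer01", "ip": "192.0.2.77",   "ua": "Chrome/126"},  # cookie replayed from outside
    {"session": "s2", "user": "admin",   "ip": "198.51.100.5", "ua": "Edge/126"},
    {"session": "s2", "user": "admin",   "ip": "198.51.100.9", "ua": "Edge/126"},    # moved within trusted range
    {"session": "s3", "user": "ops",     "ip": "192.0.2.8",    "ua": "Firefox/128"}, # login from untrusted location
]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def audit(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs; the first sighting of a session is its origin."""
    findings: List[Tuple[int, str]] = []
    origin: Dict[str, Dict[str, str]] = {}
    for i, e in enumerate(events):
        trusted_src = is_trusted(e["ip"])
        if not trusted_src:
            findings.append((i, "untrusted_source_ip"))
        first = origin.setdefault(e["session"], e)
        if first is e:
            continue  # this event established the session; nothing to compare against yet
        # Same cookie, now presented from an address outside the allow list: likely stolen-cookie replay.
        if first["ip"] != e["ip"] and not trusted_src:
            findings.append((i, "session_reused_from_untrusted_ip"))
        # Same cookie, different browser fingerprint: another replay indicator.
        if first["ua"] != e["ua"]:
            findings.append((i, "session_user_agent_changed"))
    return findings
```

In production the origin table would be keyed on the server-side session store rather than rebuilt from logs, and a hit on a replay finding should invalidate the session rather than only alert.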

Mitigations for customers:

  • Passwords - keep them private; sharing them can put your data, identity and devices at risk. Children may find it tempting to share passwords with their friends, but this is not cyber secure.

  • Software updates - keep devices and software up to date, and install antivirus on devices.

  • Download and use a VPN to hide your IP address and physical location (free versions with some features, such as NordVPN, are available on the Google Play Store and Apple App Store).

  • MFA is when you use two or more proofs of identity to log in, for example your login details together with an authentication code. Additional forms of MFA include a PIN, a secret question, a fingerprint or other biometrics (which also help protect against deepfakes/AI), an authenticator app (Microsoft Authenticator is available from the Google Play Store and Apple App Store), and SMS notification.

  • Log out of online sessions, clear browser cookies, and do not save login entries, to reduce the risk of credentials being stolen through malware.
