
New Raven Infostealer targets Chromium browsers and exfiltrates via Telegram, experts warn

  • Marijan Hassan - Tech Journalist
  • Sep 25

Security researchers from Point Wild's Lat61 Threat Intelligence team are sounding the alarm about a potent new information-stealing malware dubbed "Raven," which is actively targeting popular Chromium-based web browsers and leveraging the Telegram messaging platform for data exfiltration.



The Raven infostealer exhibits sophisticated capabilities designed to pilfer sensitive information from a user's browser. According to the Lat61 report, the malware specifically targets credentials, cookies, autofill data, and credit card information stored within Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This makes a vast swathe of internet users vulnerable to its attacks.


How Raven operates

Upon successful infection, Raven employs a multi-stage process to extract valuable data. Initially, it meticulously scans the infected system for installed Chromium browsers. Once identified, it proceeds to locate and decrypt stored user data. This includes:


  • Login credentials: Usernames and passwords for various online accounts.

  • Cookies: Session tokens that can be used to bypass login requirements on websites.

  • Autofill data: Personal information like names, addresses, and phone numbers.

  • Credit card information: Stored payment details, posing a direct financial risk.


A key characteristic distinguishing Raven is its reliance on Telegram for exfiltration. Instead of traditional command-and-control (C2) servers or email, the stolen data is packaged and sent directly to attacker-controlled Telegram channels or bots. This method offers several advantages to the attackers, including:


  • Anonymity: Telegram's encryption and infrastructure provide a degree of anonymity.

  • Ease of use: Attackers can easily manage stolen data and communicate through a familiar interface.

  • Evasion: Traditional network security solutions might not flag legitimate Telegram traffic, making detection more challenging.
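Because the traffic itself looks legitimate, detection has to key on which process is talking to Telegram and what that process touched beforehand. The following is an added example, not code from the Lat61 report or from this article: it correlates constructed endpoint events and flags a non-browser process that reads Chromium profile stores and then connects to the Telegram Bot API host. The event schema, allowlists, time window and sample lines are assumptions made for illustration.

```python
import json

# Chromium profile files holding the data types the article lists.
STORE_FILES = {"login data", "cookies", "web data", "local state"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}  # assumed allowlist
TELEGRAM_APPS = {"telegram.exe"}                                   # assumed allowlist
BOT_API_HOSTS = {"api.telegram.org"}
WINDOW = 300  # assumed: max seconds between store read and Telegram connection

# Constructed sample events in a hypothetical normalized schema (one JSON object per line).
SAMPLE = r"""
{"ts":1000,"host":"ws01","pid":410,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","op":"read","target":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":1010,"host":"ws02","pid":77,"image":"C:\\Python312\\python.exe","op":"connect","target":"api.telegram.org"}
{"ts":2000,"host":"ws03","pid":912,"image":"C:\\Users\\b\\AppData\\Local\\Temp\\setup_helper.exe","op":"read","target":"C:\\Users\\b\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}
{"ts":2002,"host":"ws03","pid":912,"image":"C:\\Users\\b\\AppData\\Local\\Temp\\setup_helper.exe","op":"read","target":"C:\\Users\\b\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"}
{"ts":2030,"host":"ws03","pid":912,"image":"C:\\Users\\b\\AppData\\Local\\Temp\\setup_helper.exe","op":"connect","target":"api.telegram.org"}
""".strip().splitlines()

def leaf(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(lines, window=WINDOW):
    """Flag non-Telegram processes reaching the Bot API; escalate to 'high' if
    the same process read Chromium stores within `window` seconds before."""
    reads, alerts = {}, []  # reads: (host, pid) -> list of (ts, store file)
    for ev in sorted(map(json.loads, lines), key=lambda e: e["ts"]):
        key, image = (ev["host"], ev["pid"]), leaf(ev["image"])
        if ev["op"] == "read":
            # Browsers open their own stores constantly; anything else is notable.
            if leaf(ev["target"]) in STORE_FILES and image not in BROWSERS:
                reads.setdefault(key, []).append((ev["ts"], leaf(ev["target"])))
        elif ev["op"] == "connect":
            if ev["target"].lower() in BOT_API_HOSTS and image not in TELEGRAM_APPS:
                recent = sorted({f for ts, f in reads.get(key, [])
                                 if ev["ts"] - ts <= window})
                alerts.append({"host": ev["host"], "image": image, "stores": recent,
                               "severity": "high" if recent else "review"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A Bot API connection on its own is only marked for review, since legitimate automation such as alerting scripts uses the same host; the store read by the same process is what raises it to high.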


The emergence of Raven underscores a broader trend in cybercrime. Infostealers are becoming increasingly prevalent due to their effectiveness and the relatively low barrier to entry for attackers. They are often distributed through various vectors, including:


  • Phishing emails: Malicious attachments or links disguised as legitimate communications.

  • Malvertising: Advertisements that secretly harbor and distribute malware.

  • Compromised websites: Legitimate sites injected with malicious code.

  • Cracked software/pirated content: Malware bundled with illicit downloads.


Protecting yourself from Raven and other infostealers

Cybersecurity experts recommend the following measures to mitigate the risk of infostealer infections:


  • Keep software updated: Regularly update your operating system, web browsers, and all installed software to patch known vulnerabilities.

  • Use strong, unique passwords: Employ complex, unique passwords for every online account and consider using a reputable password manager.

  • Enable two-factor authentication (2FA): 2FA adds an extra layer of security, making it significantly harder for attackers to access accounts even if they steal credentials.

  • Be wary of suspicious links and attachments: Exercise extreme caution when clicking on links or opening attachments from unknown or unexpected sources.

  • Use reputable antivirus/anti-malware software: Ensure your security software is up-to-date and actively scanning your system.

  • Regularly clear browser data: Periodically clear cookies and cached data from your browser, though this should be balanced with convenience.

  • Educate yourself: Stay informed about the latest cyber threats and best practices for online safety. You can start by following Tech News Hub on LinkedIn.
