Passwords Are Not Safe with CredRaptor in the Wild

Do you value the privacy of your company and the privacy of data that might be very dangerous in the wrong hands? If you do, CredRaptor is the threat that you want to protect yourself and your operating system against. This malware is a password-stealer, and, as you should gather right away, it can be used to record passwords. While it would be terrible to have personal passwords stolen, it might be exponentially worse to have your company’s passwords leaked. It is not fair to state that this malware targets companies exclusively because, in fact, it is much more likely to target government agencies. Of course, regardless of what kind of system is infected, it is crucial to delete CredRaptor.

It appears that the well-known Sandworm (or TeleBots) hacking group is responsible for CredRaptor. Malware experts have found that this password-stealer usually accompanies Win32/Exaramel, which is a backdoor. Quite possibly, it is an enhanced variant of the Industroyer backdoor. Needless to say, Sandworm hackers have been associated with this malware too. In fact, they have many threats under their belt, including Olympic Destroyer, BlackEnergy, and aggressive ransomware (KillDisk Ransomware and Petya Ransomware) that is known for wiping data and encrypting the MBR on Windows instead of encrypting files in a traditional manner. Without a doubt, the more infections that Sandworm attackers create/employ, the more elaborate their attacks might become, and that is the greatest danger.

Although we can never reject the possibility that Sandworm hackers will turn to anyone with a hackable system, it is obvious that they target governments first. In Ukraine, for example, the attackers used malware to leave nearly a quarter of a million people without electricity. This was not that surprising considering that Sandworm hacking group is believed to be part of the Russian military, and they have a very tense relationship with Ukraine post the annexation of Crimea in 2014. That being said, Sandworm has been going after governments all around the world. In 2016, malware associated with this group was used to compromise the elections in the United States. In 2017, the same was done with the elections in France. In 2018, hackers performed attacks against the Winter Olympics in South Korea, and they left a fake trail that led to North Korea. Clearly, this hacking group is ready to go great lengths to mess with foreign governments.

This is why it is believed that CredRaptor will be used to steal passwords from government agencies as well. Unfortunately, even government systems are not always up-to-date and vulnerability-free, which is what usually allows hackers to execute malware successfully. Once that is done, CredRaptor can steal passwords from Chrome, Firefox, Internet Explorer, and Opera browsers. This is one of the reasons why it is not recommended to save passwords on browsers. That being said, even if passwords are stored in Outlook and Windows Vault, they can be read and recorded by the infection. FTP clients are not safe either, and the threat can record passwords from them too. Unfortunately, the implications could be very serious.

If CredRaptor makes it possible for cybercriminals to access government systems, they could be able to leak large amounts of confidential and sensitive information. If this information pertains to regular people, their privacy could be jeopardized too. The domino effect could be activated with only one sensitive password in the hands of cybercriminals. To prevent that from happening, cyber security teams need to ensure that all systems are up-to-date and that reliable security software is set in place at all times. Government employees might need to be educated on virtual security too because, in many cases, system vulnerabilities can be linked to human error. Of course, if the infection is found, removal must be performed immediately, and all passwords must be changed. Also, note that if you need to remove CredRaptor, the chances are that you need to remove other threats as well.


Greenberg, A. November 15, 2019. Here's the Evidence That Links Russia’s Most Brazen Cyberattacks. WIRED.
Cherepanov, A., Lipovsky, R. October 11, 2018. New TeleBots backdoor: First evidence linking Industroyer to NotPetya. ESET.