
The growing Infostealer threat

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

The threat from infostealers is growing: a 670% increase in stolen-data logs offered on a single darknet marketplace illustrates how explosive the current situation is. Find out which malware families are most prevalent and how you can protect yourself in our blog article.

31.07.2024 | Last edited: 31.07.2024

What are infostealers?

Cyber attacks and digital threats are omnipresent these days. One of the most dangerous types of malware, affecting private individuals and companies alike, is the so-called infostealer. This malware is built to steal confidential information from the infected system: login data, passwords, bank details, credit card information and other personal data. It therefore poses a significant threat to IT systems and to the people who use them.

What are infostealers used for?

The captured information is transmitted to the attacker, who can use it for various illegal activities such as identity theft, financial fraud or the sale of the data on the darknet. For example, criminals can log into online accounts such as email, social media, e-banking and other services without authorisation in order to take them over. Or they can open new accounts in the victim's name, for example to make purchases through them.

Stolen credentials are also used to gain unauthorised access to corporate networks via remote access services such as Virtual Private Networks (VPNs) and Outlook Web Access (OWA). This access can lead to the exfiltration of sensitive data or the deployment of ransomware, with significant financial losses and reputational damage as the result. Although the name "infostealer" refers to data theft, this class of malware has evolved over time: many current stealers also act as loaders that deploy additional tools and malware on the infected system.

Where do Infostealers originate from?

Infostealers and the data they collect are traded on specialised forums and marketplaces on the darknet, and the volume of logs (collections of stolen data) offered for sale is increasing at an alarming rate. On Russian Market alone, the number of logs grew by 670% between June 2021 and May 2023. As of May 2023, Russian Market offered five million logs for sale, about ten times more than its nearest competitor, 2easy. Russian Market is well established among Russian-speaking cybercriminals and is used by attackers from all over the world. There is also evidence that the site is actively adapting to the ever-changing cybercrime landscape.

Infostealers are often offered on a subscription basis, with prices ranging from USD 50 to USD 100 per month. In many cases, the price includes access to a command and control (C2) server operated by the developer, as well as features for viewing, downloading and sharing stolen data. Even hosted stealer C2 servers are available and are usually sold for a flat fee.

The marketplaces used are often only accessible via Tor or the anonymisation services of the Invisible Internet Project (I2P) and usually have strict rules and specifications regarding the types of information that may be traded. The offers are usually only accessible to members.

What types of infostealers are there?

Infostealers became known in 2006 with the ZeuS Trojan, which targeted online banking credentials. After the ZeuS source code became public in 2011, the popularity of this type of malware continued to grow and numerous variants of the Trojan appeared. The following three families, which are separate developments rather than ZeuS variants, are currently among the most widespread:

  • RedLine Infostealer

    RedLine logs are the best-selling log type on Russian Market; the malware was launched in March 2020. RedLine is offered as a standalone version or as a subscription. In March 2023, the standalone ("PRO") version was offered on Telegram for 900 US dollars, subscriptions for 150 US dollars per month or 400 US dollars for three months.

    RedLine steals information from web browsers, including saved login credentials, autocomplete data, credit card information and cryptocurrency wallet data. When RedLine runs on an infected system, it also collects the user name, location data, hardware configuration and a list of installed security software.

    RedLine is distributed via cracked games and cheats, pirated applications and services, phishing campaigns and malicious adverts. Distribution via malicious Microsoft OneNote files and via YouTube (using the SM Viewbot malware) has also been observed.

  • Raccoon Infostealer

    Raccoon has quickly risen to become one of the most widespread infostealers. It is known for its ease of use and its ability to steal a variety of information, including browser data, cryptocurrency wallets and email accounts. Raccoon Stealer is often sold as Malware-as-a-Service (MaaS) on the darknet.

    The original Raccoon Stealer emerged in 2019. It did not include a distribution mechanism, so customers had to supply their own method of installing the infostealer on compromised systems. The Raccoon Stealer control panel was hosted on a Tor website.

  • Vidar Infostealer

    Vidar is another widespread infostealer known for its ability to collect a variety of data, including browser data, passwords and cryptocurrency wallet credentials. Vidar is often used as part of malware campaigns distributed via infected websites or phishing emails.

    Vidar primarily serves as an infostealer, but has also been used to spread ransomware. The malware first appeared in 2019 as part of a large-scale malvertising campaign in which threat actors used the Fallout Exploit Kit to spread Vidar and GandCrab as a secondary payload. Vidar is sold on underground forums and Telegram channels as a standalone product, typically for $130 per week to $750 for three months. Vidar offers an administration interface that allows customers to configure the malware and monitor infections.
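The three families above differ in pricing and distribution, but on the endpoint they all do the same thing: a freshly dropped executable reads the browsers' saved-login, cookie and autofill databases and any desktop wallet directories it can find. That behaviour is a good detection anchor. The following added example (written for this article, not code from NoSpamProxy or from any of the malware authors) runs two rules over constructed file-access events: a process that is not the owning browser or wallet touching a credential store, and a single process sweeping several store categories. Field names follow Sysmon's conventions for readability, but note that Sysmon itself does not record file reads; in practice the events would come from Windows object-access auditing (Event ID 4663 with a SACL on the profile directories) or from EDR file telemetry. The image allow-lists and the sample paths are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Credential stores that infostealers harvest, grouped by category.
# Patterns are Windows path fragments matched case-insensitively; forward
# slashes in events are normalised to backslashes before matching.
CREDENTIAL_STORES: Dict[str, List[str]] = {
    "chromium_logins":   [r"\\User Data\\[^\\]+\\Login Data$"],
    "chromium_autofill": [r"\\User Data\\[^\\]+\\Web Data$"],
    "chromium_cookies":  [r"\\User Data\\[^\\]+\\(Network\\)?Cookies$"],
    "chromium_key":      [r"\\User Data\\Local State$"],   # DPAPI-wrapped key for the stores above
    "firefox_logins":    [r"\\Profiles\\[^\\]+\\logins\.json$",
                          r"\\Profiles\\[^\\]+\\key4\.db$"],
    "firefox_cookies":   [r"\\Profiles\\[^\\]+\\cookies\.sqlite$"],
    "crypto_wallet":     [r"\\Exodus\\exodus\.wallet\\",
                          r"\\Electrum\\wallets\\",
                          r"\\Ethereum\\keystore\\"],
}

# Applications that legitimately open their own stores (image basenames, assumed list).
# A real deployment would also pin signer or hash: a stealer injected into the
# browser process would otherwise inherit this allowance.
STORE_OWNERS = {
    "chromium": {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"},
    "firefox":  {"firefox.exe"},
    "crypto":   {"exodus.exe", "electrum.exe", "geth.exe"},
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def store_category(path: str) -> Optional[str]:
    """Map a file path to a credential-store category, or None if it is not one."""
    normalised = path.replace("/", "\\")
    for category, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, normalised, re.IGNORECASE) for p in patterns):
            return category
    return None


def is_owner(image: str, category: str) -> bool:
    """True if the process is the application that legitimately owns this store."""
    return _basename(image) in STORE_OWNERS[category.split("_", 1)[0]]


def detect(events: List[dict], sweep_threshold: int = 3) -> List[dict]:
    """Run both rules over events carrying Image, ProcessId and TargetFilename."""
    alerts: List[dict] = []
    touched = defaultdict(set)  # (image basename, pid) -> store categories read
    for ev in events:
        category = store_category(ev["TargetFilename"])
        if category is None or is_owner(ev["Image"], category):
            continue
        key = (_basename(ev["Image"]), ev["ProcessId"])
        touched[key].add(category)
        alerts.append({"rule": "foreign_process_credential_store",
                       "image": key[0], "pid": key[1],
                       "store": category, "path": ev["TargetFilename"]})
    # Rule 2: one process touching several store categories is the harvesting
    # pattern of a stealer rather than a single stray access.
    for (image, pid), categories in touched.items():
        if len(categories) >= sweep_threshold:
            alerts.append({"rule": "credential_store_sweep", "image": image,
                           "pid": pid, "stores": sorted(categories)})
    return alerts


# Constructed sample telemetry (not real logs).
_TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe"
_CHROME_PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 4120,
     "TargetFilename": _CHROME_PROFILE + r"\Default\Login Data"},   # benign: browser reads its own store
    {"Image": _TEMP_EXE, "ProcessId": 7788, "TargetFilename": _CHROME_PROFILE + r"\Default\Login Data"},
    {"Image": _TEMP_EXE, "ProcessId": 7788, "TargetFilename": _CHROME_PROFILE + r"\Local State"},
    {"Image": _TEMP_EXE, "ProcessId": 7788, "TargetFilename": _CHROME_PROFILE + r"\Default\Network\Cookies"},
    {"Image": _TEMP_EXE, "ProcessId": 7788,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x9z3.default-release\logins.json"},
    {"Image": _TEMP_EXE, "ProcessId": 7788,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 912,
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},   # unrelated file access
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the dropped executable in the user's temp directory produces five per-file alerts and one sweep alert, while Chrome reading its own Login Data file produces none. The sweep rule is the one worth tuning: a threshold of three store categories within one process keeps backup agents that copy a whole profile directory from firing on every run, but it also means the first rule should stay enabled so that a stealer limited to a single browser is not missed.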

Infostealers in state-sponsored operations

Infostealers are not only used by cyber criminals. Because they can exfiltrate sensitive data from target systems discreetly and efficiently, they are also used by states and their intelligence services in cyber-espionage operations.

For example, Chinese groups with a state mandate have used Infostealers to spy on various state and public institutions in Asia. Among other things, keystrokes were logged and screenshots recorded.

The Infostealer ecosystem

Developing and operating infostealers involves a range of distinct tasks, and the ecosystem has split into corresponding roles and responsibilities.

In addition, the emergence of malware-as-a-service has prompted developers to constantly improve their products and address a wider range of customers. For example, Russian Market offers its users the ability to pre-order stolen credentials for a specific organisation, company or application. This allows cybercriminals to take a very targeted approach.

Developers

Malware developers are responsible for writing and maintaining the code that is packaged and sold on underground forums.

Initial Access Brokers (IABs)

IABs are individuals or groups who rent tools from MaaS operators and use these infostealers to infect systems via phishing or malicious advertising campaigns. The access and logs obtained this way are then sold on to other criminals.

Customers

Data is purchased for a variety of purposes. Financially motivated cybercriminals acquire credentials for cryptocurrency wallets, online banking or other financial services and misuse them for fraudulent withdrawals or transactions. Ransomware groups are particularly interested in infostealer logs, because credentials for RDP, VPNs and corporate accounts can provide initial access to an organisation before its data is exfiltrated and encrypted.

Log parser

Some marketplaces offer an integrated parsing function as a browser extension that gives customers direct access to device fingerprints and data. Other marketplaces, such as Russian Market and 2easy, sell raw logs, which must be parsed before their content can be interpreted and used. This has created a secondary market in which individuals sell parsing tools, either to operators who ran an infostealer themselves and want to sell structured data, or to buyers who are in possession of large raw logs.

How can you protect yourself from infostealers?

Phishing campaigns are one of the most important delivery vectors for infostealers, so comprehensive protection against them is essential. NoSpamProxy offers a range of features with which you can protect yourself against phishing attacks.

  • Checking the sender’s reputation

    Automatic sender recognition enables NoSpamProxy to determine whether an email actually originates from the specified sender. To do this, NoSpamProxy uses the sender authentication methods SPF, DKIM, DMARC and ARC. Because these methods authenticate the sending domain rather than the name shown to the recipient, NoSpamProxy additionally performs a comprehensive check of the Header-From (the From address displayed in the mail client, as opposed to the envelope sender) in order to provide targeted protection against phishing and CEO fraud attacks.

  • Level of Trust

    With the help of Level of Trust technology, NoSpamProxy learns who you or your company’s employees are contacting. Points are awarded based on a variety of characteristics, which are used to calculate the level of trust in a communication partner. However, Level of Trust is more than just a dynamic whitelist: NoSpamProxy Protection also scans outgoing emails and assigns trust points to the recipients of these emails. In this way, desired communication relationships are learnt.

  • Content Disarm and Reconstruction

    The handling of email attachments is a decisive factor in the fight against malware. With NoSpamProxy, attachments in Word, Excel or PDF format are automatically converted into non-critical PDF files based on rules. Any malicious code is removed and the recipient is sent an attachment that is guaranteed to be harmless. The PDF document optionally contains a preview page with customised information on the reason for the conversion and, if so desired, a link to the original document, which is located in a specially isolated environment.

  • CxO Fraud Detection

    NoSpamProxy’s CxO Fraud Detection compares the sender name of incoming emails with the names of important users in your organisation. In this way, fake emails sent to you or your employees in the name of superiors, employees or customers are intercepted by the spam filter.

  • 32Guards and 32Guards Sandbox

    32Guards is a powerful anti-malware intelligence that quickly and specifically recognises and fends off spam and malware attacks. 32Guards uses the metadata of emails and recognises new attack waves of all kinds in the shortest possible time.

    The 32Guards Sandbox Service adds a crucial layer of protection to your security configuration and prevents you from losing sensitive data, suffering financial damage or losing your ability to act.
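Two of the checks listed above, the sender authentication check with its separate Header-From inspection and the CxO Fraud Detection, are easy to misjudge without seeing them side by side: a CEO-fraud mail sent from an attacker-owned domain passes SPF, DKIM and DMARC perfectly well, and only the display-name comparison catches it, while a mail that spoofs your own domain fails DMARC alignment even though the attacker's infrastructure authenticates. The following added example (written for this article, not NoSpamProxy's own code) implements DMARC identifier alignment on top of SPF/DKIM results that an MTA has already computed, and a CxO display-name comparison that folds diacritics, word order and one-character typos. The protected-user list, the domains, the sample messages and the simplified organisational-domain rule (last two labels instead of the Public Suffix List) are all assumptions.

```python
import re
import unicodedata
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Constructed configuration (assumption): executives to protect and the
# addresses they really send from.
PROTECTED_USERS: Dict[str, str] = {
    "Max Mustermann": "max.mustermann@example.com",
    "Erika Musterfrau": "erika.musterfrau@example.com",
}


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels. A production
    implementation must use the Public Suffix List (this mis-handles example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ("s") = exact match, relaxed ("r") = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(from_domain: str, spf_domain: str, spf_result: str,
               dkim_results: List[Tuple[str, str]], aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if there is an aligned SPF pass or an aligned DKIM pass.
    spf_domain is the RFC5321.MailFrom domain; dkim_results are (d= domain, result) pairs."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for d, r in dkim_results)
    return spf_ok or dkim_ok


def normalize_name(display_name: str) -> str:
    """Fold a display name so lookalikes compare equal: strip diacritics via NFKD,
    lowercase, keep alphanumerics, sort tokens ('Mustermann, Max' == 'Max Mustermann')."""
    decomposed = unicodedata.normalize("NFKD", display_name)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()
    return " ".join(sorted(re.findall(r"[a-z0-9]+", folded)))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos such as 'Musterman'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cxo_fraud(from_header: str, max_distance: int = 1) -> Optional[str]:
    """Return the impersonated user's name if the display name matches a protected
    user but the address is not that user's real address; otherwise None."""
    display, addr = parseaddr(from_header)
    shown = normalize_name(display)
    if not shown:
        return None
    for real_name, real_addr in PROTECTED_USERS.items():
        if edit_distance(shown, normalize_name(real_name)) <= max_distance:
            if addr.lower() != real_addr.lower():
                return real_name
    return None


def screen(message: dict) -> List[str]:
    """Combine both checks. SPF/DKIM verdicts are assumed to come from the MTA's verifier."""
    findings: List[str] = []
    _, addr = parseaddr(message["From"])
    from_domain = addr.rsplit("@", 1)[-1]
    if not dmarc_pass(from_domain, message["EnvelopeFromDomain"], message["SPF"], message["DKIM"]):
        findings.append("dmarc_fail")
    impersonated = cxo_fraud(message["From"])
    if impersonated:
        findings.append("cxo_fraud:" + impersonated)
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    # genuine mail from the CEO: authenticated and aligned
    {"From": "Max Mustermann <max.mustermann@example.com>", "EnvelopeFromDomain": "example.com",
     "SPF": "pass", "DKIM": [("example.com", "pass")]},
    # CEO fraud from an attacker-owned domain: DMARC passes, only the name check catches it
    {"From": "Max Mustermann <max.mustermann.ceo@mail.example.net>", "EnvelopeFromDomain": "mail.example.net",
     "SPF": "pass", "DKIM": [("mail.example.net", "pass")]},
    # spoofed From domain: SPF/DKIM pass for the wrong domain, so DMARC is not aligned
    {"From": "IT Support <helpdesk@example.com>", "EnvelopeFromDomain": "bulk.sender.example.org",
     "SPF": "pass", "DKIM": [("bulk.sender.example.org", "pass")]},
    # reordered name with a diacritic lookalike
    {"From": '"Mustermann, Máx" <accounting@example.org>', "EnvelopeFromDomain": "example.org",
     "SPF": "pass", "DKIM": [("example.org", "pass")]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", screen(msg) or "clean")
```

The second and fourth sample messages are the instructive ones: every authentication mechanism reports a pass, because the attacker controls the sending domain, and the only signal left is that a name from the protected list arrives from an address that is not the executive's own. Conversely, the third message fails purely on alignment. A filter that stops at "SPF pass, DKIM pass" would let both fraud attempts through; that is why the Header-From check is a separate step and not a by-product of DMARC.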

Not yet using NoSpamProxy?

With NoSpamProxy you can reliably protect your company from cyber attacks. Request your free trial version now!
