What are infostealers?
Cyber attacks and digital threats are omnipresent these days. One of the most dangerous types of malware that affects both private individuals and companies is the so-called Infostealer. This malware aims to steal confidential information and therefore poses a significant threat to IT systems and individuals. This information includes login data, passwords, bank details, credit card information and other personal data.
What are infostealers used for?
The captured information is transmitted to the attacker, who can use it for various illegal activities such as identity theft, financial fraud or the sale of this data on the darknet. For example, criminals can log into online accounts such as email, social media, e-banking and other services without authorisation in order to take them over. Or they can open new accounts in the victim’s name, for example to make purchases via these accounts.
Stolen credentials are also used to gain unauthorised access to corporate networks via remote access services such as Virtual Private Networks (VPNs) and Microsoft Office Web Access (OWA). This unauthorised access can lead to the exfiltration of sensitive data or the use of ransomware, which can result in significant financial losses and reputational damage. Although the name ‘Infostealer’ refers to data theft, this malware has evolved over time to include the deployment of additional tools and malware.
Where do Infostealers originate from?
Infostealers are distributed via special forums and markets on the dark net, with the volume of logs or collections of stolen data for sale increasing at an alarming rate. On Russian Market alone, the total growth between June 2021 and May 2023 was 670%. As of May 2023, Russian Market offered five million logs for sale, about ten times more than its nearest competitor 2easy. Russian Market is very well established among Russian cybercriminals and is widely used by attackers from all over the world. There is also evidence that the website is actively adapting to the ever-changing cybercrime landscape.
Infostealers are often offered on a subscription basis, with prices ranging from USD 50 to USD 100 per month. In many cases, the price includes access to a command and control (C2) server operated by the developer, as well as features for viewing, downloading and sharing stolen data. Even hosted stealer C2 servers are available and are usually sold for a flat fee.
The marketplaces used are often only accessible via Tor or the anonymisation services of the Invisible Internet Project (I2P) and usually have strict rules and specifications regarding the types of information that may be traded. The offers are usually only accessible to members.
What types of infostealers are there?
Infostealers became known in 2006 with the ZeuS Trojan, which targeted online banking credentials. After the release of the ZeuS source code in March 2011, the popularity of this type of malware continued to grow and several variants of the Trojan were created. The following three variants are currently among the most popular:
Infostealers commissioned by the state
Infostealers are not only used by cyber criminals. As Infostealers are capable of discreetly and efficiently exfiltrating sensitive data from target systems, they are often used by states and their intelligence services focussing on cyber espionage operations.
For example, Chinese groups with a state mandate have used Infostealers to spy on various state and public institutions in Asia. Among other things, keystrokes were logged and screenshots recorded.
The Infostealer ecosystem
Developing, distributing and monetising Infostealers involves a variety of tasks, so several distinct roles and responsibilities have emerged around their use.
In addition, the emergence of malware-as-a-service (MaaS) has prompted developers to constantly improve their products and address a wider range of customers. For example, Russian Market offers its users the ability to pre-order stolen credentials for a specific organisation, company or application. This allows cybercriminals to take a very targeted approach.
Developers
Malware developers are responsible for writing and maintaining the code that is packaged and sold on underground forums.
Initial Access Brokers (IABs)
IABs are individuals or groups who rent access to tools from MaaS operators. They then use these infostealers to infect systems via phishing or malicious advertising campaigns.
Customers
Data is purchased for a variety of purposes. Financially motivated cybercriminals can acquire credentials for cryptocurrency wallets, online banking or other financial services and misuse them for fraudulent withdrawals or transactions. Ransomware groups often target Infostealer logs, as credentials for RDP, VPNs and corporate accounts can provide initial access to organisations before the data is exfiltrated and encrypted.
Log parser
Some marketplaces offer an integrated parsing function as a browser extension that gives customers access to device fingerprints and data. Other marketplaces such as Russian Market and 2easy sell raw logs, which need to be parsed before their content can be interpreted and used. This has created a secondary market in which individuals sell parsing tools either to Infostealer operators who want to sell structured data, or to buyers who are in possession of large volumes of raw logs.
How can you protect yourself from infostealers?
Phishing campaigns are one of the biggest attack vectors for infostealers. It is therefore essential to protect yourself comprehensively against these threats. NoSpamProxy offers a range of features with which you can protect yourself against phishing attacks.
Not yet using NoSpamProxy?
With NoSpamProxy you can reliably protect your company from cyber attacks. Request your free trial version now!