Infostealer malware represents one of the most underrated threats to corporate and consumer information security today. These sophisticated remote access Trojans (RATs) silently infect computers and systematically exfiltrate massive amounts of sensitive information from the host to threat actors’ command and control (C2) infrastructure. Their primary targets include:
Once the information has been exfiltrated, it takes the form of a “stealer log,” a single discrete set of information about a user that includes a snapshot of their browser and key details about their computer. Threat actors then distribute these logs (either as free samples or in exchange for cryptocurrency), principally across Telegram and Russian Market, where other criminal actors use them to commit financial fraud, steal cryptocurrency, or in some cases breach major companies.
This article will dive deep into infostealer malware and provide readers with a comprehensive picture of the entire infostealer ecosystem, from malware-as-a-service distributors designing new variants of infostealers to how criminals use logs to gain access to key services.
Each infostealer log represents a single user’s stolen data. Different infostealer variants pull different types of data (and malware developers in some cases compete on which data the variant they maintain steals!). For example, one variant may pull clipboard data from the user while another variant may not. There is a constant tension: the more data stolen by the infostealer variant, the more likely it is to be detected and stopped by Windows Defender or an anti-virus platform.
An infostealer log with separate .txt files for different types of stolen data
Here’s what’s in the infostealer log above:
Modern infostealers operate within a sophisticated Malware-as-a-Service (MaaS) ecosystem. Key characteristics include:
Telegram post of a Redline stealer for sale
MaaS vendors fulfill a critical role in the ecosystem. Malware development is difficult and time-consuming, and it requires substantial expertise, particularly to get around modern AV/EDR systems. Specialized infostealer developers who maintain their own code and sell it as a service leverage the economic principle of role specialization while making a significant profit, particularly those who build popular variants such as Redline.
After acquiring an infostealer variant, cybercriminals employ various distribution methods to infect victim systems. While multiple approaches exist, the most prevalent involves embedding malware within purported “cracked” software downloads.
Below is the typical attack flow:
While cracked software distribution is common, sophisticated threat actors may employ other techniques:
One particularly interesting campaign occurred in mid-2023 and targeted potential users of the AI platform Midjourney. This campaign leveraged several of the aforementioned features, including malicious Google Ads that were likely being run from compromised accounts.
A user would search for Midjourney and the first result was the now defunct “ai.mid-journye.org”, which was advertised using Google Ads. Clicking on the advertisement would bring the user to a custom-built landing page.
The landing page was fairly sophisticated and well designed to entice the user to download the Windows application. Note the highlighted red “it is possible that the computer’s security systems may falsely trigger” and the lack of a macOS option.
As of November 2024, stealer logs are primarily distributed in four main ways:
Stealer logs for purchase and download
Stealer logs are not all equally valuable. Brand new logs (such as those fed into a live Telegram channel) are substantially more valuable for a number of reasons, including that:
Infostealers have largely flown under the radar for corporate security teams, particularly those at smaller organizations or those with a less sophisticated security posture. Unfortunately, they have not flown under the radar for threat actors looking for easy ways to compromise corporate IT environments. But before we go into the business information security risks that infostealer malware and stealer logs pose, let’s talk about their more common use cases, namely facilitating fraud and account takeover for monetary gain.
Most threat actors are not primarily looking to compromise corporate accounts, and that is not why the vast majority of them use stealer logs. Instead, a typical workflow might look something like this:
1. Threat actors process downloaded logs through specialized “checker” applications that:
The checker tool essentially serves as a triage system, allowing actors to quickly identify and prioritize the most potentially valuable compromised accounts from large batches of logs.
A threat actor uses a checker to identify high-value logs
2. The actor then uses an anti-detect browser to impersonate the victim’s session on specially selected financial services logs.
Screenshot of an anti-detect browser from a tutorial video on how to impersonate sessions
3. The actor gains access to the account and transfers money or otherwise buys cryptocurrency using the victim’s bank account.
Now, what we just covered is one highly specific way threat actors commonly use infostealer logs, but there are infinite possibilities. We’ve seen actors focus on compromising personal email accounts, social media accounts, and even YouTube and Google Ads accounts (which can then be sold back to criminals doing infostealer distribution).
Infostealers (and stealer logs) are one of the most concerning trends for corporate cybersecurity teams today. Why? Millions of employees in the U.S. save credentials from their jobs onto their personal computers and subsequently get compromised by infostealer malware.
We’ve seen thousands of examples, including:
Threat actors (on average) don’t “target” infostealer malware campaigns at corporate employees, but by default if they infect tens of millions of computers, huge numbers of corporate credentials and session cookies are bound to show up. This is well known by ransomware groups and other criminal entities that target businesses. Both ransomware actors and initial access brokers directly leverage stealer logs and infostealer malware infections to gain access to corporate IT systems.
To learn more about threat actors and corporate stealer logs, take a look at our report Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime.
Infostealer malware is likely one of the most common ways that initial access brokers get into corporate networks. Initial access brokers (IABs) serve as a “white glove” service for ransomware groups and other criminal entities, gaining initial access to a victim’s corporate systems, then auctioning it off on Russian-language cybercrime forums.
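For a security team that has obtained a stealer log through threat intelligence, the check implied above is whether any entry touches the organization. The following is an added example, not part of the original post: it assumes a `URL:` / `Username:` / `Password:` block layout for the credentials file, and the sample entries, domains and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in an assumed "URL / Username / Password" block layout.
# Every host, account and value below is made up for this example.
SAMPLE_LOG = """\
URL: https://sso.example-corp.test/login
Username: j.doe
Password: constructed-value-1

URL: https://app.saas-vendor.test/signin
Username: j.doe@example-corp.test
Password: constructed-value-2

URL: https://notexample-corp.test/
Username: someone@mail.test
Password: constructed-value-3
"""

# The Password line must be present but is deliberately not captured.
ENTRY = re.compile(r"^URL:[ \t]*(?P<url>\S+)[ \t]*\nUsername:[ \t]*(?P<user>.*)\n"
                   r"Password:.*$", re.M)

def under_domain(host, domain):
    """True if host is the domain or a subdomain (label-boundary match)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def corporate_exposures(log_text, corp_domains):
    """Return remediation items for entries tied to corp_domains."""
    findings = []
    for m in ENTRY.finditer(log_text):
        url = m["url"] if "://" in m["url"] else "//" + m["url"]  # scheme-less URLs
        host = urlsplit(url).hostname or ""
        user = m["user"].strip()
        mail_domain = user.rpartition("@")[2] if "@" in user else ""
        reasons = []
        if any(under_domain(host, d) for d in corp_domains):
            reasons.append("corporate host")
        if mail_domain and any(under_domain(mail_domain, d) for d in corp_domains):
            reasons.append("corporate email as login")
        if reasons:  # findings never carry the stolen secret itself
            findings.append({"host": host, "account": user, "reasons": reasons,
                             "action": "reset password, revoke active sessions"})
    return findings

if __name__ == "__main__":
    for finding in corporate_exposures(SAMPLE_LOG, ["example-corp.test"]):
        print(finding)
```

The second finding is the case that is easy to miss: a work email used as the login on a third-party service. Session revocation is listed alongside the password reset because a reset alone does not invalidate stolen session cookies.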
Forum post from initial access broker
When there are millions of corporate credentials and session cookies floating around Telegram, it defeats much of the need for threat actors to launch more complicated attacks such as spear-phishing or exploiting vulnerabilities on publicly facing hosts.
An initial access broker advertises logs for sale on the Russian language cybercrime forum XSS
For example, an attack facilitated by an initial access broker might look something like this:
It’s no secret that cybersecurity is adversarial; however, in the past decade the nature of offense has changed. The cybercrime economy is vast, stretching into hundreds of millions, and actors ranging from lone wolves to highly coordinated groups leverage it to profit.
The complexity of the ecosystem is a source of its strength. Individual vendors each specializing in particular parts of the attack chain enable role specialization, which can create scalability through the “cybercrime assembly line.” If an actor had to design their own infostealer variant, distribute it, harvest credentials, and leverage them, it would be a far slower process.
The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Our customer Victor Pettersson, CISO at Sokigo, recently said, “Stealer logs have been the [sources] where we have seen the most actionable intelligence regarding leaked credentials.”
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.
The post Infostealer Malware: An Introduction appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.
*** This is a Security Bloggers Network syndicated blog from Flare | Cyber Threat Intel | Digital Risk Protection authored by Flare. Read the original post at: https://flare.io/learn/resources/blog/infostealer-malware/