Everything You Need to Know About Infostealers
Information stealer (infostealer) malware has emerged as a critical tool in the cybercriminal arsenal, posing a significant threat to individuals and organizations alike.
In recent years, there has been a dramatic surge in the prevalence and sophistication of these malicious programmes.
A 2024 report by Kaspersky revealed that approximately 10 million personal and corporate devices were compromised by infostealers in 2023, marking a staggering 643% increase over the past three years. This alarming trend underscores the escalating threat posed by these attacks.
Furthermore, a July 2024 study by Constella Intelligence found that 98% of breaches in 2023 involved the theft of personally identifiable information (PII). Each compromised record contained up to eight critical identity attributes, highlighting the extreme sensitivity of the stolen data.
The impact of infostealer malware extends beyond data breaches. Researchers at SpyCloud have linked the rise in ransomware attacks to the proliferation of infostealers and the increasing exposure of digital identities.
By stealing sensitive information, cybercriminals can target victims with highly personalized ransomware attacks, demanding exorbitant sums for the return of their data.
Definition of an Infostealer
An infostealer is a type of malware that gathers sensitive information stored on a device to enable an attacker to perform further cybercriminal activity, such as account takeover and identity theft, financial fraud or extortion and ransomware attacks.
Once a computer has been infected, the infostealer uses various techniques to acquire data. The data stolen can include:
- Credentials: computer session logins and passwords, browser login links, usernames, passwords
- Browser data: history data, session cookies, autofill data, saved bank card details
- Messaging and email chat logs
- Documents and text files: financial information, corporate data, secret keys, 2FA backup codes, server passwords, crypto private keys and crypto wallets
- Machine-specific properties: name of the computer, the operating system (OS), the IP address, the date and pathway of infection as well as existing antivirus, endpoint security products and installed applications
- Screenshots
Once installed, an infostealer begins to collect data from the infected system. It can take as little as one minute to collect the targeted data and exfiltrate it to the threat actor’s command and control (C2) infrastructure, via HTTP/HTTPS requests, FTP transfers, email or using APIs to reputable file-sharing sites.
In an episode of the Intel471 podcast, “Cybercrime Exposed,” Quentin Bourgue, Cyber Threat Intelligence Analyst at Sekoia, said: “Infostealers generally do not have what is called ‘persistence mechanisms,’ meaning that once they’ve been used, they may not leave any trace on the compromised device. This is why the effort for defenders should be put into detecting it before the payload is activated, or at least in the first few seconds after activation.”
Infostealers’ Typical Characteristics and Features
While we primarily refer to an infostealer as a single piece of malware, most infostealers encapsulate several malware payloads tasked with different missions, such as stealing or hijacking specific components on the device or avoiding detection.
These can include:
- Keyloggers, which provide attackers with every keystroke a user makes
- Form grabbers, which intercept data submitted through web forms before it is encrypted
- Clipboard hijackers, which allow the attacker to replace or steal information copied to the device’s clipboard
- Remote access tooling
- Memory injection features to execute unauthorised tasks on the device
- Screen capture features, which allow the infostealer to take screenshots at crucial moments, such as when a user is entering credentials or viewing personal information
- Browser session hijacking features, which involve stealing cookies and session tokens from a browser’s memory
- File harvesting features, which search through files and emails on the computer to gather information
- Crypto wallet harvesters
- Cryptors, which encrypt the infostealer payload to avoid being detected by security solutions installed on the targeted device
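Bourgue’s point above about catching an infostealer in the first seconds after activation, together with the browser session hijacking and file harvesting features listed here, suggests a simple host-side correlation for defenders: flag any non-browser process that reads a browser’s saved-login or cookie store and then opens an outbound connection within about a minute, the exfiltration window the article describes. The Python script below is an added example written for this article; it is not code from Infosecurity Europe, Sekoia or any vendor mentioned. The telemetry field names (ts, type, pid, image, path, dest_ip, dest_port), the process names and all the events are constructed for the demonstration; the Chrome profile file names it matches on are the browser’s well-known defaults.

```python
"""Detection example: correlate reads of browser credential stores with
prompt outbound network activity from the same non-browser process.

All telemetry below is constructed for this example; the event schema is an
assumption and does not correspond to any particular EDR or Sysmon format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Browser artefacts infostealers typically harvest: saved logins, cookies and
# the 'Local State' file holding the key that protects them. Matched as
# lower-cased path suffixes so the profile location does not matter.
SENSITIVE_BROWSER_FILES = (
    "\\user data\\default\\login data",
    "\\user data\\default\\network\\cookies",
    "\\user data\\default\\cookies",
    "\\user data\\local state",
)

# Processes expected to open those files during normal use (tune per estate).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_sensitive_browser_file(path):
    """True if the path ends with one of the credential/cookie store names."""
    p = path.lower()
    return any(p.endswith(suffix) for suffix in SENSITIVE_BROWSER_FILES)


def detect_stealer_pattern(events, window_seconds=60):
    """Return one alert per process that (1) is not a browser, (2) read a
    browser credential or cookie store and (3) opened an outbound connection
    within `window_seconds` of its first such read."""
    reads = defaultdict(list)   # pid -> [(timestamp, path)]
    conns = defaultdict(list)   # pid -> [(timestamp, "ip:port")]
    names = {}                  # pid -> image name
    for ev in events:
        pid = ev["pid"]
        names[pid] = ev["image"].lower()
        ts = _parse_ts(ev["ts"])
        if ev["type"] == "file_read" and is_sensitive_browser_file(ev["path"]):
            reads[pid].append((ts, ev["path"]))
        elif ev["type"] == "net_connect":
            conns[pid].append((ts, f"{ev['dest_ip']}:{ev['dest_port']}"))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for pid, file_reads in reads.items():
        if names[pid] in BROWSER_PROCESSES:
            continue  # the browser reading its own stores is expected
        first_read = min(t for t, _ in file_reads)
        later = [(t, d) for t, d in conns.get(pid, [])
                 if first_read <= t <= first_read + window]
        if later:
            alerts.append({
                "pid": pid,
                "image": names[pid],
                "files": sorted({p for _, p in file_reads}),
                "destinations": [d for _, d in later],
                "seconds_to_exfil": int((min(t for t, _ in later) - first_read).total_seconds()),
            })
    return alerts


# Constructed sample telemetry (IPs are from documentation ranges).
_PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    # Expected: the browser itself reads its own stores, then goes online.
    {"ts": "2024-09-01T10:00:00", "type": "file_read", "pid": 4100, "image": "chrome.exe",
     "path": _PROFILE + r"\Default\Login Data"},
    {"ts": "2024-09-01T10:00:02", "type": "net_connect", "pid": 4100, "image": "chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Suspicious: an unrelated process harvests the stores, then connects out 40 s later.
    {"ts": "2024-09-01T10:05:00", "type": "file_read", "pid": 7321, "image": "update_helper.exe",
     "path": _PROFILE + r"\Local State"},
    {"ts": "2024-09-01T10:05:01", "type": "file_read", "pid": 7321, "image": "update_helper.exe",
     "path": _PROFILE + r"\Default\Login Data"},
    {"ts": "2024-09-01T10:05:03", "type": "file_read", "pid": 7321, "image": "update_helper.exe",
     "path": _PROFILE + r"\Default\Network\Cookies"},
    {"ts": "2024-09-01T10:05:40", "type": "net_connect", "pid": 7321, "image": "update_helper.exe",
     "dest_ip": "198.51.100.23", "dest_port": 80},
    # Benign: a backup agent reads a store but only talks to the network much later.
    {"ts": "2024-09-01T10:10:00", "type": "file_read", "pid": 9001, "image": "backup_agent.exe",
     "path": _PROFILE + r"\Default\Cookies"},
    {"ts": "2024-09-01T10:15:00", "type": "net_connect", "pid": 9001, "image": "backup_agent.exe",
     "dest_ip": "10.0.0.5", "dest_port": 443},
]

if __name__ == "__main__":
    for alert in detect_stealer_pattern(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over EDR or Sysmon file-access and network-connection events; the browser allow-list, the file suffixes and the 60-second window are the knobs to tune, and the useful signal is the combination of the two events from one process, not either on its own.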
Infostealer Monetization and Distribution Techniques
The data collected by infostealers is often sold or traded in centralised ad-hoc marketplaces or decentralised platforms, such as Telegram or hacking forums.
The rise of infostealers is primarily due to their integration into the malware-as-a-service (MaaS) business model. This means that cybercriminals provide access to the malware alongside additional features (administration panel, technical support, access to C2 servers, updates…) for a subscription fee.
The Swiss security provider Proton mentioned that infostealers can be sold for as little as $120 per month, while Sekoia’s Bourgue said the figure is likely between $200 and $500.
Buyers can use various methods to distribute infostealers, which fall into two categories: phishing and non-phishing distribution.
Distributing infostealers via phishing campaigns can involve adding malicious attachments or links to emails, or spreading the malware via fake messages on platforms like Telegram.
Non-phishing methods include malvertising, malicious websites and SEO poisoning.
Most Prominent Infostealers
While some previously notorious infostealers like Raccoon Stealer and RedLine have seen their activity decline because of law enforcement takedowns, a wide array of infostealers has been used by cybercriminals in 2024.
These include:
- Lumma Stealer (aka LummaC2)
- Vidar, an evolution from Arkei, one of the oldest infostealers
- RedLine
- Medusa
- RisePro
Cybersecurity provider Hudson Rock maintains a website dedicated to exposing infostealers where it shares explainers, stats and analyses of techniques, tactics and procedures (TTPs) on several types of infostealers.
How to Mitigate the Infostealer Threat
Infostealer malware poses a significant and evolving threat to individuals and organisations alike. These stealthy programs are designed to silently steal sensitive data, including login credentials, financial information, and personal details. As cybercriminals continue refining their techniques, adopting a proactive approach to cybersecurity is crucial.
By implementing strong password hygiene, enabling multi-factor authentication, keeping software updated, and staying vigilant against phishing attacks, individuals can significantly reduce their risk of falling victim to infostealer threats. Organisations must prioritise employee awareness training, network security, and robust data protection measures to safeguard their valuable assets.
Conclusion
The fight against infostealers requires a multi-faceted approach involving individuals, organisations, and cybersecurity experts.
By staying informed about the latest threats, adopting best practices, and continuously adapting to the evolving landscape of cybercrime, we can mitigate the risks posed by these malicious programs and protect our digital identities and sensitive information.