By security practitioners, for security practitioners

The Enduring Legacy Of Infostealer Malware—What You Can Do

Despite a relatively unsophisticated methodology by modern standards, infostealer malware is a timeless favorite of cyberattackers and data thieves. Why is this, and what can be done?

Infostealer malware, also known as information-stealing malware, has a rich and nefarious history of cybercrime and cyberattacks. Like a sneaky robber, it hides on computers, unnoticed. Infostealer malware’s origins can be traced back to the early days of computer viruses and malware, which were particularly prevalent during the 1990s and early 2000s.

Decades later, infostealer malware is still on the rise and continues to impact organizations through relatively unsophisticated methods, despite the maturation of the security industry. Why is this, and what can be done?

Origins of Infostealer Malware

Infostealer malware, short for information-stealer, is a type of malware that primarily aims to collect and exfiltrate sensitive information. It typically targets login information, bank details, cryptocurrency wallets, and personally identifiable information such as SSNs and dates of birth. The pilfered data is a valuable resource for hackers, who may exploit it for identity theft, taking control of online profiles, or carrying out monetary assaults.

Most often, this is accomplished via searching for file names and extensions that have been identified as valuable, as well as directly targeting applications known to contain sensitive information, mainly browsers and messaging applications.

Infostealer Malware Development

The development and distribution of infostealer malware closely follow the rise of MaaS (malware as a service) models. These have become increasingly popular in cybercrime circles over the past few years.

An individual or a group creates the malware builder or executable and then offers it for sale to less experienced attackers on darknet markets or Telegram groups. This allows less-skilled attackers to distribute their purchased payload as they please, often through popular methods like phishing or malicious advertisements.

Key Players in Infostealer Malware

Redline, Vidar, and Raccoon Stealers are a few notable players that have long dominated the infostealer scene. These strains all employ similar methods: they dump saved credentials, session cookies, and saved payment methods from the browser, giving attackers access to the associated accounts. Stolen session cookies allow attackers to bypass multifactor authentication (MFA).

Threat actors will also attempt to hijack crypto wallets and Discord accounts, which are then used for further propagation of the malware. Once a Discord account on an infected machine has been taken over, automated messages are sent to the user’s contact list, prompting them to download the executable and start the cycle all over again.

Spray and Pray

In the minds of cybersecurity professionals, infostealer malware has been disregarded as an issue for consumers rather than organizations due to its “spray-and-pray” method of infection and wide availability. However, that same logic, if reversed, is the exact reason why organizations should be aware, cautious, and prepared for these infections.

As with many malware types, all it takes is one wrong click on a phishing attachment or malicious advertisement to publish sensitive data such as PII or even corporate login credentials to the darknet markets. With the seemingly endless number of malicious sites and emails, infection becomes even more likely.

Recommendations For Fighting Infostealer Malware

Stopping infostealer malware is similar to preventing typical infections from RATs or other malware. AV and EDR tools are typically tuned in to the IOCs and TTPs associated with the larger names in the infostealer scene. However, no single tool should be the only measure of prevention of infection or the mitigation of post-infection activities.

Cybersecurity threat hunters frequently observe first-hand the failings of signature-based and even behavioral or heuristic tools. This is not to say these tools are useless or unnecessary, but rather that it is crucial to implement several layers of security to prevent these infections. Adding tools such as network DLP, email attachment defenses, and proactive security monitoring/threat hunting will significantly increase the chances of stopping these attacks in their tracks.

Here are some effective mitigations that are recommended to keep infostealer malware from gaining a hold in your environment:

Email Security

Infostealers are most commonly distributed via phishing and malspam campaigns, making email security (more specifically, attachment-based security tools) a good first line of defense against these infections.

Archive attachments are a common tactic used by threat actors to get around typical signature-based email attachment security, so blocking emails with archive attachments from unknown senders is a good first step.
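One way to express this rule, shown as an added example that is not from the original article: the check below quarantines a message when it carries an archive attachment, identified by magic bytes as well as file name, and its sender is not on a known-senders list. The addresses, the `known_senders` set and the sample attachment bytes are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Leading magic bytes identify an archive even when the file name is disguised.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
                 b"7z\xbc\xaf\x27\x1c": "7z", b"\x1f\x8b": "gzip"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz", ".tar", ".cab")

def archive_kind(filename, payload):
    """Return the archive type of an attachment, or None if it is not one."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if payload.startswith(magic):
            return kind
    name = (filename or "").lower()
    if name.endswith(ARCHIVE_EXTS):
        return name.rsplit(".", 1)[1]
    return None

def verdict(raw_bytes, known_senders):
    """Quarantine mail that carries an archive and comes from an unknown sender."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    # The From header is spoofable; a gateway should match on the address it
    # authenticated (SPF/DKIM/DMARC), which this sketch assumes already happened.
    sender = parseaddr(str(msg["From"]))[1].lower()
    found = (archive_kind(p.get_filename(), p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments())
    kinds = [k for k in found if k]
    action = "quarantine" if kinds and sender not in known_senders else "deliver"
    return action, sender, kinds

def sample_mail(sender, filename, payload):
    """Build a constructed test message with one binary attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", "Invoice"
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed bytes: ZIP local-header magic plus padding, not a real archive.
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    mail = sample_mail("Billing <billing@unknown.example>", "invoice.pdf", SAMPLE_ZIP)
    print(verdict(mail, {"partner@known.example"}))
```

The first sample is named `invoice.pdf` but is still classified as a ZIP, which is the case a file-name-only filter misses.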

As always, phishing awareness training is another crucial step to prevent infection should a malicious email sneak through.

Web Security

Malvertising, or malicious advertising, is another attack vector that info thieves frequently use. These techniques employ search engine ads that pose as legitimate and popular software downloads, but the download has been replaced with an infostealer.

Web filtering is another tool which should be added to the lineup to prevent accidental trojanized downloads.

Endpoint Protection

AV and EDR tools provide a secondary layer of host-based detection and mitigation should a download get through the previous layers. These tools will typically detect the larger names in the infostealer scene, whether through signature-based or heuristic detections.

A combination of both detection types is a great way to ensure malware is caught at time of download or at runtime. However, these tools are not an end-all solution; there are many tactics that can be employed by threat actors to evade these defenses.
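A behavior-based hunt that complements signature detection, added here as an example and not part of the original article: it flags processes other than the owning browser that read browser credential or cookie stores, the collection behavior described under Key Players. The event fields (`process`, `path`), the sample events and the allowlists are constructed assumptions standing in for EDR file-access telemetry.

```python
import json
import ntpath
from collections import defaultdict

# File names of credential/session stores inside browser profiles.
STORES = {"login data": "chromium", "cookies": "chromium", "web data": "chromium",
          "logins.json": "firefox", "key4.db": "firefox", "cookies.sqlite": "firefox"}
# Path fragment that must also be present, to avoid matching unrelated files.
MARKERS = {"chromium": "\\user data\\", "firefox": "\\firefox\\profiles\\"}
# Assumed allowlist of processes expected to open each family's stores.
OWNERS = {"chromium": {"chrome.exe", "msedge.exe"}, "firefox": {"firefox.exe"}}

def classify(path):
    """Return the browser family whose store this path is, or None."""
    p = path.lower()
    family = STORES.get(ntpath.basename(p))
    return family if family and MARKERS[family] in p else None

def hunt(lines):
    """Map each non-owner process to the browser families whose stores it read."""
    hits = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        family = classify(ev["path"])
        if family and ntpath.basename(ev["process"]).lower() not in OWNERS[family]:
            hits[ev["process"]].add(family)
    return {proc: sorted(fams) for proc, fams in hits.items()}

def severity(families):
    """Assumed triage rule: reads across several browser families rank higher."""
    return "high" if len(families) > 1 else "medium"

# Constructed sample events (JSON lines); field names are assumptions.
APPDATA = r"C:\Users\alice\AppData"
DROPPED = r"C:\Users\alice\Downloads\setup.exe"
SAMPLE = [json.dumps({"process": proc, "path": path}) for proc, path in [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (DROPPED, APPDATA + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (DROPPED, APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"),
    (DROPPED, r"C:\Temp\cookies"),
]]

if __name__ == "__main__":
    for proc, fams in hunt(SAMPLE).items():
        print(severity(fams), proc, fams)
```

Backup agents, password managers and browser migration features also read these files, so the `OWNERS` allowlist needs tuning against a baseline before the hunt is used for alerting.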

Network Security/DLP

Network security tools, specifically DLP in the case of infostealers, can prevent the sensitive data collected from leaving the network and making it back to the attacker.

Detection of exfiltration over encrypted protocols such as HTTPS can be difficult; however, some tools, such as TLS inspection, can be employed.

The author

Malachi Grimes is a Threat Analyst at Novacoast with a background as a SOC analyst and experience in digital forensics, incident response, and malware reverse engineering.
