Robert Fitzsimons

Part One: The Rise of Infostealer Malware on the Dark Web

In the first half of this two part blog series, Rob Fitzsimons, Lead Threat Intelligence Engineer at Searchlight Cyber, dives into infostealer malware, explaining how they work and the damage they can cause to organizations.

Understanding the infostealer threat

In February, a report by IBM revealed that identity theft is now the leading attack vector enabling cybercrime around the world. From the report, the key findings were:

  • Infostealer malware activity increased by 266 percent.
  • Data theft and leak incidents rose to 32 percent of cyberattacks, moving past extortion as the largest impact.
  • Breaches involving compromised credentials required 190 percent more effort to remediate than average.

So, what is infostealer malware and what damage could it cause to your business?

What is an infostealer and how does the malware work?

Infostealers are a type of malware, designed to be persistent and benign, and collect a wide range of sensitive information from infected devices. This includes the normal targets of data-driven cybercrime, like personal details, financial information, and login credentials, to name but a few.

User devices are often compromised by using phishing emails with harmful attachments (MITRE ATT&CK Technique T1566), fake software updates (T1072), malicious advertisements on legitimate websites such as social media or fake applications (T1566.003).

Once installed by the user on the unsuspecting device, this type of malware can bypass detection by anti-virus software (T1027). Masquerading as legitimate applications (T1036.004), they generally enable themselves to reside within a compromised device for a period of time, sufficient enough to collect and transfer user data to a server operated by the attackers.

The stolen sensitive data is then packaged up and exported, ready to be used for financial gain. It will then be sold on an autoshop for a relatively small price, usually in the region of $10. Alternatively, if the infostealer has collected very valuable information, prices can increase to several hundred dollars, although this is not overly common. This information will be disseminated on Telegram and dark web hacker forums, and be utilized by threat actors during the reconnaissance phase (T1597).

The origin of infostealers

The origins of infostealers trace back to the 1990s when – in the early days of the internet – infostealers targeted personal computers, with the malware often distributed via email attachments, software downloads, or websites. Trojans then emerged in the 2000s, capturing sensitive information such as usernames, passwords, credit card numbers, and banking information. They used advanced techniques to stop financial transactions, and manipulate online banking sessions.

From the late 2000’s infostealer malware grew and increased its capabilities, covering healthcare, retail, and government industries and became prevalent with stealing corporate data.

Today, infostealer malware is evolving with technological advancements and sophisticated cybercriminal tactics. They use techniques such as ambiguous language, encryption, and polymorphism to remain hidden and have become a persistent threat.

What damage can an infostealer cause to organizations?

An infostealer can have a huge impact on all businesses, no matter their size. While smaller organizations have limited resources when it comes to mitigating the risk of malware, bigger businesses may have a large and sophisticated technology stack that can leave them complacent.

Here are some of the ways in which infostealers can affect a business:

Data breaches

Infostealer malware is designed to steal sensitive information, such as customer data, financial records, intellectual property, and login credentials. A data breach can expose an organization’s sensitive information, which could lead to legal action, loss of customer trust, and reputational damage.

Financial loss

Malware can cause downtime and productivity loss, which will disrupt business operations. The stolen data could also be used by criminals to conduct more sophisticated attacks that have a greater financial impact. For example credentials stolen by an Infostealer could enable a hacker to gain access to a company’s infrastructure to conduct a ransomware attack.

Identity theft

The harvesting of personal information by infostealers can lead to identity theft and fraudulent activities. This can affect any individuals involved as well as financial losses for the business.

Loss of intellectual property

Businesses rely heavily on intellectual property and information of their latest ideas, products or solutions. Infostealers can target specific organizations and compromise their intellectual property with a view to ruining their competitive advantage, ultimately leading to a loss of revenue.

Compliance issues

If client data is compromised and stolen, businesses can face legal and regulatory consequences, ending in hefty fines for failing to protect sensitive data.

Fraud

The information contained within infostealer logs can be extremely valuable to an attacker. It can provide insights into individuals habits, which can enable criminals to build a better understanding, should they want to target them in a spear phishing campaign.

Initial access

Criminals will spend time in the recce phase of an attack and analyze the whole data set. This enables the threat actor to conduct password analysis, looking at ID patterns and password reuse, and the information will then be used to conduct a dictionary attack against systems. To attempt to gain access to any public facing infrastructure such as VPNs or login portals, cybercriminals will use the likes of:

  • Email addresses.
  • Passwords.
  • Financial information.
  • Installed software.
  • Cookies.
  • Types of antivirus

They will then escalate privileges and compromise the network further once access has been achieved.

In part two of this blog, we’ll delve deeper into how an infostealer can be identified and prevented, and share a case study of how a global professional services firm used dark web monitoring to identify and mitigate an infostealer attack on their infrastructure.


 

Stay on top of the latest cybersecurity news:

Sign up for our cybersecurity newsletter to get the latest cybersecurity news, insights, and dark web intelligence straight to your inbox, plus exclusive first access to Searchlight’s reports, blogs, and much more.

Sign up for our cybersecurity newsletter