Robert Fitzsimons

Part Two: The Rise of Infostealer Malware on the Dark Web

In the second half of this blog series on infostealers, Rob Fitzsimons, Lead Threat Intelligence Engineer at Searchlight Cyber explains how you can identify infostealer activity by monitoring outside of your network.

Identifying an infostealer

In the first blog we established what infostealers are and the possible impact they can have on organizations. But how can they be identified if they are designed to be persistent and avoid network security solutions? The answer is to monitor the dark web for infostealer logs that relate to your organization.

This may seem counterintuitive: your network has been compromised, but you are looking externally for the threat. The reason for adopting this approach is the infostealers' persistence, which makes detecting them internally challenging and resource intensive, typically requiring a broad, hypothesis-driven threat hunting investigation.

On the other hand, monitoring externally for infostealer logs related to your company’s domains can help you identify immediately if your organization has been compromised by infostealers and take mitigative action before the logs can be exploited (MITRE ATT&CK Technique T1597).

Infostealer logs provide some essential information that can be used to investigate the source of the breach:

  • Infection file path: Where the infostealer is installed on the compromised device.
  • Infected machine ID: The compromised device information.
  • Device information: Including OS and browser, region and language.
  • Infection time and date: When the device was compromised.

With this information, an organization with a comprehensive asset identification policy should be able to readily identify the compromised device. Alternatively, if this information is not available, it can start by identifying which devices in its network match the OS, have the relevant browser, sit within the specific region and language, and have been accessed by the compromised user.

Security teams can then conduct more refined, intelligence-driven threat hunts, reducing the impact on resources and ultimately the time it takes to identify the compromised device. Once identified, the infostealer malware can be removed and the device secured.
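To make the correlation step concrete, here is an added example (not code from Searchlight Cyber or the original post) that takes the log fields listed above and ranks inventory assets as threat hunt candidates: an exact machine ID match is definitive, otherwise devices are scored on OS, browser, region, language and the compromised user. The stealer log record, asset inventory and identifiers are all constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample stealer log record; the fields mirror the list above.
STEALER_LOG = {
    "machine_id": "B7E2-4C1A",  # constructed placeholder, not a real ID
    "file_path": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe",
    "os": "Windows 10", "browser": "Chrome", "region": "GB", "language": "en-GB",
    "user": "jdoe", "infected_at": "2023-05-04T09:12:00",
}

# Constructed asset inventory; in practice this comes from your CMDB or EDR.
ASSETS = [
    {"hostname": "LT-0042", "machine_id": "B7E2-4C1A", "os": "Windows 10",
     "browser": "Chrome", "region": "GB", "language": "en-GB", "users": ["jdoe"]},
    {"hostname": "LT-0043", "machine_id": "9F10-77D0", "os": "Windows 10",
     "browser": "Edge", "region": "GB", "language": "en-GB", "users": ["asmith"]},
    {"hostname": "LT-0099", "machine_id": None, "os": "Windows 10",
     "browser": "Chrome", "region": "GB", "language": "en-GB", "users": ["jdoe", "bob"]},
]

ATTRS = ("os", "browser", "region", "language")

def rank_candidates(log, assets):
    """Return (hostname, score) pairs, best candidates first.

    An exact machine ID match is returned alone. Otherwise each asset scores one
    point per matching device attribute plus one if the compromised user is known
    to use it, so the hunt can start with the most likely devices.
    """
    exact = [a for a in assets
             if a.get("machine_id") and a["machine_id"] == log.get("machine_id")]
    if exact:
        return [(a["hostname"], len(ATTRS) + 1) for a in exact]
    scored = []
    for a in assets:
        score = sum(1 for k in ATTRS if a.get(k) == log.get(k))
        score += log["user"] in a.get("users", [])
        if score:
            scored.append((a["hostname"], score))
    return sorted(scored, key=lambda t: (-t[1], t[0]))

def log_request_window(log, hours_before=24, hours_after=2):
    """Time window around the infection timestamp for which to pull proxy/EDR/auth logs."""
    t = datetime.fromisoformat(log["infected_at"])
    return t - timedelta(hours=hours_before), t + timedelta(hours=hours_after)

if __name__ == "__main__":
    print(rank_candidates(STEALER_LOG, ASSETS))
    print(log_request_window(STEALER_LOG))
```

The window function supports the next step described in the case study: requesting internal logs for the specific point in time at which the device was infected.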

Global Professional Services firm identifies infostealer in their network

We have seen this approach work in action, for example, when a Global Professional Services firm found infostealers within their network by using DarkIQ, our dark web monitoring tool. Once they identified the infostealer logs, the organization conducted investigations to identify the compromised devices and retrace the steps of the infection.

By leveraging internal network and user activity logs, and correlating them with the time and date at which the infostealer infiltrated the device, the investigating team was able to rapidly narrow the scope of the investigation. This allowed the security team to request the relevant logs for that specific point in time.

The organization could then confirm that the malware was downloaded from a specific website offering “Team Viewer” software. After finding the URL, they were also able to see that the link had been shared internally by a particular user, which explained why this particular infostealer had spread so widely within the company.

Through identification of the infostealer logs, the company was able to take several actions:

  • Identify leaked credentials for third party systems, which enabled security teams to review the activity and validate that initial access had not been achieved.
  • Reset account passwords with session revocation, followed by a Multi-Factor Authentication review for all of the credential combinations exposed (not just their corporate credentials).
  • Identify the malicious site from which the malware was downloaded and blacklist it. This led to further refinement of blacklisting policies and a more comprehensive policy being deployed internally.
  • Understand gaps in cybersecurity awareness training, enabling tailored training based on a relevant scenario to be delivered across the organization.

In this case, monitoring the dark web enabled the company to not only identify the infostealer logs at the earliest opportunity and proactively mitigate a potential threat, but helped to pinpoint areas for improvement. This scenario has helped the company to become more aware of the threat, and enhance their security to prevent future infiltration.

How can you prevent an infostealer?

The best way to ensure your organization isn’t a victim of infostealer malware is proactive prevention. This can be achieved through a number of steps:

Good cyber security practice:

Introducing and managing effective allow/deny listing can ensure that users who have permission to download third party apps, can only download those which have been approved by the company.

Cyber security awareness training:

Keeping users aware of current threats and advising on how to avoid them, or how to spot malicious sites can be extremely useful in preventing the download of unwanted malware onto user devices.

Monitoring for infostealer logs:

Monitoring common sites where infostealer data is being sold can be extremely useful in the early identification of logs relating to your organization. Being aware of logs for sale can help security teams to proactively investigate their network for suspicious and unusual activity, identifying compromised devices and removing the infostealer.
