Infostealers Under the Spotlight: What are Infostealers and Why Do You Need to Know?
2024-12-20 13:45:48 Author: www.kelacyber.com

Information-stealing malware (or infostealers to their friends) are a kind of malware designed to steal sensitive information from an infected device, also known as a bot. Once stolen, the malware creates records of the stolen information, known as logs, and then attackers monetize these harvested logs either by selling them on, or launching a direct attack using these logs for initial access, such as ransomware. Examples of infostealers include RedLine Stealer, Raccoon Stealer, Vidar, Meta Stealer, Lumma, Stealc and RisePro. 

How do infostealers infect devices, what information can infostealers harvest, and how does this information compromise your organization’s security? Keep reading for the answers. 


Who is Susceptible to Infostealers, and How?

The short answer is, anyone could be the victim of infostealers. Today’s bad actors are opportunistic and are looking for any avenue to a payday. It’s easier than ever to sell logs, and while some attackers may be looking for specific targets due to political or personal motivations — most are happy to launch attacks wherever weaknesses can be found. Traditional defenses aren’t much of a protection either, as devices infected by infostealers may well have EDR deployed at the time of attack. 

As a result, infostealers (easily available for cybercriminals to buy on subscription for as little as a few hundred dollars per month) could lead to an attack on any person or organization. They are often delivered through malvertising that redirects users to malicious websites, SEO poisoning where these malicious sites appear at the top of search results, phishing emails in an employee’s inbox, or a poisoned software update or what appears to be an innocent download, such as cracked software, game cheats, and more.

Some attackers pay a service to distribute and install malware on compromised devices on their behalf, where threat actors who have the means and access to infect multiple targets are given the tools and technical support to do so in return for a fee or a share of the logs. 

What Do Infostealers Harvest, and How Does That Make Money?

So, a device has been infected — what happens next? Infostealers can harvest a wide range of information, from financial data such as credit card numbers and bank details, to passwords and login credentials for email accounts or online services such as Salesforce, Jira, Slack, VPNs, Active Directory and more. Bots can deliver PII including social security numbers, cryptocurrency wallet details, and system information for the infected device, such as OS, software installs, hardware specs and more. When an attack is launched against a third-party service, as in the Snowflake attack, it can be even worse. Threat actors can leverage infostealer data to attack multiple companies at the same time using the same method (in this case 165 companies were affected, with credentials to Snowflake instances stolen through infostealers and later leveraged by the attackers to target Snowflake’s customers).

Once logs have been harvested, it’s time for an attacker to think about how they are going to monetize the logs they have collected. Depending on the type of attack, threat actors will be interested in different kinds of data. Bank details could allow an attacker to steal money directly from a compromised account, while passwords and login credentials could provide initial access to launch a more advanced attack, such as ransomware.

Luckily for those who are looking to sell their logs for a quick pay day, the cybercrime underground has plenty of easy options, including: 

  • Botnet markets: Depending on the kind of logs you’ve harvested, attackers could get a payday of anywhere from $0.50 to $40 per record, or even more, on a botnet market such as RussianMarket. This is particularly useful for attackers who are looking to sell specific data and logs which they believe to be in high demand. Uber’s 2022 breach may have started with the use of a valid username and password which were published on RussianMarket that same month, where logs indicated at least two Uber employees were using devices infected by the infostealers Raccoon and Vidar. 
  • Clouds of logs: Often hosted on Telegram, attackers sometimes utilize a subscription model where full access to all credentials from compromised machines can be accessed for a monthly fee. Think Netflix for compromised accounts, and you’re close. One perk of this approach is that threat actors receive a larger amount of logs for a smaller price, rather than buying them one by one. 
  • ULP (url:login:password) files: Credentials extracted from infostealer logs can be combined into credential lists that can have millions of lines of usernames and passwords with a corresponding URL attached, making it easy for attackers to launch a campaign. These are known as ULP files. 
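The ULP format above is what a defender scans to learn whether their own accounts have surfaced in a credential list. The following is an added example, not KELA's code or tooling: it parses constructed, invented ULP lines, copes with the format's real ambiguity (URLs carry colons in the scheme and port, and passwords may contain colons too), and reports only the in-scope hits for a hypothetical monitored domain, with the secret redacted.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a ULP (url:login:password) file. Every entry is
# invented for this example; none are real hosts or credentials.
SAMPLE_ULP = """\
https://login.example.com/sso:alice@example.com:Winter2024!
http://mail.example.com:8080/owa:bob:pa:ss:word
https://vpn.partner.invalid/:carol@partner.invalid:hunter2
android://com.example.app/:dave:secret
this line is garbage and should be skipped
https://jira.sub.example.com/login:erin@example.com:Tr0ub4dor
"""

# URL = scheme://host[:port][/path-without-colons], login = no colons,
# password = everything after the second separator (it may contain ':').
ULP_RE = re.compile(
    r"^([a-z][a-z0-9+.\-]*://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?):([^:\s]+):(.+)$"
)

def parse_ulp_line(line):
    """Return (host, login, password) for one ULP line, or None if malformed."""
    m = ULP_RE.match(line.strip())
    if not m:
        return None
    url, login, password = m.groups()
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host:
        return None
    return host, login, password

def host_in_scope(host, monitored_domains):
    """True when host equals, or is a subdomain of, a monitored domain."""
    return any(host == d or host.endswith("." + d) for d in monitored_domains)

def find_exposed_accounts(ulp_text, monitored_domains):
    """Scan ULP text and list in-scope hits with the password redacted."""
    hits = []
    for line in ulp_text.splitlines():
        parsed = parse_ulp_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than guess
        host, login, password = parsed
        if host_in_scope(host, monitored_domains):
            # Never keep or log the cleartext secret; a length hint is enough
            # to triage and trigger a reset for the affected login.
            hits.append({"host": host, "login": login, "password_len": len(password)})
    return hits
```

Each hit identifies a login that needs a forced reset and an infected-device check; the partner.invalid and android entries are correctly left out of scope for the hypothetical monitored domain example.com.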

Where Does Identity Security Come in When Protecting Against Infostealers?

As infostealers are built to function under the radar, the first time you may realize your organization has been compromised could be once an attack has been launched using valid account credentials. If you think you’re safe, think about how valid accounts are now cybercriminals’ most common entry point into their victim’s environments, experiencing a 71% increase in 2023. The impact is also immense. Breaches involving compromised credentials take an average of 292 days to detect and contain—longer than any other attack vector—and cost organizations around $4.81 million per incident.

MFA doesn’t always help, as threat groups such as Lapsus$ and Scattered Spider are known to bypass MFA through MFA fatigue, social engineering and SIM swapping attacks. In addition, cookies can also be stolen, which can make MFA ineffective. Once in possession of the cookie, attackers can simply inject it into their browser, often using antidetect browsers, and fully impersonate victims to gain unrestricted access, a practice known as session hijacking.

It’s clear that obtaining earlier visibility is crucial. These attacks aren’t coming out of nowhere. They take careful planning and coordination of different threat actors with varied specialties, and are launched according to known Tactics, Techniques and Procedures (TTPs), with the use of common infostealers, and often by established threat groups. Logs are distributed on known channels, markets and platforms. You’re just not seeing it happen. But we are. 

Over the Past Year, KELA has Intercepted Over 2B Unique Compromised Account Credentials 

This is where identity security solutions such as KELA’s Identity Guard come in, tracking the cybercrime underground in granular detail and allowing your organization to:

  • Intercept compromised assets and accounts related to your organization’s domains, IPs, emails and SaaS applications by monitoring botnet markets, Telegram channels and other dark web sources.
  • Pre-empt and prevent attacks by automating actions such as quarantining infected machines, password resets for compromised accounts, MFA enforcement and more. 
  • Remove stolen credentials from markets with take-down services often offered by security vendors.
  • Uncover the TTPs and behaviors of existing threat actors, listening in on their plans, processes and methodologies for current and future attacks. 
  • Visualize the infostealer landscape, including new tools and malware strains, Malware-as-a-Service offerings and more. 

To check now to see if your organization has been compromised in the cybercrime ecosystem, start your free trial of KELA’s threat intelligence platform. 


Source: https://www.kelacyber.com/blog/infostealers-under-the-spotlight-what-are-infostealers-and-why-do-you-need-to-know/