THE PROBLEM

The Infostealer Pandemic

What are Infostealers?

An information stealer, often referred to as an “infostealer” or simply a “stealer,” is a type of malware designed to hide itself and secretly collect sensitive data. Its main objective is to extract information from the compromised computer.

After being executed on a device, infostealers typically collect information such as: 
 
  • Basic information about the infected computer, such as the operating system version, hardware specifications, and a list of installed software. This data helps attackers understand the environment and tailor further attacks. 
  • Passwords saved across all browsers, including login credentials for email accounts, social media platforms, online banking, and other critical services. With these passwords, cybercriminals can gain unauthorized access to various accounts, leading to further exploitation.
  • Credit card information stored in web browsers or specific applications, which can be used to make unauthorized purchases or sold on underground markets for financial gain.
  • Cryptocurrency wallets and their private keys. These keys are essential for accessing and transferring cryptocurrency. If an infostealer accesses these keys, the victim’s digital assets can be quickly drained. 
  • Search history, which can be used to profile the victim and exploit their interests or habits. This data is sometimes used for further phishing attacks or to blackmail the victim. 
  • Files saved in the Desktop, Documents and Downloads folders. These locations often contain sensitive documents, personal photos, and other important files. The stolen files might be used for extortion or sold on the dark web.
  • Authentication cookies stored by web browsers, which can include session tokens. These tokens allow attackers to bypass authentication and gain direct access to accounts without needing a password, enabling them to impersonate the victim and carry out actions on their behalf.
 
An example of an infostealer archive. In this case, the infection resulted in the compromise of credentials, cookies and autofill data stored in Chrome and Edge, and of files stored in the Documents folder. The archive also contains a file listing information about the affected device (such as hostname, IP address, installed software, and more) and user (such as username, privilege level, and more). All this information is sent to the attacker's C2 server.

Infostealers are frequently sold in cybercriminal forums and Telegram groups. Unlike more complex malware that requires advanced skills to develop or deploy, infostealers are often sold with user-friendly interfaces, step-by-step guides, and even customer support. This means that even individuals with little to no technical knowledge can purchase and use these tools to carry out cybercrimes. As a result, the widespread availability of infostealers has expanded their use beyond seasoned hackers to include a broader range of criminals, increasing the overall threat landscape.

An example of advertising for a publicly available information stealer, sold on a Telegram channel for a few euros with evidence of Windows Defender bypass.

Credential Markets and Access Brokers

Information stolen by infostealer malware is sold in bulk on specialized markets called Credential Markets, on cybercrime forums and on Telegram groups. Every day, tens of thousands of logs end up for sale, and more are either leaked or published to advertise these channels. When sold, the price of a log usually ranges from $2 to $20. This huge mass of compromised, low-cost data constitutes a precious resource for opportunistic attackers, who regularly go through logs to collect credentials and authentication cookies that can either be used to launch an attack or resold to other threat actors.

The search bar of a credential market. Attackers can search logs by either keyword (such as Citrix, VPN, etc.) or domain, among the other options.

Access Brokers are threat actors who specialize in gaining access to medium- to high-value businesses, sometimes escalating privileges, and then reselling the access to other criminal groups such as ransomware gangs. Stealer logs are a primary resource for Access Brokers, since they allow them to gain an initial foothold in a multitude of companies quickly and cheaply compared to other methods.

An access broker selling privileged access to multiple organizations on a notorious cybercrime forum.

The Hidden Attack Surface

Infostealer malware represents a threat that cannot be handled with traditional methods. It can infect employees' personal computers, on which the company has zero visibility, or even devices owned by contractors. Security software will not block access obtained with an infostealer, since it is valid access with legitimate credentials. Multi-factor authentication, while useful, can be bypassed using valid authentication cookies gathered from a legitimate user infected with an infostealer. As a result, log distribution channels constitute a whole new hidden attack surface that cannot be patrolled using traditional security software. Over 50 million accounts were compromised by infostealers in the first half of 2023 alone. Most breach-detection services focus on public breaches and do not cover log distribution channels, leaving companies in the dark about the vast majority of compromised users and assets.

An overview of sources we detected compromised accounts from in Q4 2023. Most breach detection services only cover the green section.

Our Solution

Delfi continuously scans log distribution channels, together with traditional sources, to immediately detect when our customers' data is compromised. When a match is found between monitored keywords and domains and the scraped data, an alert is generated with all the information necessary to remediate the threat before the stolen data is weaponized by threat actors to launch an attack.

This information includes:

  • Compromised accounts and credentials
  • Valid authentication cookies
  • Compromised system information, such as hostname, IP address, location and Active Directory domain
  • Stolen files, if available
  • Infection source (for example, URL a malicious attachment was downloaded from)
  • Date of infection
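To illustrate the matching step described above (monitored domains and keywords checked against scraped credential entries), here is an added Python example; it is not Delfi's code. The "URL | USERNAME | PASSWORD" line layout, the watchlist values and the sample entries are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Watchlist (assumed values): a monitored company domain plus remote-access keywords.
MONITORED_DOMAINS = {"example.com"}
MONITORED_KEYWORDS = {"vpn", "citrix"}

# Constructed sample entries in an assumed "URL | USERNAME | PASSWORD" layout.
SAMPLE_LOG = """\
https://mail.example.com/login | j.doe@example.com | Winter2023!
https://vpn.partner.test/remote | jdoe | hunter2
https://shop.other.test/account | j.doe@example.com | hunter2
https://notexample.com/ | someone | pass
"""

@dataclass(frozen=True)
class Alert:
    url: str
    account: str
    reason: str  # which watchlist rule fired

def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match; 'notexample.com' must NOT match 'example.com'."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def classify(url: str, account: str) -> Optional[str]:
    host = urlsplit(url).hostname or ""
    for d in MONITORED_DOMAINS:
        if host_matches(host, d):
            return f"domain:{d}"
        if account.lower().endswith("@" + d.lower()):
            return f"account:{d}"  # corporate e-mail reused on a third-party site
    for kw in MONITORED_KEYWORDS:
        if kw in url.lower():
            return f"keyword:{kw}"
    return None

def scan(log_text: str) -> List[Alert]:
    alerts = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # malformed or truncated entry
        url, account, _password = parts  # the cleartext password is never stored
        reason = classify(url, account)
        if reason:
            alerts.append(Alert(url, account, reason))
    return alerts
```

Running `scan(SAMPLE_LOG)` yields three alerts (company login, VPN keyword, corporate e-mail on a third-party site) and correctly ignores the look-alike `notexample.com` entry.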
 

Our platform can be configured in a few minutes, doesn’t need to be integrated into your infrastructure (but can be if needed), and immediately provides you with infostealer and account takeover prevention coverage.

Do you want to learn more? Take a look at our product page or contact us to receive a free exposure report and a demo.
