Infostealer

Infostealers are a form of malicious software, a type of trojan, created to breach computer systems for the purpose of stealing information. They extract a range of data such as login details, session cookies, financial information, and personally identifiable information, and then transmit it to a remote server managed by cybercriminals. This data is often traded on illicit markets to other threat actors. While primarily used by cybercriminals for financial gain, infostealers can also be employed by state-sponsored actors for espionage purposes.

Infostealers can infiltrate a computer or device through methods such as phishing attacks, infected websites, and malicious software downloads including video game mods and pirated software. Once installed, they can swiftly execute and complete their data collection and transmission processes within a short timeframe, typically ranging from several seconds to a minute.

The stolen data is then bundled and sold as logs. Buyers of these logs may exploit the acquired information for fraud or to gain unauthorized entry to diverse resources and assets. This unauthorized access can lead to the theft of sensitive data or the deployment of ransomware, resulting in substantial financial losses and other harms.

Typically operating under the malware-as-a-service (MaaS) model, infostealers are leased by their developers to other parties for a fee. This system allows people with different levels of technical knowledge to deploy an infostealer. The functionality of infostealers can vary, with some solely focused on data harvesting, while others offer remote capabilities that empower threat actors to introduce and execute additional malware on the compromised system.

The inception of modern infostealers can be traced back to early 2007, with the emergence of ZeuS or Zbot. Focused on pilfering online banking credentials, this malware swiftly rose to be one of the most pervasive and sophisticated banking trojans. Following the public release of its source code in 2011, a multitude of new variants proliferated.

Technological progress and the underground economy have contributed to the development and spread of various infostealer variants, as cybercriminals continuously adjust tactics to avoid detection and maximize profits. Currently, infostealers remain a common threat to individuals, businesses, and organizations worldwide. Research by Secureworks discovered that the number of infostealer logs (the data exfiltrated from each compromised computer) being sold on the Russian Market increased from 2 million to 5 million from June 2022 to February 2023. According to Kaspersky's research in mid-2023, 24% of malware offered as a service are infostealers. Infostealers are increasingly used in the initial stage of complex cyber attacks, solidifying their position as a major cybercrime threat.

Infostealer malware poses a serious threat by stealing sensitive data like passwords and financial information. This malware is becoming more advanced, making detection and removal harder. The shift to remote work due to COVID-19 increased the risk from infostealers, especially with Bring Your Own Device (BYOD) policies. To protect against this threat, it is recommended to update software regularly, use strong passwords that are not saved in browsers, be cautious of suspicious emails and links, enable multi-factor authentication (MFA), and invest in security solutions that detect and block infostealers. These measures can help reduce the risk of compromise.

Functions
An infostealer is designed to secretly gather sensitive information from victims using methods like file enumeration, keystroke logging, browser data extraction, file access, cookie copying, and screenshot capture. The collected data is sent to a server controlled by the attacker.

Infostealers use a variety of methods to target and extract specific data from compromised systems. These malware variants range from simple scripts to complex modular forms, with some using Living Off The Land (LOTL) techniques that rely on native OS tools. The techniques exploit weak points in how data is entered, stored, and transmitted. Common techniques include the following:
 * Form grabbing intercepts data entered into web forms or other applications before encryption. This technique is especially effective for capturing login credentials, payment details, and other information.
 * Web injection scripts add fields to web forms for data submission to the attacker's server.
 * Man-in-the-browser attacks inject malicious code into the web browser. This enables intercepting and manipulating information in real-time as users enter data on secure websites.
 * Keylogging records a user's keystrokes. This method captures all typed information, allowing attackers to extract sensitive data like passwords and credit card details at a later time.
 * Clipboard hijacking monitors and alters the content copied to the clipboard. This allows replacing or stealing sensitive information like account numbers or passwords when users copy data.
 * Screen capturing takes screenshots of a user's screen during crucial moments, such as when entering credentials or viewing personal information. This bypasses limitations of text-based data extraction by capturing any information displayed on the screen.
 * Browser session hijacking steals cookies and session tokens from the browser's cookie store (on disk or in memory). This enables impersonation of the victim's online session, granting unauthorized access to online accounts without requiring a username, password, or MFA, because the stolen cookie represents a session in which MFA has already been completed.
 * Credential dumping extracts data from user accounts stored on a system, including login credentials saved in web browsers or other client software. Browser-saved credentials are usually decrypted on the host itself, since the stealer runs as the logged-in user and can call the same OS key-protection APIs the browser uses; where only hashes or encrypted blobs are obtained, attackers may try to crack them offline using specialized hardware and software tools.
 * Email and file harvesting searches mailboxes and the filesystem for messages and documents of interest.
 * Crypto-wallet harvesting searches for common crypto-wallet software in known installation paths to steal private keys. With these keys, attackers can transfer cryptocurrency from the victim's accounts.
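The browser-credential and cookie theft described above leaves an endpoint artifact: a process that is not the browser opens or copies the profile's credential database. The following is an added example (not from the original article) of detection logic over such events. The event format, the process paths and the allow-list of browser executables are assumptions for the example; in a real deployment the events would come from an EDR sensor with file-access telemetry and the allow-list would be keyed on code signer rather than file name.

```python
import re
from dataclasses import dataclass

# Files under a Chromium-family profile that infostealers copy: saved logins,
# cookies, autofill data, and "Local State", which holds the DPAPI-wrapped
# key needed to decrypt the others.  Firefox keeps the equivalents in
# logins.json / key4.db / cookies.sqlite.
SENSITIVE_FILES = re.compile(
    r"(?:\\|/)(?:Login Data|Cookies|Web Data|Local State|"
    r"logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)

# Processes legitimately expected to touch those files (assumed list).
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str   # full path of the process that opened/copied the file
    target: str  # file that was opened or copied
    user: str


def image_name(path):
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_suspicious(ev):
    """True when a process outside the browser allow-list touches a credential store."""
    if not SENSITIVE_FILES.search(ev.target):
        return False
    return image_name(ev.image) not in ALLOWED_IMAGES


def triage(events):
    """Group suspicious accesses by (pid, image, user) so one stealer run is one finding."""
    findings = {}
    for ev in events:
        if is_suspicious(ev):
            key = (ev.pid, image_name(ev.image), ev.user)
            findings.setdefault(key, []).append(ev.target)
    return findings


# Constructed sample events for the example; not real telemetry.
SAMPLE = [
    FileEvent(4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data", "alice"),
    FileEvent(7788, r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State", "alice"),
    FileEvent(7788, r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data", "alice"),
    FileEvent(7788, r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "alice"),
    FileEvent(2201, r"C:\Windows\System32\svchost.exe",
              r"C:\Users\alice\AppData\Local\Temp\x.tmp", "alice"),
]

if __name__ == "__main__":
    for (pid, image, user), files in triage(SAMPLE).items():
        print(f"ALERT pid={pid} image={image} user={user}: "
              f"{len(files)} credential-store accesses")
        for f in files:
            print("   ", f)
```

The "Local State" access is the most telling of the three: the browser only reads that file at startup, whereas a stealer must read it to recover the key before it can decrypt "Login Data" or "Cookies". Because a running browser holds a lock on the live database, stealers usually copy it first, so file-create events for copies of these files outside the profile directory are a second signal worth the same rule.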

Infostealers commonly infiltrate systems via phishing emails, malicious attachments, or compromised websites. Once installed, they operate covertly, posing challenges for detection. These malicious programs use tactics to evade discovery, persist on systems, identify additional targets within a network, and enable remote command execution by attackers. Advanced Infostealers are modular, capable of importing tailored payloads after scanning the environment for valuable data sources.

Modern infostealers often operate as components of botnets, with attack targets and actions remotely configured via commands from a Command and Control server (C&C).

Stolen data
While the specifics of the extracted information may vary across different variants, the primary objectives typically encompass the retrieval of:


 * Saved passwords from various applications including banking, email accounts, social media platforms, VPN, and FTP services.
 * Cryptocurrency wallets
 * Bank account details and stored credit card information
 * Internet browsing history
 * Browser cookies and extension data
 * Catalog of downloaded files, including images, documents, and spreadsheets
 * Screenshots
 * Email communications
 * Details about the operating system
 * Hardware specifications
 * Personally identifiable information including social security numbers, addresses, and phone numbers

Criminals can monetize many of the items taken from consumers. Bank card information can be used directly or resold for purchases. Account logins can be used to steal past purchases (such as in-game purchases) or make new ones if a bank card is linked. Account logins can be sold in bulk or individually, such as valuable social media accounts. Photos and documents can be used for blackmail or otherwise monetized, as in ransomware attacks or privacy breaches such as the 2014 celebrity nude photo leak (from which some websites and forums profited).

Motivation
Infostealer attacks are usually driven by financial motives. Stolen data is sorted and stored in a database for sale on the dark web or private Telegram channels. Buyers may exploit this data for fraud like applying for loans, making online purchases, or filing false health insurance claims. Compromised login details can grant access to corporate accounts or remote access services for further malicious activities. Infostealers are often used in ransomware campaigns, where attackers spend time in the target system to gather information and credentials for lateral movement and privilege escalation.

Infection/delivery
Infostealers, like other malware, spread through various methods that rely on social engineering, including:
 * Email, either as attachments or through malicious links, impersonating legitimate organizations or individuals
 * Phishing
 * Spear phishing
 * Search engine optimization poisoning
 * Malicious links via other delivery channels, including YouTube video descriptions and postings on public social networks
 * Malicious ads, including on popular websites
 * Infected software, including infected game mods and pirated software

Antimeasures
The recommendations to protect a system from infostealers include:
 * Be cautious with clicking: Avoid opening suspicious email attachments or downloading files from untrustworthy websites to prevent infostealer infections.
 * Keep software updated: Regularly update the browser, operating system, and applications to patch known vulnerabilities exploited by infostealers.
 * Enhance browser security: Use browser extensions to block malware distribution websites and phishing attempts.
 * Implement multi-factor authentication: Add an extra layer of security to prevent unauthorized access even if login credentials are compromised. Note that MFA does not protect against stolen session cookies, which represent sessions in which MFA has already been completed; short session lifetimes and session revocation on suspicious reuse are needed for that.
 * Avoid pirated software: Steer clear of pirated software, which often contains malware; opt for legitimate software alternatives to reduce the risk of infostealer infections.

For organizations, to effectively detect and respond to infostealers, traditional security measures may not be sufficient. Researchers discovered that 20% of recaptured infostealer logs came from systems that had antivirus software installed, which is consistent with the crypters and builder options sold alongside stealers specifically to evade such products.
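Because a stolen session cookie is accepted as if the victim's MFA had already passed, one server-side mitigation is to bind each session to the client context it was created from and revoke it when the token is replayed from elsewhere. The following is an added example (not from the original article) of such a check, assuming a hypothetical in-memory session store; the context hash of user agent and source IP is a simplification, since IP changes on mobile networks cause false positives, and production systems increasingly use device-bound session credentials rather than network properties.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 8 * 3600  # absolute lifetime in seconds (assumed policy)
IDLE_TTL = 30 * 60      # idle timeout in seconds (assumed policy)


def client_context(user_agent, ip):
    """Hash of properties the legitimate client presents on every request."""
    return hashlib.sha256(f"{user_agent}\x00{ip}".encode()).hexdigest()


class SessionStore:
    """Hypothetical session store that binds tokens to a client context."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, user_agent, ip, now=None):
        # Called only after the full authentication flow (password + MFA).
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ctx": client_context(user_agent, ip),
            "created": now,
            "last_seen": now,
        }
        return token

    def validate(self, token, user_agent, ip, now=None):
        """Return (user, reason); user is None when the request must re-authenticate."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown token"
        if now - s["created"] > SESSION_TTL or now - s["last_seen"] > IDLE_TTL:
            del self._sessions[token]
            return None, "expired"
        if not hmac.compare_digest(s["ctx"], client_context(user_agent, ip)):
            # Same token, different client: treat as replay of a stolen cookie.
            # Revoking it also logs out the victim, which is the intended effect.
            del self._sessions[token]
            return None, "context mismatch: session revoked"
        s["last_seen"] = now
        return s["user"], "ok"


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice", "Mozilla/5.0 (X11)", "198.51.100.7")
    print(store.validate(token, "Mozilla/5.0 (X11)", "198.51.100.7"))
    # An infostealer log replayed from the buyer's machine (constructed values):
    print(store.validate(token, "python-requests/2.31", "203.0.113.9"))
    # The victim's next request now fails too and forces a fresh login:
    print(store.validate(token, "Mozilla/5.0 (X11)", "198.51.100.7"))
```

An unbound store would return `("alice", "ok")` for the replayed request; here it returns a revocation, and the victim's next request fails as well, which is the signal that triggers a password reset and credential rotation in an incident-response playbook.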

Relation to other attacks
Credential stuffing is an automated attack that uses a combolist of previously breached credentials for websites and applications. These combolists may now include data from infostealer malware, which extracts recent authentication information like usernames, passwords, email addresses, browser cookies, and autofill data from infected devices. This fresher data from infostealers can enhance the success of credential stuffing attacks if the exfiltrated data is not effectively addressed.

Underground marketplace
Specialization is a notable trend in the dark web, where various threat actors now focus on specific aspects of cybercrime rather than handling the entire process. Unlike the past when a single entity managed the entire operation, today's landscape features multiple specialized actors offering their services to interested parties for a fee.

An illustration of the previous model is the Zeus banking malware, where a single group developed, distributed, and profited from the stolen data. In contrast, contemporary cybercrime allows for individual participation in the theft of data with lower entry barriers. This evolution enables even individuals to engage in cybercrime activities, resembling a cybercrime startup industry.

Infostealers are often sold as a monthly subscription service on underground forums and marketplaces, with prices ranging from $50 to over US$1,000 per month for access to a stealer command and control server. These services include support functions for viewing, downloading, and sharing stolen data. Underground forums provide a platform for threat actors to discuss projects, request features, and review malware, as well as advertise and sell stealers. These forums have strict rules and may offer escrow services for transactions. Marketplaces offer infostealer logs for sale, accessible through anonymity services like Tor or I2P, with regulations on traded information. After-action tools are also available for parsing and extracting data from stolen logs, catering to cybercriminals looking to use infostealers.

Overall, these platforms illustrate the evolving landscape of cybercrime, where marketplaces adapt to law enforcement actions and exploit technological features to facilitate illicit transactions.

Russian Market
Russian Market is the largest underground marketplace for infostealer logs, boasting over five million logs for sale as of February 2023, 10 times the number of its nearest rival. It predominantly offers logs from infostealers such as RedLine, Raccoon, Vidar, and recently RisePRO, though it has ceased selling Taurus and AZORult logs. In October 2022, the marketplace introduced a preorder feature, requiring buyers to deposit US$1,000 for potential future access to credentials based on specific domains or applications.

Visitors can search for inventory based on the type of malware used, victim operating system, and victim location. Victim data was sold for an average price of $10 per log. The total number of logs available for sale on this market increased by almost 40% from around 3.3 million to 4.5 million between July and October 2022.

Genesis Market
Genesis Market, an invite-only platform, focuses on selling bots rather than logs. These bots, infected with infostealer malware, capture browser fingerprints and other data, providing exclusive access to stolen information. Despite a law enforcement crackdown in April 2023, Genesis Market remains partially operational.

2easy
2easy, established in 2018, offers a user-friendly, automated interface for purchasing logs, often at lower prices than other markets. It primarily sells logs from infostealers like RedLine, Raccoon, Vidar, and AZORult.

Telegram
Telegram has emerged as a popular platform among cybercriminals for selling illicit goods, including infostealers. Its privacy features and encryption make it attractive, despite limitations such as the absence of advanced search and reputation-building tools found on traditional forums.

Variants
Infostealers, starting with the ZeuS trojan in 2007, have evolved significantly since the leak of its source code in 2011. This led to the creation of various sophisticated variants, including tailored ones like LokiBot for Android and Ducktail for Facebook business accounts. Some, like BHUNT, focus on stealing cryptocurrency, while others, like IRON TILDEN, are used by state-sponsored groups for espionage. The infostealers described in the following subsections were studied by researchers on the Russian Market marketplace in 2022; details of the targeted browser extensions and applications are often found only in the infostealer configurations, which can change frequently.

RedLine
RedLine is a popular Windows infostealer that emerged in March 2020 and is a top seller on the Russian Market. It is sold as a standalone product or through a subscription model. This infostealer targets web browsers to steal information such as saved credentials, credit card details, and cryptocurrency wallets. It steals FTP client data, instant messaging content, VPN service data, and gaming client information. It also gathers system environment details to aid in secondary attacks like privilege escalation.

RedLine is distributed through cracked games, applications, phishing campaigns, and malicious ads. It decodes data upon execution, requests configuration data from a command and control (C2) server, collects information from the compromised system, and transmits it back to the C2 server. Once connected to its command and control server, RedLine can also execute remote functions like file downloads, running executable files, executing commands via CMD.exe, and more.

Raccoon
Raccoon, initially seen in 2019, operates under a malware-as-a-service model and is primarily distributed through phishing campaigns and exploit kits. After a temporary shutdown in March 2022, shortly after Russia's invasion of Ukraine, possibly due to a lead developer's death in the conflict, a new version called Raccoon V2 was released in July 2022. This infostealer continuously evolves to evade detection, stealing various data types and delivering secondary payloads like SystemBC (which functions as a bot, backdoor, proxy, and RAT).

Raccoon V2 retrieves its configuration file from a hardcoded C2 server and exfiltrates stolen data via HTTP POST requests. Unlike the usual practice of collecting everything first, this version sends each item immediately upon theft, prioritizing speed over stealth, and does not employ anti-analysis or obfuscation techniques.

Raccoon targets crypto wallets, browser data, passwords, credit cards, and more.

Vidar
Vidar, first observed in 2018–2019, functions as an infostealer and can also be used to deploy ransomware. It is sold on underground forums and Telegram channels, offering an admin panel for configuration and monitoring. Vidar steals system data, browser artifacts, cryptocurrency details, banking info, login credentials, and IP addresses. It can deliver secondary payloads like SystemBC and uses various methods for distribution, including phishing emails and pirated software.

Vidar has maintained its popularity due to user-friendly features, continuous updates, and available support. It offers customization options for threat actors to select the specific data they want to pilfer.

Taurus
Taurus, known as the Taurus Project, was active from the second quarter of 2020 until late 2021. This infostealer, primarily advertised on Russian-language forums, targets VPN credentials, social media details, cryptocurrency credentials, and more. Taurus was distributed through spam emails with malicious attachments, leading to the exfiltration of stolen data to a C2 server.

Rhadamanthys
Rhadamanthys, observed in 2022, quickly gained popularity on underground forums for its user-friendly features. This infostealer operates on a malware-as-a-service model and targets a wide range of applications and user data. Rhadamanthys is written in C++ and employs various evasion techniques to avoid detection. It decodes C2 URLs at runtime, disguises its configuration files, and carries its encrypted post-infection traffic over the WebSocket protocol.

State-sponsored infostealers
State-sponsored threat groups use infostealers for cyberespionage operations, as seen in instances such as Russian actors deploying the Graphiron infostealer during the conflict in Ukraine. This malware is capable of stealing sensitive data like system information, account credentials, and private keys. Chinese state-sponsored groups have also been observed using infostealers, such as the Infostealer.Logdatter, in espionage campaigns targeting government and public entities in Asia. These infostealers can log keystrokes, capture screenshots, steal data, download files, inject code, and access SQL databases, as demonstrated by the BRONZE ATLAS threat group in a 2022 campaign.

Ecosystem
The success of infostealers, like other cybercriminal activities, depends on a variety of skilled individuals such as developers, initial access brokers, and customers. The growth of Malware as a Service (MaaS) has made it easier for people to get involved in cybercrime and has encouraged developers to enhance their products to attract more customers on underground platforms.

Developer
Developers in the cybercriminal ecosystem are responsible for creating and maintaining malicious code that is sold on underground forums, primarily to initial access brokers (IABs). They often operate under the Malware as a Service (MaaS) business model, allowing them to focus on enhancing malware features, gathering user feedback, and continuously improving their products. Feedback from customers on forums plays a crucial role in shaping the reputation and popularity of the malware.

Dropper implant developer/installs seller
The Dropper Implant Developer/Installs Seller is responsible for creating malware droppers that serve as a crucial component in the cybercrime industry. These droppers are designed to evade antivirus software and provide a means for other malicious actors to download their harmful code onto targeted devices. The developer may either use the dropper themselves or sell it to others through darknet forums. Additionally, there are services like InstallsKey that sell infected computers with droppers installed, enabling buyers to download their own malware.

Infostealer malware developer
The Infostealer Malware Developer plays a central role in the cybercrime ecosystem by creating malware that extracts valuable information from infected devices and transmits it to attackers. These malware programs, often distributed through droppers, come in various forms such as RedLine, META Stealer, LummaC2, and others. Subscription prices for these infostealers typically range from dozens to hundreds of dollars per month. Buyers receive builder applications to customize their malware, allowing them to bypass common antivirus solutions and retrieve victim data through web panels or messaging platforms like Telegram.

Crypter
Crypter developers specialize in creating tools that pack malicious executable files in a way that evades detection by antivirus software. By using crypters, cybercriminals can enhance the stealth capabilities of their malware, enabling them to achieve more objectives without being detected. Crypters provide an additional layer of protection on top of existing AV bypassing techniques found in droppers and infostealers, allowing attackers to operate more covertly.

Traffer teams
Traffer teams are groups of individuals who collaborate to spread infostealers on a large scale. They operate through forums and Telegram channels, offering a complete package for infecting unsuspecting internet users in exchange for a percentage of the stolen cryptocurrency. They provide tools like undetectable stealers and guides on creating fake content, such as YouTube tutorials, for distribution.

Traffer team managers oversee these operations, combining crypter/infostealer malware with friendly Telegram bots to recruit and manage workers. Success in this role requires good communication skills and the ability to attract workers by offering competitive terms. Convincing enough people to join can lead to significant returns.

Traffer team spreaders are entry-level positions that involve creating fake content like YouTube tutorials or scam pages to distribute the provided infostealer malware.

Log cloud operator
The Log Cloud Operator obtains logs from public sources, rebrands them as unique and private, and sells them for profit. Log Cloud offers a service providing daily fresh logs for a fee through platforms like Telegram or Mega.nz. Infostealer logs are collected from various sources and may contain valuable information for those who know what to look for. The focus is on quantity rather than quality, with some log clouds amassing terabytes of data over time.

Automated market operator
Automated Market Operators are online platforms where threat actors can purchase unique and private logs, particularly infostealer logs. These logs provide unauthorized access to various systems and data. The Russian Market is highlighted as the largest darknet marketplace for infostealer logs, following the downfall of other major marketplaces like Genesis Market and 2easy. As of July 2024, the Russian Market had over 7 million records available for sale, offering threat actors a range of accesses for a price of $10 or less.

Initial access brokers
Initial Access Brokers (IABs) are individuals or groups who lease tools from MaaS operators to deploy infostealers through phishing or malicious ad campaigns. These malicious programs are designed to steal data from compromised systems and transmit it to a Command and Control (C2) server. The stolen data, which includes sensitive information like credentials for various services, is then sold to threat actors for illicit activities.

Initial Access Brokers may also be individuals or groups that specialize in obtaining and selling valuable information found within vast amounts of data stored in log clouds or automated marketplaces. They search for valid credentials acquired through infostealer infections, allowing them to gain entry into compromised networks. Subsequently, they offer these compromised access points for sale to interested parties, including threat actors such as ransomware gangs, in exchange for financial gain.

Specialist log parser
Specialist log parsers play a crucial role in the cybercriminal ecosystem by offering tools to interpret and extract valuable information from raw infostealer logs. Marketplaces like Genesis Market provide built-in parsing features, while others sell raw logs that require additional processing. Parsing these logs can be complex due to their varied formats and extensive data, leading to a secondary market for parser tools tailored to specific customer needs, whether they are deploying infostealers or analyzing bulk log data.

URL:Log:Pass Resellers are entities that specialize in selling .txt files containing URLs, login credentials, and passwords extracted from compressed log data. This segment of the market emerged to cater to individuals seeking specific login information without the need to sift through extensive log packages. By offering condensed files in a more manageable gigabyte size, users can easily search for desired credentials using common tools like grep. While similar to log cloud operators in their operations, URL:Log:Pass resellers handle and store less data, making the process more streamlined. Other services, including websites and Telegram bots, facilitate access to these files, enabling users to search for login details without requiring advanced technical knowledge or even familiarity with tools like grep.
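Defenders parse the same URL:LOGIN:PASS files for the opposite purpose: to find which of their own accounts appear in a leak and need resetting. The following is an added example (not from the original article) of such an exposure check. The record format is the informal one described above and is assumed to put no colons in the URL's host or path other than the scheme separator and an optional port; passwords that contain colons are handled by splitting only at the first colon after the login. The sample lines are constructed, not real leaked data, and the two-label domain fallback is a stand-in for a Public Suffix List lookup.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A naive split on ":" mangles the URL's "://" and port, so the URL is
# matched explicitly and the remainder is split at the first ":" only.
RECORD = re.compile(
    r"^(?P<url>[A-Za-z][A-Za-z0-9+.-]*://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$"
)


def parse_line(line):
    """Parse one URL:LOGIN:PASS record; return None for lines that are not records."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    host = (urlsplit(url).hostname or "").lower()
    return {"url": url, "host": host,
            "login": m.group("login"), "password": m.group("password")}


def registrable_domain(host):
    """Crude last-two-labels fallback (assumption); use the Public Suffix List in practice."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def exposure_report(lines, watched_domains):
    """Map each watched domain to the set of (login, host) pairs seen under it.

    Passwords are deliberately not returned: the check only needs to know
    which accounts to reset, not what the leaked password was.
    """
    watched = {d.lower() for d in watched_domains}
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dom = registrable_domain(rec["host"])
        if dom in watched:
            hits[dom].add((rec["login"], rec["host"]))
    return dict(hits)


# Constructed sample records for the example; not real leaked data.
SAMPLE = """\
https://vpn.example.com/remote/login:jdoe@example.com:Winter:2023!
https://mail.example.com:443/owa:jdoe@example.com:Winter:2023!
https://shop.example.org/account:buyer42:hunter2
http://192.0.2.10:8080/admin:admin:admin
not a record at all

https://vpn.example.com/remote/login:asmith:Pa55word
""".splitlines()

if __name__ == "__main__":
    for dom, accounts in exposure_report(SAMPLE, ["example.com"]).items():
        print(dom)
        for login, host in sorted(accounts):
            print(f"  reset {login} (seen on {host})")
```

Because a single victim's log usually contains the same login on several of the organization's hosts (VPN, webmail, SSO), reporting per (login, host) pair rather than per line shows which services the buyer can reach with one credential, which is what drives the reset and session-revocation decision.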

Customer
Customers of stolen data, such as financially motivated cybercriminals and ransomware groups, purchase information obtained by infostealers for a variety of purposes. This data can range from cryptocurrency wallet credentials to corporate account logins, which are used for fraudulent transactions or gaining unauthorized access to enterprises. The demand for infostealer data has surged with the rise of ransomware-as-a-service (RaaS) models.

Script-kiddie
Script-kiddies, often bored youth seeking quick cash or chaos online, leverage publicly available tools like infostealers to cause damage without needing programming skills. They can easily access stolen data, spread malware, and check credentials with pre-made tools. An example is the Lapsus$ hacker group, composed of teenagers, who stole 780GB of data from Electronic Arts and hacked Uber using infostealer infections.

Victim
Victims of cyberattacks often find themselves in situations where they feel compelled to pay ransom to criminal groups. This payment is typically made to avoid the exposure of sensitive data or to regain access to vital information necessary for business operations. Unfortunately, these actions inadvertently support the ongoing criminal economic ecosystem.

From July to October 2022, India, Indonesia, and Brazil were the top three countries with the highest number of infostealer victims on the Russian Market. The high number of victims in these countries can be attributed to their large populations and relatively low levels of cybersecurity awareness. During this period, the number of infostealer victims increased by 33% in India, 30% in Indonesia, and 40% in Brazil. The remaining seven countries in the top 10 list were Pakistan, Vietnam, Egypt, Thailand, Philippines, Turkey, and the United States.