What Are Infostealers and Why Should My Business Be Concerned?
In June this year, a mass extortion campaign against customers of data cloud specialist Snowflake was discovered. According to reports, victims were threatened with data exposure if they didn’t pay a ransom of up to $5m. The threat actors managed to compromise over 500 million Ticketmaster records and 30 million belonging to Santander customers. Many more corporate victims are still to emerge from the 160+ thought to have been caught in the data-stealing campaign.
Threat intelligence vendor Mandiant, which is investigating, claims the bad actors caused this mayhem using disarmingly simple tactics. They used customer Snowflake logins obtained by infostealer malware and then took advantage of a lack of multifactor authentication (MFA) to walk through an open door. It’s reason enough to ensure that your cyber defences can withstand an info-stealing attack.
What Are Infostealers?
Infostealers are an increasingly prevalent class of malware designed, as the name suggests, to covertly extract sensitive information from a victim’s computer or mobile device. This data will either be used directly by the same threat actors or, more likely, sold on the cybercrime underground for use in follow-on identity fraud and cyber-attacks like the campaign against Snowflake customers.
The malware might look for information such as:
- Files stored on the endpoint machine/device
- Data streams from instant messaging apps like Telegram
- Assets contained in crypto wallets, such as NFTs and coins
- Credentials stored in mail or FTP clients, gaming platforms or VPN profiles
- Information stored in the browser, which could include passwords and credentials from multiple sites, stored credit cards, authentication/session cookies, auto-filled logins and much more
Capture of session cookies could enable threat actors to bypass MFA, making them a potent threat. According to Trend Micro, information stored in a device browser “is by far the preferred target for data stealers”. Once its work is done, the infostealer collects all its stolen information and places it into an archive called a log – which could sell for over $100 depending on the quality and quantity of data it contains.
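The MFA-bypass mechanism described above (a stolen session cookie replayed from the attacker's machine) leaves a recognisable trace in web application logs: a session identifier that was issued to one browser suddenly being presented from a different address with a different User-Agent. The following is an added example, not code from the article or from any vendor it quotes. It assumes a hypothetical application that logs one JSON line per authenticated request carrying the session id, source IP, User-Agent and (on login) whether MFA was completed; the log lines are constructed for the example. It flags both session replay and logins that completed without MFA, the two conditions the Snowflake campaign relied on.

```python
"""Detect replay of stolen browser session cookies from authentication logs.

Added example (not from the ISMS.online article). Assumes a hypothetical
web application that writes one JSON line per authenticated request with
fields: ts, event ("login" or "request"), user, sid, ip, ua and, on login,
mfa. A session presented from a different IP *and* a different User-Agent
than the ones it was issued to is flagged, which is what a cookie lifted
by an infostealer and replayed elsewhere looks like. IP change alone is
deliberately not flagged (mobile roaming and VPNs would drown the signal).
"""
import json
from dataclasses import dataclass

# Constructed sample log lines (not real traffic), in chronological order.
# alice's session s-1001 is later presented from a different host/browser.
# bob logs in without MFA, the gap the Snowflake attackers walked through.
SAMPLE_LOG = """
{"ts": "2024-06-03T09:00:01Z", "event": "login",   "user": "alice", "sid": "s-1001", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "mfa": true}
{"ts": "2024-06-03T09:05:12Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125"}
{"ts": "2024-06-03T09:10:00Z", "event": "login",   "user": "bob",   "sid": "s-2002", "ip": "192.0.2.55",   "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": false}
{"ts": "2024-06-03T09:11:30Z", "event": "request", "user": "bob",   "sid": "s-2002", "ip": "192.0.2.55",   "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2024-06-03T11:42:40Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126"}
"""


@dataclass
class Session:
    """What we remember about a session at the moment it was issued."""
    user: str
    ip: str
    ua: str
    mfa: bool


@dataclass
class Finding:
    kind: str      # "no_mfa", "unknown_session" or "session_replay"
    user: str
    sid: str
    detail: str


def analyse(log_text: str) -> list[Finding]:
    """Walk the log in order, remembering issued sessions and flagging anomalies."""
    sessions: dict[str, Session] = {}
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        ev = json.loads(raw)
        sid = ev["sid"]
        if ev["event"] == "login":
            sess = Session(ev["user"], ev["ip"], ev["ua"], bool(ev.get("mfa", False)))
            sessions[sid] = sess
            if not sess.mfa:
                findings.append(Finding("no_mfa", sess.user, sid,
                                        "login completed without multifactor authentication"))
            continue
        sess = sessions.get(sid)
        if sess is None:
            # A cookie we never saw issued: either outside the log window or replayed.
            findings.append(Finding("unknown_session", ev["user"], sid,
                                    "request with a session id not issued in this log window"))
            continue
        ip_changed = ev["ip"] != sess.ip
        ua_changed = ev["ua"] != sess.ua
        if ip_changed and ua_changed:
            findings.append(Finding("session_replay", sess.user, sid,
                                    f"issued to {sess.ip} / {sess.ua!r}; "
                                    f"now presented from {ev['ip']} / {ev['ua']!r}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] user={f.user} sid={f.sid}: {f.detail}")
```

A `session_replay` finding is the cue to invalidate that session server-side and force re-authentication with MFA; a `no_mfa` finding is the policy gap to close before stolen credentials can be used at all.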
Infostealers have been circulating on the cybercrime underground since around 2011. Over the past 15 or so years, malware developers have continued to refine and customise their offerings to target various platforms – from Android devices to Windows PCs and Facebook business accounts. They can be delivered in several ways: phishing or smishing (SMS phishing), drive-by downloads from infected websites, cracked games, and concealment in legitimate-looking applications such as fake meeting software, as well as via Google Ads and even YouTube video descriptions.
They pose a growing risk to organisations in post-pandemic hybrid working environments, where employees may visit risky sites on their personal devices, which then become infected with infostealers. Because of BYOD policies, such devices may also have access to corporate resources and data, putting these at risk of theft. Over half (51%) of IT leaders say they have seen evidence of compromised personal devices accessing sensitive corporate data.
Evading Capture
Today, budding cybercriminals and fraudsters have a wealth of options to choose from on the cybercrime underground markets. They include popular infostealers like RedLine, Raccoon, Vidar and Taurus. A malware-as-a-service (MaaS) model has helped to democratise access to such tools to a much wider criminal user base. And innovation efforts continue. Some marketplaces offer log parsing services to help threat actors extract data from raw logs for use or resale.
Infostealer developers also expend plenty of effort to ensure their malware remains hidden from security tools. Some, like the Rhadamanthys variant, operate in system memory to evade detection. Others, like Raccoon, feature changes to User-Agents and mutexes in a bid to bypass indicator-based detection, according to one report. A new version of the popular Lumma variant emerged last year with sophisticated anti-sandbox capabilities. The men and women behind these tools are also going to greater lengths to stay hidden – advertising their wares on Telegram, Mastodon and other sites rather than through centralised criminal marketplaces that are prone to law enforcement monitoring and disruption.
How to Mitigate the Threat from Infostealers
What is in no doubt is the potentially serious threat they pose to corporate cybersecurity. Aside from the Snowflake account breaches, an infostealer unwittingly downloaded to an employee’s laptop was responsible for a major data breach at continuous integration and delivery platform CircleCI last year. One vendor claims that 10 million devices encountered info-stealing malware in 2023, a sevenfold increase since 2020.
The good news is that tried-and-tested best practices can keep infostealers off corporate systems, according to Trend Micro UK & Ireland technical director, Bharat Mistry.
“Organisations can mitigate the threat from infostealers by implementing preventive measures such as employee training, strong authentication, and endpoint protection,” he tells ISMS.online. “Regular software updates and network security are also crucial. Detection strategies include advanced threat detection, regular security audits and continuous monitoring.”
However, IT security leaders can also mitigate the risk from infostealers through compliance with best practice standards.
“Compliance with standards like ISO 27001 significantly enhances cybersecurity efforts by offering a structured approach to risk management and implementing comprehensive security controls, which are essential for robust protection,” Mistry argues.
“Regular audits ensure continuous vigilance against emerging threats. Employee training and awareness are vital, transforming your staff into the first line of defence. Additionally, the standard’s stringent incident management requirements guarantee that any breaches are swiftly and effectively addressed.”
When matched against potentially life-threatening ransomware attacks, infostealers may not sound like a significant cybersecurity risk. However, as the Snowflake incident highlights, they play an increasingly important role in the cybercrime ecosystem. As an enabler of credential theft and MFA bypass, they could be the first stage in a devastating data breach and extortion attack. It’s time to dust down those cybersecurity best practices.