Full Report
Inexpensive information-stealing malware surged in 2024, infecting 23 million hosts, according to Flashpoint. The post Infostealers fueled cyberattacks and snagged 2.1B credentials last year appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Information Stealers (Infostealers)
## Overview
Information Stealers (Infostealers) are malware designed to harvest sensitive data from compromised systems, including credentials, browser data, system information, and cryptocurrency wallet details. They are increasingly used as initial access vectors for ransomware campaigns, account takeovers, and broader data breaches.
## Technical Details
- Type: Malware family (General category)
- Platform: Primarily Microsoft Windows (majority of infections tracked); some variants target macOS.
- Capabilities: Steal system information, saved credit cards, cryptocurrency wallets, autofill information, account credentials, active session cookies from browsers. They often compress harvested data into archives before exfiltration.
- First Seen: Not specified in the text, but usage surged significantly in 2024.
## MITRE ATT&CK Mapping
This summary maps the general behavior associated with Infostealers, which often overlap across multiple stages of an attack.
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1189 - Drive-by Compromise (implied via illegitimate software downloads)
- **TA0009 - Collection**
  - T1005 - Data from Local System
  - T1555 - Credentials from Password Stores
    - T1555.003 - Credentials from Web Browsers
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0004 - Privilege Escalation** (implied through use of stolen credentials)
## Functionality
### Core Capabilities
- Harvesting and consolidation of various types of sensitive data from target environments (credentials, browser data, system info).
- Compressing cataloged data (including file directory listings and registry keys) into a single archive.
- Exfiltration of the compressed archive to a remote server controlled by the threat actor.
- Low cost and ease of use, allowing threat actors with minimal technical skill to cause significant compromise at scale.
### Advanced Features
- Designed to circumvent specific security controls and avoid detection.
- Capable of acting as an initial access vector for deployment of secondary malware, notably ransomware.
- Stolen credentials enable lateral movement and privilege escalation within victim networks.
## Indicators of Compromise
- File Hashes: Not specified.
- File Names: Not specified (depends on the specific strain). Files are typically compressed archives containing stolen data.
- Registry Keys: Registry keys are often cataloged for exfiltration (specific keys not detailed).
- Network Indicators: Data is sent to a remote server (C2) for exfiltration (specific domains/IPs not provided).
- Behavioral Indicators: Installation via phishing or illegitimate software downloads; discovery/cataloging of files and registry entries; creation of compressed archives for exfiltration.
## Associated Threat Actors
Various threat actors use infostealer strains, often purchased on underground forums. Credentials stolen by these tools were implicated in the mass compromise of Snowflake customer environments.
## Detection Methods
- Signature-based detection: implied by the source; no specific signatures are provided.
- Behavioral detection: monitor for processes that read large amounts of browser, system, or credential data; for the creation of unusual compressed archives on user endpoints; and for periodic beaconing to known C2 infrastructure associated with stealer exfiltration uploads.
- YARA rules: Not specified.
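The collection-then-compress pattern from the behavioral bullet above, expressed as an added correlation check over constructed endpoint telemetry. This is example code written for this summary, not from the article or any vendor product; the event fields, file paths and the five-minute window are assumptions.

```python
"""Toy behavioural detector: flag a process that reads several browser credential
stores and then writes a compressed archive shortly afterwards. Not a real EDR rule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments of common browser credential/cookie stores (Chromium and Firefox).
BROWSER_STORE_MARKERS = ("login data", "cookies", "web data", "logins.json", "key4.db")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")

# Constructed endpoint telemetry (not from the article); the field names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T10:00:01", "pid": 4120, "image": "update.exe", "op": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-06-01T10:00:02", "pid": 4120, "image": "update.exe", "op": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"ts": "2024-06-01T10:00:03", "pid": 4120, "image": "update.exe", "op": "read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"ts": "2024-06-01T10:00:09", "pid": 4120, "image": "update.exe", "op": "create",
     "path": r"C:\Users\alice\AppData\Local\Temp\a1b2.zip"},
    # The browser itself reads its own stores but never builds an archive.
    {"ts": "2024-06-01T10:01:00", "pid": 900, "image": "chrome.exe", "op": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-06-01T10:01:01", "pid": 900, "image": "chrome.exe", "op": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    # A backup tool archives documents but touches no credential store.
    {"ts": "2024-06-01T10:02:00", "pid": 2200, "image": "backup.exe", "op": "read",
     "path": r"C:\Users\alice\Documents\report.docx"},
    {"ts": "2024-06-01T10:02:05", "pid": 2200, "image": "backup.exe", "op": "create",
     "path": r"D:\backups\docs.zip"},
]


def find_stealer_candidates(events, window=timedelta(minutes=5), min_stores=2):
    """Return one finding per archive created by a process that read at least
    `min_stores` distinct browser stores within `window` beforehand."""
    store_reads = defaultdict(list)  # pid -> [(time, lowercased path)]
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, path = datetime.fromisoformat(ev["ts"]), ev["path"].lower()
        if ev["op"] == "read" and any(m in path for m in BROWSER_STORE_MARKERS):
            store_reads[ev["pid"]].append((t, path))
        elif ev["op"] == "create" and path.endswith(ARCHIVE_EXTENSIONS):
            recent = {p for rt, p in store_reads[ev["pid"]] if t - rt <= window}
            if len(recent) >= min_stores:
                findings.append({"pid": ev["pid"], "image": ev["image"],
                                 "archive": ev["path"], "stores": sorted(recent)})
    return findings
```

Tune `min_stores` and `window` against your own baseline; browsers and legitimate backup tools each trip only one half of the pattern, which is what keeps the false-positive rate down.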
## Mitigation Strategies
- Strong authentication mechanisms, especially Multi-Factor Authentication (MFA), to mitigate risks from stolen credentials.
- User training against phishing and warnings regarding illegitimate software downloads.
- Network segmentation to limit lateral movement if initial access is gained via an infostealer compromise.
- Endpoint Detection and Response (EDR) tools configured to monitor for suspicious data collection and archive creation behavior common to infostealers.
## Related Tools/Techniques
**Specific Infostealer Strains Mentioned:**
1. **RedLine:** Infected 9.9 million hosts (43% of all observed infections in 2024).
2. **RisePro**
3. **StealC**
4. **Lumma Stealer**
5. **Meta Stealer**
6. **Vidar**
7. **Raccoon**
These tools were specifically linked to credentials used in the April 2024 Snowflake environment breaches affecting enterprises like AT&T and Ticketmaster.