2024-05-23
Security Team
Crumbled Security: Revealing the Malicious Cookie Hijack
Cyber Attack
Malware Analysis

In recent years, there has been a remarkable surge in the utilization of data encryption technologies. These encryption methods offer crucial safeguards against a myriad of cyber threats, ranging from sophisticated data breaches to targeted phishing attacks. However, it's essential to acknowledge that while encryption significantly fortifies data protection, it's not impervious to breaches. One particularly insidious threat that persists despite encryption measures is data exfiltration through malicious insiders.

Despite the robust defense mechanisms implemented by organizations, malicious insiders continue to pose a significant risk. These individuals, whether disgruntled employees or compromised accounts, have intimate knowledge of the organization's systems and can exploit vulnerabilities to access and exfiltrate sensitive data. Unlike external threats, malicious insiders often bypass traditional security measures, making them a formidable adversary.

In this blog post, we'll delve into the intricacies of insider threats, exploring common tactics, techniques, and procedures employed by malicious insiders. We'll examine real-world case studies and highlight the devastating impact of insider breaches on organizations. By understanding the nature of insider threats and implementing proactive mitigation strategies, businesses can better safeguard their sensitive assets from internal exploitation.


Ingress and Consequences

Infostealers employ various techniques to target a wide audience rather than specific individuals. The three primary infection methods are phishing, malvertising (via malicious ads on platforms like Google and Facebook), and impersonating illegal software such as cracked programs and game cheats.

Once activated, this malware typically targets login and session data for various applications without requiring elevated privileges. The stolen data is then transmitted to a command-and-control server for threat actors to exploit, and is often sold on dark web forums.

The impacts of infostealers can be severe, with attackers often using stolen credentials for more targeted attacks, including supply chain attacks. Such breaches can disrupt operations across multiple organizations. Stolen cookies can also serve as initial access points for ransomware attacks, leading to data leaks and network encryption that halt operations.

Moreover, infostealers facilitate theft from payment systems or crypto applications, and threat actors may exploit reputable social media accounts for crypto scams. These multifaceted impacts underscore the urgent need for robust cybersecurity measures to mitigate such threats effectively.


Infostealer Remote Sensing

Unlike ransomware groups, infostealers typically do not openly advertise their victim count on leak sites. While ransomware groups often utilize leak sites to showcase their victims, infostealers rely on stolen logs sold on various forums, which poses challenges in accurately assessing victim numbers and attribution.

Identifying successful infostealers relies heavily on detection telemetry, which presents its own set of challenges. Detection engines may label the malware as a "generic stealer" or misidentify it altogether due to the difficulty in pinpointing the specific infostealer used.

Interestingly, high detection rates can trigger a cat-and-mouse game between malware developers and security vendors. As detection rates rise, developers adapt their malware to evade detection, prompting vendors to update their detection logic. Thus, the number of vendors detecting a particular malware fluctuates over time, but the average across different malware families remains relatively consistent.

To gauge the success of infostealers, we examined multiple telemetry sources, including VirusTotal, Any.Run, and MalwareBazaar.

Analyzing the top five infostealers by the number of uploads during February 2024, we obtained the following insights:


As we can see, the results are only consistent for the first three. The top are RisePro, RedLine and then StealC. LummaC2 and Vidar both appear in fourth and fifth places but also have a column where they don’t make it into the top five at all (in both cases, they’re sixth but relatively far behind). Raccoon ranks fourth on VirusTotal but doesn’t appear in the other top five sets. In MalwareBazaar, there were a mere two uploads of Raccoon in the entire month. Finally, PureLogs also only appears once in fifth place in the MalwareBazaar set.

Infostealer Techniques

Infostealer malware extends its reach beyond cookie theft to target several critical browser files, each containing valuable data. The "Local State" file holds decryption keys necessary to access encrypted browsing data, bypassing Windows' DPAPI protection. Similarly, the "Login Data" file stores usernames and passwords, providing access where multi-factor authentication is absent. Another key target is the "Web Data" file, housing form data potentially including passwords and credit card information.

Beyond browsers, infostealers also target desktop applications like Telegram, Discord, and Steam. Additionally, they may be configured to pilfer sensitive documents from any folder on victim machines. This comprehensive approach underscores the breadth of data at risk and highlights the importance of robust cybersecurity measures.

Infostealer Examples

Let's delve into some examples of infostealer malware, focusing on RisePro, StealC, and LummaC2.

RisePro:

RisePro stands out as one of the most prolific infostealers, appearing significantly more often than its counterparts, barring RedLine. However, despite its prevalence, RisePro exhibits some lapses in covering its tracks. While it typically follows the common practice of malware cleaning up after itself by deleting created files, it overlooks certain files, such as "passwords.txt," saved in a subfolder of the temp directory.

This oversight provides researchers and incident responders with valuable insights into the malware's operations, facilitating more effective mitigation strategies.

Leaving behind files like "passwords.txt" isn't just a breach of malware etiquette; it's a significant security risk for the operator. Upon inspection, it's evident that we're dealing with RisePro Stealer, thanks to its conspicuous banner. This oversight not only alerts researchers and incident responders to the presence of RisePro but also exposes the malware to detection by many EDR-type solutions. Such blatant indicators make it easier to identify and mitigate RisePro infections, highlighting the importance of thorough malware analysis in cybersecurity efforts.
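As an added detection example (not code from the original post), the following Python checks a handful of constructed endpoint file-event records for the two signals described in the "Infostealer Techniques" and RisePro sections: a non-browser process reading Chrome's "Local State", "Login Data" or "Web Data", and a "passwords.txt" created in a subfolder of the user's temp directory. The JSON event format, the browser allow-list and the sample records are assumptions made for illustration.

```python
import json
import re
from typing import List, Optional
from pathlib import PureWindowsPath

# Browser artefacts named in the post, compared case-insensitively on the file name.
BROWSER_TARGETS = {"local state", "login data", "web data"}
# Processes expected to touch those files (assumed allow-list for illustration).
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# RisePro leftover: passwords.txt inside a subfolder of %TEMP%, not in %TEMP% itself.
TEMP_SUBFOLDER_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\\passwords\.txt$", re.I)

# Constructed sample events (JSON lines); the format is an assumption, not a real EDR export.
SAMPLE_LOG = r"""
{"process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "action": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"process": "C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe", "action": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"process": "C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe", "action": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"process": "C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe", "action": "create", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2c3\\passwords.txt"}
{"process": "C:\\Windows\\System32\\notepad.exe", "action": "create", "path": "C:\\Users\\alice\\Documents\\passwords.txt"}
"""


def check_event(event: dict) -> Optional[str]:
    """Return an alert label for one file event, or None if it looks benign."""
    proc = PureWindowsPath(event["process"]).name.lower()
    path = event["path"]
    name = PureWindowsPath(path).name.lower()
    # Signal 1: something other than a browser reads the browser's credential stores.
    if event["action"] == "read" and name in BROWSER_TARGETS and proc not in BROWSER_PROCS:
        return f"browser-data-access: {proc} read {name}"
    # Signal 2: the RisePro-style passwords.txt artefact appears under a temp subfolder.
    if event["action"] == "create" and TEMP_SUBFOLDER_RE.match(path):
        return f"risepro-artifact: {proc} created {path}"
    return None


def scan(lines) -> List[str]:
    """Parse JSON-lines events and collect the alerts they trigger, in order."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```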


StealC Malware

StealC emerges as another notable infostealer with a solid track record, boasting good coverage among researchers. One intriguing aspect of StealC is its approach to thwarting configuration extraction, a common tactic employed by threat actors to impede analysis.

While some malware, particularly in the ransomware realm, requires specific command line arguments for configuration extraction, infostealers like StealC face a challenge due to their need for automatic execution. StealC introduces a unique solution by storing part of its configuration server-side, specifically the targeted application list. Upon execution, the malware sends a request to retrieve this portion of the configuration from the server.

While this method offers a partial safeguard against configuration extraction, it's not foolproof, as the malware still requires the C2 address stored within itself to initiate the request. Nonetheless, StealC's innovative approach underscores the evolving tactics employed by threat actors to evade detection and analysis.

It's unclear if the reasoning behind this feature is to avoid config extractors or if the purpose was to allow for more flexibility when modifying targets for the malware. For instance, if a new browser comes out, other stealers will need to compile a new executable and distribute it to new victims. At the same time, StealC might be able to modify the config on the server and immediately affect all victims that have been recently infected with their malware.

Lumma Stealer C2

While not as prevalent as other infostealers, LummaC2 warrants attention due to its innovative and adaptable nature. Despite not ranking in the top five on VirusTotal, LummaC2 demonstrates a penchant for creativity in its malware tactics.

Recent examples include using trigonometry as an anti-sandbox measure and being the first to exploit the MultiLogin issue in Google Chrome for cookie retrieval. Additionally, their inventive distribution method via Reddit, infecting computers through "chargeable adult tools," showcases their flexibility and resourcefulness.

Reminiscent of early LockBit ransomware syndicates, LummaC2's smaller size doesn't hinder its potential for growth. With their innovative streak, they could emulate LockBit's rise to dominance in the ransomware landscape. As such, monitoring LummaC2's activities may offer insights into the future of infostealer groups, potentially positioning them as the most successful in the field.


Mitigations

Mitigating infostealers involves a multi-faceted approach that encompasses both technical measures and user education. Here are some strategies:

1. Use Antivirus and Anti-Malware Software: Employ reputable antivirus and anti-malware software that can detect and remove infostealers. Keep these programs updated to ensure they can recognize the latest threats.

2. Regular Software Updates: Ensure all software, including operating systems, browsers, and applications, is up-to-date with the latest security patches. Many infostealers exploit vulnerabilities in outdated software.

3. Firewalls and Intrusion Detection Systems (IDS): Use firewalls and IDS to monitor and filter network traffic, blocking unauthorized access and potentially malicious activities.

4. Secure Configuration: Configure systems securely, following best practices such as least privilege access, strong password policies, and disabling unnecessary services.

5. Email Security Measures: Implement email security measures such as spam filters, sender authentication (e.g., SPF, DKIM), and email encryption to prevent phishing attacks, which are often used to distribute infostealers.

6. Web Filtering: Employ web filtering tools to block access to known malicious websites and URLs, reducing the risk of users inadvertently downloading infostealers.

7. User Education and Awareness: Educate users about the risks of downloading files or clicking on links from unknown or suspicious sources. Encourage them to be vigilant and report any suspicious activity.

8. Behavioral Analysis: Use endpoint detection and response (EDR) solutions that employ behavioral analysis to detect abnormal activities indicative of infostealer behavior, such as keystroke logging or data exfiltration.

9. Data Encryption: Encrypt sensitive data both at rest and in transit to make it more difficult for infostealers to access and exfiltrate.

10. Incident Response Plan: Develop and regularly update an incident response plan that outlines procedures for detecting, containing, and mitigating infostealer attacks.

11. Continuous Monitoring and Auditing: Implement continuous monitoring and auditing of systems and networks to detect any unauthorized access or unusual activities that may indicate an infostealer infection.

12. Backup and Recovery: Maintain regular backups of critical data and test the restoration process to ensure data can be recovered in the event of a successful infostealer attack.

By combining these technical measures with user education and proactive monitoring, organizations can significantly reduce the risk posed by infostealers.
