Among the medley of malicious software that threat actors use in cyberattacks, infostealers regularly feature in reports of stolen sensitive information from compromised systems. The growing cyber threat of infostealers reflects the value that hackers place on obtaining different types of data. This article takes a look at what infostealers are, how they work, recent incidents involving them and mitigation tips.
Infostealers are a type of malware that stealthily harvests a wide range of sensitive information from infected devices. This data includes the usual targets of data-driven cybercrime, like personal details, financial information, login credentials, etc.
Often, the stolen data gets used for opportunistic financial gain, but other uses include identity theft, progressing to ransomware attacks, accessing and shutting down important systems, and conducting espionage. A surge in infostealer use saw incidents involving them doubling between 2022 and 2023.
The first challenge attackers face in using infostealers is distributing them to unsuspecting victims. Well-crafted phishing emails with malicious attachments are a popular method of delivery. It’s also common to see hackers deploying infostealers by exploiting vulnerabilities in software or online services. Other ways to distribute infostealers include fake software updates, malicious advertisements on legitimate websites, or fake applications.
Once installed on devices by unsuspecting users, this type of malware can perform actions like evading detection by antivirus software (one notable recent infostealer family uses trigonometry to accomplish this) and transferring stolen data to a command and control (C&C) server operated by the attackers.
To actually gather useful data from targeted systems, infostealers might employ various collection methods, including logging keystrokes, taking screenshots of infected devices, harvesting saved autofill data from web browsers, or stealing cookies and session tokens. Often, the stolen information appears on the dark web as logs available for sale.
There are plenty of high-profile incidents to choose from in recent times involving infostealers; here’s just a sample of those attacks.
A recent Nuspire threat brief highlighted the use of infostealers abusing an undocumented Google OAuth endpoint to retrieve user session cookies and logins. Interestingly, the infostealer families in question could restore expired authentication cookies to facilitate unauthorized access to Google accounts, long after users had logged out.
News emerged in late 2023 about an infostealer targeting macOS through fake browser updates. The threat actors use malicious websites and fake Safari update prompts to entice people into downloading the Atomic Stealer infostealer program. Atomic Stealer can exfiltrate data like passwords, cookies, credit cards stored in browsers, and local files.
A campaign targeting Windows devices used the tactic of typosquatting to get people to visit malicious websites and download what appeared to be an open-source password manager. In fact, the downloaded file contained the ZenRAT infostealer program. ZenRAT is a basic infostealer that collects browser data and stored user credentials. The typosquatting tactic involved registering a domain very similar to that of the legitimate password manager tool Bitwarden (the fake site was bitwariden.com rather than bitwarden.com).
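The bitwariden.com example above is one character away from the real domain, which is exactly the kind of lookalike a simple edit-distance check can surface in proxy or DNS logs. The following is an added example written for this article, not code from Nuspire or from the campaign described; the allow-list of legitimate domains and the sample hostnames are constructed for illustration, and the distance threshold of 2 is an assumption a team would tune for its own environment. It flags hostnames whose registrable label is within a small edit distance of a known brand but whose domain does not actually belong to that brand.

```python
"""Flag lookalike (typosquatted) domains against an allow-list of legitimate brands.

Added example (not from the original article). The allow-list, sample hosts and
the distance threshold are constructed assumptions for illustration.
"""

from __future__ import annotations

# Constructed allow-list: domains the organisation considers legitimate.
LEGITIMATE_DOMAINS = ["bitwarden.com", "google.com", "nuspire.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise_host(host: str) -> str:
    """Lowercase, strip a port and a trailing dot (as found in some DNS logs)."""
    return host.lower().split(":")[0].rstrip(".")


def registrable_label(host: str) -> str:
    """Return the label left of the public suffix, e.g. 'bitwarden' for vault.bitwarden.com.

    Assumption: a single-label TLD; a real deployment would use the public suffix list.
    """
    parts = normalise_host(host).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(host: str, legit=LEGITIMATE_DOMAINS, max_distance: int = 2):
    """Return ('legitimate', brand), ('lookalike', brand) or ('unknown', None).

    A host is legitimate only if it equals, or is a subdomain of, an allow-listed
    domain. A host whose label is close to a brand label (including an exact label
    on a different TLD) but is not under that domain is flagged as a lookalike.
    """
    host_n = normalise_host(host)
    label = registrable_label(host_n)
    best = None
    for brand in legit:
        if host_n == brand or host_n.endswith("." + brand):
            return ("legitimate", brand)
        dist = levenshtein(label, registrable_label(brand))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return ("lookalike", best[0]) if best else ("unknown", None)


def flag_hosts(hosts):
    """Run the classifier over a sequence of hostnames; return only lookalikes."""
    return [(h, classify_domain(h)[1]) for h in hosts if classify_domain(h)[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a web-proxy log.
    sample = ["vault.bitwarden.com", "bitwariden.com", "g00gle.com", "example.org", "bitwarden.co"]
    for host, brand in flag_hosts(sample):
        print(f"LOOKALIKE {host} -> resembles {brand}")
```

Running the block prints the three constructed lookalikes (bitwariden.com, g00gle.com and bitwarden.co) and stays silent on the genuine subdomain and the unrelated domain. In practice a hit is a lead, not a verdict: the next step is checking who registered the domain and whether anything was downloaded from it.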
While attacks involving infostealers often target individuals during their everyday browsing activities, they don’t happen only at the individual level. Attacks on companies might involve more calculated efforts (e.g., targeting specific employees with access to valuable data) and more advanced malware families. Here are some general tips and best practices to mitigate infostealer risks.
Nuspire offers advanced endpoint detection and response (EDR) services to help safeguard every device on your network against threats like infostealers. Our team of experts offers threat hunting on endpoints, as well as centralized monitoring and management.