Glossary
InfoStealers
An InfoStealer is a type of malware that gathers information from the computer it resides in. The InfoStealer transmits this stolen data to the attacker.
InfoStealer malware often remains undetected until some time after the stolen data has been exploited or sold. For individuals and organizations alike, the danger is that data taken by these programs can later be used as part of a larger-scale incident. InfoStealers are among the fastest growing cyber threats, ranked X by Y. Cybercriminals use them to harvest sensitive data, such as passwords and payment details, for as long as they remain undetected.
What are InfoStealers?
InfoStealers, or data stealers, are a class of malware created to infiltrate systems covertly and exfiltrate sensitive information without detection. These programs can be used to target a wide range of valuable data, which can then be resold on the deep and dark web.
The danger of an InfoStealer lies in its ability to operate silently. Once inside, it can swipe large volumes of data in a very short time.
Attackers can use this information to commit identity theft, take over an account, or sell it on online marketplaces. In the cybercrime economy, InfoStealers are invaluable because they exfiltrate important data quickly and efficiently. For cybercriminals, it’s an easy and profitable way to access the data they need.
Typical behavior of InfoStealers
InfoStealers can use various methods to acquire data. Some common methods include hooking browsers or other applications to steal typed credentials, using web injection scripts to add extra fields to web forms and submit information to a server controlled by the attacker, form grabbing to steal content from specific open windows, keylogging to record keystrokes, and stealing files and credentials from the system.
As a type of Trojan horse, they can be delivered as malicious attachments in spam campaigns, through websites compromised by exploit kits, and via malvertising.
An InfoStealer usually targets sensitive data such as credentials, credit card details, personally identifiable information, proprietary information, and network credentials, as well as system information and other valuable data, on corporate networks or endpoints, to exploit for financial gain or further malicious activity (e.g. credential dumping).
Some are designed to self-destruct upon completion or after a specified timeframe. This defense evasion tactic makes detection and remediation more challenging, as there may be no immediate evidence of a compromise until the stolen data is exploited or sold. Advanced Persistent Threat (APT) groups like Dragonfly use Trojan.Karagany, a self-deleting InfoStealer, as part of a defense evasion tactic called indicator removal.
Developers update InfoStealers regularly, adding new features to help them bypass security systems like firewalls, antivirus programs, and even advanced behavioral analysis tools.
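The behaviors described above (reading browser credential stores, sending the data out shortly afterwards, and deleting the process's own executable as indicator removal) are exactly what endpoint behavioral analytics looks for. The following is an added example, not code from the original glossary or from Webz.io: a small detector that scores constructed endpoint telemetry for those patterns. The event format, file paths, addresses and the 120-second window are assumptions made for this example.

```python
"""Added example, not part of the original glossary: a behavioral detector
that scans constructed endpoint telemetry for the InfoStealer patterns
described above (a non-browser process reading browser credential stores,
an outbound connection shortly afterwards, and self-deletion of the
process image as indicator removal). The event format, paths and
addresses are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

# Browser files that hold saved logins and cookies. Browsers read these
# themselves; a reader outside BROWSERS is the suspicious case.
CREDENTIAL_STORES = ("\\login data", "\\cookies", "\\logins.json", "\\key4.db")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXFIL_WINDOW_SECONDS = 120  # how soon after a credential read a connection counts


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)

    def severity(self):
        # Two or more independent indicators on one process is treated as high.
        return "high" if len(self.reasons) >= 2 else "medium"


def parse_event(line):
    """Parse one 'ts|type|pid|image|target' record (constructed format)."""
    ts, kind, pid, image, target = line.split("|", 4)
    return {"ts": int(ts), "type": kind, "pid": int(pid),
            "image": image.lower(), "target": target.lower()}


def analyze(lines):
    """Group events per process and return {pid: Finding} for suspicious ones."""
    by_pid = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_event(line)
            by_pid[e["pid"]].append(e)

    findings = {}
    for pid, events in sorted(by_pid.items()):
        events.sort(key=lambda e: e["ts"])
        image = events[0]["image"]
        name = image.rsplit("\\", 1)[-1]
        reasons = []
        first_cred_read = None
        for e in events:
            if (e["type"] == "file_read" and name not in BROWSERS
                    and e["target"].endswith(CREDENTIAL_STORES)):
                reasons.append(f"non-browser read of credential store {e['target']}")
                if first_cred_read is None:
                    first_cred_read = e["ts"]
            elif (e["type"] == "net_connect" and first_cred_read is not None
                    and 0 <= e["ts"] - first_cred_read <= EXFIL_WINDOW_SECONDS):
                reasons.append(f"outbound connection to {e['target']} "
                               f"within {EXFIL_WINDOW_SECONDS}s of credential read")
            elif e["type"] == "file_delete" and e["target"] == image:
                reasons.append("process deleted its own executable (indicator removal)")
        if reasons:
            findings[pid] = Finding(pid, image, reasons)
    return findings


# Constructed telemetry: pid 4242 is a dropped binary behaving like an
# InfoStealer; pid 5150 is Chrome doing its normal work and must not alert.
SAMPLE_TELEMETRY = [
    "1000|process_start|4242|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|",
    "1005|file_read|4242|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|"
    "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "1006|file_read|4242|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|"
    "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ab12.default\\logins.json",
    "1040|net_connect|4242|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|203.0.113.77:443",
    "1041|file_delete|4242|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe|"
    "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
    "1100|file_read|5150|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "1101|net_connect|5150|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|198.51.100.10:443",
]

if __name__ == "__main__":
    for pid, f in analyze(SAMPLE_TELEMETRY).items():
        print(f"[{f.severity()}] pid {pid} ({f.image})")
        for r in f.reasons:
            print("   -", r)
```

The design point is correlation: a single credential-store read or a single outbound connection is noisy on its own, but the same process doing both within a short window, and then removing its own image, is the sequence the section describes and is worth an alert even before any stolen data surfaces for sale.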
Common types of InfoStealers
There are many different types of InfoStealers, each targeting specific data. Here’s a breakdown of some of the most notorious ones and an example of that type of InfoStealer:
- Downloaders/Trojan Droppers
  - Zeus: A notorious Trojan dropper that downloads and installs various malware components, including InfoStealers, onto infected systems.
- Trojans
  - Agent Tesla: A sophisticated Trojan that can steal a wide range of sensitive data, including passwords, credit card information, and screenshots.
- Botnets
  - Mirai: A notorious botnet that primarily targets IoT devices but can also be used to launch DDoS attacks and distribute InfoStealer malware.
- Keyloggers
  - KeyStrike: A keylogger that records every keystroke on an infected system, allowing attackers to capture passwords, credit card numbers, and other sensitive information.
Popular InfoStealer families include the following:
- Tinba: A sophisticated banking Trojan known for its advanced evasion techniques and ability to steal sensitive financial information. It often targets online banking and payment systems.
- CoreBot: A modular botnet that can be used to distribute various types of malware, including InfoStealers. It’s known for its adaptability and ability to evade detection.
- Neutrino Botnet: A large-scale botnet primarily used for DDoS attacks but can also be used to distribute InfoStealer malware and other malicious payloads. It’s known for its resilience and ability to recruit new devices.
While the techniques might vary between these different types of InfoStealer malware, the goal is always the same: to collect and exploit valuable information as quickly as possible.
InfoStealer distribution methods
InfoStealers use several diverse methods to access a victim’s device, but the goal is always the same – to reach as many systems as possible. Here are the most common ways InfoStealers spread:
- Phishing emails: Phishing emails are the go-to method for cybercriminals. They trick users into clicking on a malicious link or downloading an infected attachment, which then installs the InfoStealer onto their system.
- Infected websites: Sometimes attackers infect legitimate websites with malicious code, or they create fake sites designed to download InfoStealer malware onto a visitor’s device. Often, these sites are promoted through social media posts or malicious ads.
- Malvertising: Malicious ads placed on otherwise legitimate websites can trigger downloads of InfoStealers when clicked.
- Exploit kits: These are tools that attackers use to find vulnerabilities in a system. Once a weakness is identified, the exploit kit injects the InfoStealer into the victim’s device.
InfoStealers and the dark web
InfoStealers and the dark web share a symbiotic relationship. The dark web provides a discreet platform for the distribution and sale of these malicious programs, while InfoStealers enable cybercriminals to collect valuable data that can be traded on these underground marketplaces.
Threat actors can buy malware and learn how to deploy it on dark web marketplaces. They can also sell sensitive corporate data on these marketplaces. This data can be used for credential stuffing attacks, phishing, and social engineering attacks to gain access to your network.
By understanding this connection, you can better appreciate the role the dark web plays in the proliferation and impact of InfoStealer attacks.
Defending against InfoStealers
Protecting yourself and your business from InfoStealers requires a combination of good practices and security measures. Here are some steps you can take to reduce the risk:
- Be cautious with emails: Phishing is one of the main ways InfoStealers spread. Businesses and individuals need to be aware of phishing tactics, and email filters can help block many of these messages before they even hit your inbox.
- Keep software up to date: Make sure you’re regularly updating your operating systems and software to patch any vulnerabilities that InfoStealers might exploit.
- Use multi-factor authentication (MFA): Even if an attacker gets hold of your login credentials, MFA adds an extra step to the login process, like a text message code, making it harder for them to access your accounts.
- Invest in endpoint security: Advanced endpoint security tools can detect and stop data stealers before they have a chance to do damage. Many of these tools use behavioral analytics to spot unusual activity on your system.
- Back up your data: Regularly backing up important data ensures that if your system is compromised, you can restore what’s been lost.
By implementing these strategies, you can protect your data and reduce your exposure to InfoStealers.
InfoStealers pose a serious and growing threat. Because they can infiltrate a system unseen, steal sensitive data, and disappear again, they are a favorite tool among cybercriminals.
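The email filtering mentioned in the first defensive step, and the infected-attachment phishing lure described in the distribution section, can be made concrete with a small gateway-style triage rule. The following is an added example, not code from the original glossary or from Webz.io: it parses a message, flags attachments that execute code when opened, disguised double extensions such as a `.pdf.exe`, macro-enabled Office documents, and executables hidden inside a zip, and returns a deliver/quarantine verdict. The messages, file names, extension lists and policy are constructed for this example.

```python
"""Added example, not part of the original glossary: a minimal attachment
triage filter of the kind an inbound mail gateway applies to stop the
InfoStealer delivery methods described above. Sample messages and the
extension policy are constructed assumptions, not a production rule set."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run code when opened, or are commonly used to smuggle it.
EXECUTABLE_EXT = {"exe", "scr", "js", "jse", "vbs", "hta", "bat", "cmd",
                  "ps1", "lnk", "msi", "dll"}
MACRO_OFFICE_EXT = {"docm", "xlsm", "pptm"}
DOCUMENT_LOOKALIKE_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXT = {"zip"}


def classify_name(filename):
    """Return a reason string if the file name alone is enough to flag it."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        # invoice.pdf.exe: the real type is hidden behind a document-looking one
        if len(parts) > 2 and parts[-2] in DOCUMENT_LOOKALIKE_EXT:
            return f"executable with disguised double extension ({filename})"
        return f"executable attachment ({filename})"
    if ext in MACRO_OFFICE_EXT:
        return f"macro-enabled Office document ({filename})"
    return None


def inspect_archive(filename, data):
    """Look inside a zip; encrypted members cannot be inspected, so flag them."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 of the general purpose flag: encrypted
                    reasons.append(f"password-protected member {info.filename} in {filename}")
                    continue
                reason = classify_name(info.filename)
                if reason:
                    reasons.append(f"archive {filename} contains {reason}")
    except zipfile.BadZipFile:
        reasons.append(f"{filename} is not a valid zip archive")
    return reasons


def triage(raw_message):
    """Return ('deliver' | 'quarantine', [reasons]) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_name(name)
        if reason:
            reasons.append(reason)
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if ext in ARCHIVE_EXT:
            reasons.extend(inspect_archive(name, part.get_payload(decode=True)))
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample():
    """Constructed phishing-style message: a disguised exe plus a zip holding a .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.js", "/* constructed placeholder, not real code */\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary message with a plain PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "bob@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign()):
        verdict, why = triage(raw)
        print(verdict, why)
```

Name-based rules are only the first layer; a real gateway also checks content type against the declared extension and detonates unknown binaries in a sandbox. The archive branch matters because a zip is the usual wrapper for an executable, and a password-protected zip, which cannot be inspected, is a common way around filters, so the filter treats it as a reason to hold the message rather than as unknown.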
Understanding how they work, how they spread, and how to defend against them is crucial for businesses and individuals alike.
Webz.io is a trusted resource for monitoring these kinds of cyber threats. By keeping an eye on the dark web and other bad actor networks, Lunar can detect any organization’s credentials as soon as they’re compromised, providing each business with a way to stay one step ahead. Want to learn more about how Lunar can protect your business from InfoStealers and other types of threats?