Join our webinar hosted by Cyberint's CEO

Research

Info Stealers Ecosystem Introduction

Introduction

Info Stealers are one of the most popular malware types being used in the wild today. This type of threat is focusing mostly on personal information stored in the victim’s machine such as:

  • Stored sessions and cookies
  • Saved passwords
  • Cryptocurrency wallets
  • Credit cards
  • Configured files types (pictures, documents, etc.)
  • FTP connections
  • Direct messaging applications sessions (Telegram, WhatsApp, etc.)
  • OS information
  • Machine credentials
  • Geolocation
  • Screenshots

Given that the info stealer industry is on a major rise since 2020, new threat actors and products are constantly introduced while adding new and improved features such as using the info stealer as a loader or a Remote Access Tool (RAT), improving password’s reliability with support for 2FA, undetected communications with C2s and so on.

Example of information collected from an infected machine by an infostealer malware
Example of information collected from an infected machine by an infostealer malware

Info Stealers Developers’ Business Model

The business model of most info stealers is Malware-as-a-Service (MaaS), which includes C2 infrastructure, a web panel, or a dedicated Telegram channel, as well as cryptors, which is a piece of software offering methods for packing and encrypting the stealer’s file in order to evade the basic protections layers such as Windows Defender, etc.

Popular info stealers’ prices vary between $100 and $300, paid with cryptocurrency.
A threat of this nature is so popular given the fact that even an intermediate or amateur threat actor can purchase the product, with an additional cost for delivery, and can manage their own campaign successfully.

Advertisement for the Raccoon Info Stealer - promoting its capabilities and purchase methods
Advertisement for the Raccoon Info Stealer – promoting its capabilities and purchase methods

Credential Sellers

In most cases, info stealers’ campaigners use the information they obtain from their info stealers to resell later in dedicated forums and on Telegram channels.

Newcomers often advertise their findings and sell their logs in underground forums such as Breached.co, XSS, Genesis, Russian Market, 2easy, etc. (Figure 2)

Infected machine credentials offered for sale via the Russian Market Onion for $10 detailing all the harvested accounts (as collected in Cyberint’s Argos)
Infected machine credentials offered for sale via the Russian Market Onion for $10 detailing all the harvested accounts (as collected in Cyberint’s Argos)

The veterans, however, tend to sell their logs on private Telegram channels after providing samples in underground forums.

Interested parties can approach the seller and buy the relevant account information, paying in cryptocurrency. In most cases the seller will remove the specific post and will not sell it to more than one buyer, to verify that the purchased credentials are not being used by more than one attacker.

Example of Office 365 login credentials collected by info stealer malware
Example of Office 365 login credentials collected by info stealer malware

Infostealer Delivery Methods

Most info stealers developers and sellers do not provide a delivery method, leaving this to the threat actors purchasing the stealer decision. Given that, threat actors constantly looking for new ways to apply social engineering techniques in order to distribute and deliver the various stealers. Among the delivery methods there are Malspam and community-based distribution methods.

C2 Infrastructure

Each stealer has its own implementation for its C2 infrastructure.

C2 infrastructure can vary depending on the info stealer family and the sophistication level of its developers. The most common infrastructure in most families is based on the classic HTTP servers model. over the past two years we have seen cases in which some families use direct messaging applications such as Telegram. Another model is the Tor Network and specially crafted network protocols for communicating with the C2

Popular Stealers

The most popular info stealers in the threat landscape as of now are Redline Stealer, Raccoon and Vidar, while the latter is pretty “seasonal” and changes often.

Redline Stealer

First observed in 2020 and advertised as a MaaS threat or as a standalone version on various cybercriminal forums, Redline is an information stealer that mainly targets Windows victim credentials and cryptocurrency wallets.

Redline is currently the most popular by far of all the info stealers due to its ongoing development, competitive price, simplicity, high success rate, solid C2 infrastructure using a unique combination method that is not straightforward to detect, and overall, being a brand name in the info stealers industry.

Redline Stealer Telegram channel
Redline Stealer Telegram channel

Raccoon Stealer

First observed in 2019 and advertised as a MaaS threat on various cybercriminal forums, Raccoon is an information stealer targeting victim credentials and cryptocurrency wallets. When it comes to unique features, Raccoon does not have anything to offer that Redline doesn’t, but it is more user-friendly and offers a great platform (Figure 4) for less sophisticated threat actors or beginners who would like to gain a foothold into the info stealers industry.

Raccoon Control Panel
Raccoon Control Panel

Vidar Stealer

First seen in October 2018, Vidar is a descendent of the former Arkei Stealer, which currently looks like one of the most popular stealers due to its simplicity, dynamic configuration methods, and ongoing development. Vidar is on sale for $150-750, mainly in underground forums and on various Telegram channels.

Infostealers are gaining popularity as an attack tool and with almost 6 billion leaked credentials in 2021 alone, they have undoubtedly become yet another serious risk to most organizations. Only by gaining immediate visibility into the leaked data organizations can mitigate and remediate account take over and breaches in earlier stages, avoiding fraud and other malicious attacks.

Cyberint leverages autonomous discovery of leaked credentials from an unparalleled array of sources to allow cybersecurity teams to effectively detect both employees’ and customers’ leaked credentials, prevent account takeovers, and protect their brand.

 

Are your organization’s credentials exposed?
Get a Digital Risk Snapshot to find out!

 

Uncover your compromised credentials from the deep and dark web.

Fill in your business email to start.