Incidents involving infostealers have more than doubled in Q1 2023 compared with the same time period last year, and are attacking three major platforms: Windows, Linux and the macOS.
In a study released July 26 by Uptycs, the researchers said most of these malware authors are using Telegram as a platform for command-and-control (C2) and data exfiltration.
Infostealer malware targets victims by stealing sensitive information that can include passwords, login credentials and other personal data. After collecting the data, the stealer sends it to the threat actor’s C2 system.
In examining the dark web, Uptycs found that RedLine has become the prominent infostealer in the marketplace with a 56% market share, followed by Raccoon (15%) and the RecordBreaker stealer. Newcomer Meta (11%), Vidar (10%), Cryptbot, and AZORult are additional information stealers used in 2022.
Infostealers are primarily sold on cybercrime forums. Along with being sold on Telegram, their logs are also sold on other instant messaging platforms such as Discord. Stealer and log prices generally range between $200 to $300 a month, or around $1,000 for a lifetime subscription
According to Uptycs, one of the most prominent 2022 attacks targeted Uber’s systems. A threat actor used the Racoon infostealer to break through the ride-share company’s defenses, sending a fake two-factor authentication notification urging victims to click a link to verify a request. Once a user’s system was compromised, the attacker used the company’s VPN to access internal network resources. After gaining access to the Uber’s access management service, they used it to escalate account privileges and claimed access to several Uber resources, including AWS, Duo, GSuite, OneLogin, Slack, VMware and Windows.
Rise of infostealers coincides with extortion?
Infostealer malware may be flourishing because extortion has been thriving, said Timothy Morris, chief security advisor at Tanium. Morris said extortion has become more lucrative and simpler than ransomware.
“Most people think of extortion as holding data of an enterprise hostage, or threats of leaking the stolen data during or after a ransomware attack,” explained Morris. “That’s typical second-level extortion. The third level are the threats to leak the data of the individuals or entities contained within the data that has been exfiltrated. This third layer of extortion can be arrived at by simply stealing the information, which infostealer malware is good and mature at doing."
There’s no doubt we’re seeing more information stealing malware, but there’s been an uptick in cybercriminal activity overall, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said whether this rise in infostealers becomes part of the overall trend, a fluctuation relative to other malware activity like ransomware and spyware, or a genuine increase in this specific threat, it’s hard to say without more research.
“It’s always hard to predict how malware will evolve over time, however, it’s a safe bet that attacks on the users themselves will remain a priority,” said Parkin. “Historically, user errors have been more of a risk than technical issues. Zero-day attacks get the headlines when they happen, but users falling for phishing attacks or other social engineering attacks happen every day without fail.”
