The market for stolen data logs is booming and information stealing malware is becoming “a natural choice” for cybercriminals seeking a quick way to infiltrate businesses, according to new research from Secureworks.
Infostealers pilfer login credentials, financial details, and personal data from infected computers and networks, and a report published Tuesday by the vendor’s Counter Threat Unit claims the tools are becoming more sophisticated and harder to detect, posing a growing challenge for defenders of corporate networks.
Threat groups package and sell the exfiltrated data as logs which can be used to break into enterprise networks via remote access services, like virtual private networks (VPNs) and Microsoft Office Web Access (OWA).
Secureworks research found that since June 2021, the number of logs for sale on Russian Market – the largest dark web market for infostealer logs, - was up 670%. It grew by 150% from June 2022, when there were 2 million logs for sale on a single day, to 5 million in late February 2023.
“Coordinated global action by law enforcement is having some impact, but cybercriminals are adept at reshaping their routes to market,” said Don Smith, vice president for threat research at SecureWorks.
Despite multiple arrests and the takedown of 11 domains associated with Genesis Market last month, the Tor site remained operational with logs still available for sale. Activity had slowed, however, and criminals had been observed on underground forums discussing their concerns about using the market.
Telegram has been a beneficiary of this, with more buying and selling of logs for popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer shifting to dedicated Telegram channels, Secureworks found.
The malware is also becoming cheaper and easier for relatively inexperienced cybercriminals to use, and the popularity of working from home and bring your own device (BYOD) policies have led to a surge in opportunities for corporate assets to be infected by personal devices. Many underground forums sell the tool as part of a monthly subscription package for prices that range between $50 and $1,000 per month.
“Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetize that access,” said Smith. “They are readily available for purchase, and within as little as 60 seconds generate an immediate result in the form of stolen credentials and other sensitive information.”
Smith said the innovative ways criminals were finding to trick users into installing the malware, such as via fake messaging apps and cloned websites, “has really changed the game.”
Secureworks said the growing popularity of malware-as-a-service within the criminal underworld had sparked innovation among developers to improve their products and appeal to a wider range of customers.
For example, Russian Market started offering users the option to pre-order stolen credentials for a specific organization, business, or application. While there were no guarantees pre-orders would be fulfilled, buyers who deposited $1,000 into the site’s escrow system could request credentials based on a specified domain name.
The SecureWorks report claims the use of infostealers is now so widespread, an entire secondary market has popped up for individuals who can parse raw log data into common or usable formats for a fee.
“What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low-skilled threat actors to get involved,” Smith said.
Because of their ability to discreetly and efficiently exfiltrate sensitive data from targeted systems, the tools are also popular with state-sponsored threat groups that focused on cyberespionage operations.
During the war in Ukraine, Russian threat actors had deployed the Graphiron infostealer to target Ukrainian organizations. Chinese state-sponsored threat groups had also been observed using infostealers.
Smith said there were a range of measures organizations could take to reduce the risk of data theft.
“Ensuring that you implement multi-factor authentication to minimize the damage caused by the theft of credentials, being careful about who can install third-party software and where it is downloaded from, and implementing comprehensive monitoring across host, network and cloud are all key aspects of a successful defense against the threat of infostealers.”