What is InfoStealer Malware and How Does It Work
United IT Consultants
Cyberattacks are systematic, following specific phases outlined in models such as Lockheed Martin's Cyber Kill Chain, which includes reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. The MITRE ATT&CK framework similarly maps attacker tactics and techniques.
After unauthorized access, attackers establish a foothold during installation and maintain access through command and control (C2). Middle stages often involve InfoStealer malware, which extracts sensitive information for extortion or sale on the black market. This stolen data, including credentials, can further the attacker's access to other systems.
This article offers a thorough examination of InfoStealer malware, detailing its targets, operations, and prominent strains. Understanding InfoStealer's role equips organizations to better confront modern cyber threats.
What is InfoStealer Malware?
InfoStealer malware is crafted to collect sensitive data from infected systems, including personal, financial, and business information like passwords and credit card numbers. This stolen data is then transmitted to cybercriminals for various nefarious purposes, such as financial gain or identity theft.
InfoStealers typically infiltrate systems through phishing emails, malicious attachments, or compromised websites. Once installed, they operate discreetly, making detection challenging. They employ tactics to evade detection, persist in the system, identify valuable targets, and enable remote control by attackers. Advanced InfoStealers can even adapt by importing specific payloads to gather targeted information.
How InfoStealers Work
InfoStealer malware targets and extracts specific data from infected systems using various techniques. These methods range from simple scripts to sophisticated modular malware, and can also include abuse of native OS tools (living-off-the-land, or LOTL, attacks).
Here's a breakdown of common InfoStealer methods:
- Keylogging: Records keystrokes to capture passwords, credit card details, and other sensitive information.
- Form Grabbing: Intercepts data submitted in web forms before it’s encrypted, effectively stealing login credentials and payment information.
- Clipboard Hijacking: Monitors and modifies clipboard content, stealing copied data like account numbers or auto-filled passwords.
- Screen Capturing: Takes screenshots at critical moments to capture displayed information, bypassing text-based data extraction limits.
- Browser Session Hijacking: Steals cookies and session tokens to impersonate the victim’s online sessions, gaining access to accounts without credentials.
- Credential Dumping: Extracts and attempts to crack encrypted login data stored on the system.
- Man-in-the-Browser Attacks: Injects malicious code into the web browser to intercept and manipulate information in real-time.
- Email Harvesting: Collects email addresses and contact information from stored files and emails for spamming or phishing.
- Crypto-Wallet Harvesting: Searches for crypto-wallet software to steal private keys and transfer cryptocurrency to attacker accounts.
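Several of the methods above (credential dumping, browser session hijacking, crypto-wallet harvesting) share one observable: a process that is not a browser or wallet application reads the files where browsers and wallets keep credentials, cookies and keys. The following detection routine is an added example written for this article, not code from United IT Consultants or from any of the malware families it names. It scans file-access events for that pattern. The event format, the user, the process names and the file paths in the sample are constructed for the example; the allowlist of browser process names and the list of sensitive-store paths are assumptions a real deployment would tune to its own environment and EDR telemetry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of file-access events (not real telemetry), one per line:
#   <timestamp> user=<user> proc=<process> pid=<pid> op=<op> path=<path>
# chrome.exe reading its own stores is normal; invoice_viewer.exe (a hypothetical
# dropper name) reading Chrome, Firefox and wallet files is the InfoStealer pattern.
SAMPLE_EVENTS = """\
2024-05-01T10:02:11Z user=alice proc=chrome.exe pid=4120 op=read path=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2024-05-01T10:02:12Z user=alice proc=chrome.exe pid=4120 op=read path=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
2024-05-01T10:05:40Z user=alice proc=invoice_viewer.exe pid=7788 op=read path=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2024-05-01T10:05:41Z user=alice proc=invoice_viewer.exe pid=7788 op=read path=C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc123.default\\logins.json
2024-05-01T10:05:42Z user=alice proc=invoice_viewer.exe pid=7788 op=read path=C:\\Users\\alice\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco
2024-05-01T10:07:00Z user=alice proc=notepad.exe pid=5001 op=read path=C:\\Users\\alice\\Documents\\notes.txt
"""

# Assumed locations of the data stores InfoStealers go after (lower-cased substrings).
SENSITIVE_STORES = {
    "browser_credentials": ("\\login data", "\\logins.json", "\\key4.db"),
    "browser_cookies": ("\\cookies",),
    "crypto_wallet": ("\\exodus.wallet\\", "\\wallet.dat", "\\electrum\\wallets\\"),
}

# Assumed allowlist: processes expected to read their own credential stores.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"op=(?P<op>\S+) path=(?P<path>.+)$"
)


@dataclass
class Alert:
    proc: str
    pid: int
    user: str
    categories: tuple   # sorted store categories the process touched
    paths: list         # the sensitive paths it read
    severity: str       # "high" if more than one category, else "medium"


def parse_events(text):
    """Parse the constructed event format into dicts; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events


def classify_path(path):
    """Return the set of sensitive-store categories a path falls into (empty if none)."""
    lower = path.lower()
    return {cat for cat, needles in SENSITIVE_STORES.items()
            if any(n in lower for n in needles)}


def detect_store_access(events):
    """Group sensitive-store reads by non-browser (proc, pid) and raise one alert per process.

    A process that reaches into more than one store category in its lifetime looks like
    harvesting rather than an isolated read, so it is rated "high".
    """
    touched = defaultdict(lambda: {"user": None, "cats": set(), "paths": []})
    for ev in events:
        if ev["proc"].lower() in BROWSER_PROCESSES:
            continue  # browsers reading their own stores are expected
        cats = classify_path(ev["path"])
        if not cats:
            continue
        entry = touched[(ev["proc"], ev["pid"])]
        entry["user"] = ev["user"]
        entry["cats"] |= cats
        entry["paths"].append(ev["path"])

    alerts = []
    for (proc, pid), e in touched.items():
        cats = tuple(sorted(e["cats"]))
        severity = "high" if len(cats) >= 2 else "medium"
        alerts.append(Alert(proc, pid, e["user"], cats, e["paths"], severity))
    return sorted(alerts, key=lambda a: (a.severity != "high", a.proc, a.pid))


if __name__ == "__main__":
    for alert in detect_store_access(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert.severity}] {alert.proc} (pid {alert.pid}, user {alert.user}) "
              f"read {', '.join(alert.categories)}: {len(alert.paths)} file(s)")
```

On the sample, chrome.exe is skipped by the allowlist, notepad.exe touches nothing sensitive, and invoice_viewer.exe is reported once at high severity for reading both browser credential stores and a wallet file. Two caveats a practitioner would apply before relying on this: an allowlist keyed on the process name alone is trivially satisfied by a renamed binary, so production logic should match on the signed image path or code-signing identity instead, and the store paths here are only the common defaults, so the list needs to cover whichever browsers, password managers and wallet applications are actually deployed.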
The Most Prolific Strains of InfoStealer Malware
Estimating the exact number of InfoStealer malware strains is challenging due to their evolving nature. However, experts agree that there are hundreds, if not thousands, of strains.
Here are some of the most notable:
- Zeus (Zbot): A notorious InfoStealer targeting financial information since 2007. It is known for banking fraud, forming botnets, and using stealth techniques to evade detection.
- Ursnif (Gozi): Active for over a decade, Ursnif is a banking Trojan that steals various data types, including banking credentials and PII. It spreads through exploit kits and phishing emails.
- Agent Tesla: Identified around 2014, this spyware functions as a keylogger and remote access Trojan (RAT). It captures keyboard inputs, clipboard data, screenshots, and credentials from installed software. Distributed via malicious email attachments.
- LokiBot: Detected in 2015, LokiBot steals credentials, cryptocurrency wallets, and other data across multiple platforms. It also downloads and executes additional malicious payloads. Spread through phishing emails, malicious installers, and compromised websites.
- TrickBot: Originally a banking Trojan in 2016, TrickBot has evolved into a multi-purpose malware capable of launching ransomware attacks and providing remote access to infected systems. It spreads through malspam and exploits network vulnerabilities.
- Raccoon Stealer: Emerged in 2019, this malware is easy for low-skilled attackers to use. It steals credentials, web session cookies, credit card data, and cryptocurrency wallet keys. Distributed via malicious email campaigns and exploit kits.
- RedLine Stealer: First observed in 2020, this malware steals passwords, credit card information, and other sensitive data from web browsers. It also collects system details for secondary attacks. Spread through phishing, malicious ads, and bundled with cracked software.
Conclusion:
InfoStealers are a specific type of malware proficient in extracting sensitive information from compromised systems, and they typically operate during the mid-stages of cyber attacks. They target personal and financial data as well as credentials, which attackers reuse for lateral movement or extortion. Understanding InfoStealer malware is vital for organizations aiming to bolster their defense strategies against evolving cyber threats.