Infostealers: What they are, how they spread and how to stop them
Think about all the information stored on your computer. Your passwords. Your credit card details. Your browser history.
Now, imagine someone (or something) trawling through all that information and extracting the most valuable data.
That’s an infostealer. An infostealer is a type of malicious software that tries to steal your sensitive information, which threat actors can sell on the black market or use to launch additional cyberattacks.
In this blog post, we’ve rounded up everything you need to know about infostealers, including what they are, how they spread, and how to stop them.
What is an infostealer?
As the name implies, an infostealer is a type of malware designed to harvest sensitive data from a compromised system. The stolen data is sent to an attacker-controlled server and often sold on the black market to other threat actors, who may use the information to commit fraud or gain unauthorized access to various resources and assets.
Infostealers can extract a wide range of data from an infected machine, including:
- Credentials used for online banking, email accounts, social media sites, and FTP services.
- Credit card details.
- Emails.
- Hardware information.
- Operating system information.
- Cryptocurrency wallets.
- Screenshots.
- Specific file types (commonly images, documents, spreadsheets, etc).
Infostealers usually operate as malware-as-a-service (MaaS), a business model in which the developers of malicious software lease their malware to others for a fee. This arrangement allows almost anyone to deploy an infostealer, regardless of their technical aptitude.
Infostealers can vary in functionality and use different methods to extract data. Some focus exclusively on harvesting data, while others provide remote functionality that allows threat actors to drop and execute additional malware on the compromised system.
Why do threat actors use infostealers?
Infostealer attacks are typically financially motivated. The stolen data is analyzed and any valuable information is collated and organized into a database, which can then be sold on the dark web or through private Telegram channels. Buyers may use the information to commit various types of fraud, such as applying for bank loans or credit cards, purchasing items online, or making fraudulent health insurance claims. Buyers may also use compromised login credentials to gain entry to corporate accounts and remote services. Once access has been obtained, threat actors can easily use the hacked account’s privileges as a starting point to initiate further malicious activity.
Infostealers are also commonly deployed in ransomware campaigns. It has become increasingly common for ransomware operators to spend significant amounts of time in the target environment before deploying the final ransomware payload. During this time, they may use a variety of techniques to gain a firmer foothold, which often includes the deployment of infostealers. Harvesting credentials may enable threat actors to move laterally and escalate permissions, while stealing machine-specific data – IP addresses, country, ISP, operating system, browser information, and so on – can help them tailor the attack to the environment to inflict maximum damage.
How do you get infected with an infostealer?
Threat actors may use a variety of attack vectors to distribute infostealers. Some of the most common infection methods include:
- Spam: Threat actors commonly deliver infostealers via email, often under the guise of a legitimate organization. The infostealer may be attached directly to the email, or the recipient may be encouraged to click on a malicious URL that directs the user to a download of the malware. Spam emails are typically distributed en masse although in some cases they can be tailored to a specific group or individual.
- Compromised system: As noted above, infostealers are often deployed remotely after threat actors have gained access to the target system. See this blog to learn more about how attackers evade security solutions.
- Malvertising: Websites compromised by exploit kits are commonly used to serve malicious advertisements. Clicking on the ad may execute malicious code that installs an infostealer, or it may redirect the user to a malicious website where the malware can be downloaded. In some instances, simply viewing the malvertisement can be enough to trigger the download of an infostealer.
- Pirated software: It’s not uncommon for hacking groups to bundle malware with pirated software downloads. Just about every type of malware has been distributed through pirated software at some point, including infostealers.
How to protect your system from infostealers
The following practices may help reduce the risk of getting infected with an infostealer.
- Think twice before clicking: Most infostealers spread through user-initiated actions like opening a malicious email attachment or downloading a file on a malicious website. As such, one of the most effective ways to avoid infostealers is to think twice before clicking. Don’t open unsolicited email attachments, be wary of emails that don’t address you by name, and hover over URLs to ensure the target address matches the linked text.
- Install updates: Some infostealers are distributed by exploiting known browser vulnerabilities. This attack vector can be mitigated by applying updates for your browser, operating system, and other applications as soon as they’re available.
- Secure your browser: Reduce the risk of getting infected with an infostealer and other types of malware by securing your browser. Emsisoft Browser Security, for example, is a lightweight browser extension that blocks access to websites that distribute malware and prevents phishing attacks.
- Use multi-factor authentication: MFA provides an extra layer of security that can help prevent unauthorized access to accounts, tools, systems and data repositories. Even if a threat actor manages to steal your login credentials, they may not be able to provide the secondary piece of authentication required to access the compromised account.
- Avoid pirated software: It’s not uncommon for pirated software to come laden with various forms of malware. So, stick to legitimate applications. These days, there are so many free, freemium, and open-source alternatives that there’s no need to roll the dice on pirated software.
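The "hover over URLs" advice above can be automated for a whole HTML email body. The following is an added example (not code from the original post or from Emsisoft): a small parser built on Python's standard-library html.parser that extracts every link, and flags any anchor whose visible text names one host while the href points at a different one. The sample email body, host names and the loose "last two labels" domain comparison are constructed assumptions for this example.

```python
"""Flag HTML links whose visible text names one host but whose href points to another.

Added example (not from the original post): performs the "hover over the link"
check over an entire HTML email body. The sample email below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Something that looks like a hostname inside the anchor text, e.g. "www.example-bank.com"
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def _registrable(host: str) -> str:
    """Crude comparison on the last two labels (example-bank.com).
    Assumption: no public-suffix list, so co.uk-style domains compare loosely."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkAuditor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> list:
    """Return links whose anchor text names a host that differs from the href host."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        match = HOST_IN_TEXT.search(text)
        if not match or not href_host:
            continue  # text like "click here" carries no host claim to compare against
        text_host = match.group(1)
        if _registrable(text_host) != _registrable(href_host):
            findings.append({"text": text, "href": href,
                             "text_host": text_host, "href_host": href_host})
    return findings


# Constructed sample: one honest link, one whose text and target disagree, one plain label.
SAMPLE_EMAIL = """
<p>Your statement is ready at
<a href="https://www.example-bank.com/login">www.example-bank.com</a>.</p>
<p>Or verify your account at
<a href="http://login.example-bank.com.evil.invalid/x">https://login.example-bank.com</a></p>
<p><a href="https://downloads.invalid/file.exe">click here</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text says {f['text_host']} but link goes to {f['href_host']} ({f['href']})")
```

Links whose text is a plain label ("click here") are deliberately skipped: there is no claimed host to compare, so such links still need the manual hover check the post describes.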
There are many different infostealer families. Below are some of the most popular.
RedLine Stealer
RedLine is one of the most popular infostealers in the world. First observed in 2020, RedLine targets the Windows operating system and is typically distributed on underground Russian malware forums, where it can be purchased as a standalone application or on a subscription basis.
RedLine attempts to exfiltrate a wide range of data from the victim machine, including data from web browsers, FTP clients, instant messaging services, cryptocurrency wallets, VPN services, and gaming clients. Once RedLine has established a connection with its command and control server, it can be used to remotely perform additional functions, including downloading files, running portable executable files, executing requests via CMD.exe, and more.
Raccoon Stealer
First observed in 2019, Raccoon Stealer is an infostealer that extracts data relating to crypto wallets, browser cookies, passwords, browser autofill information, and credit cards. It operates as a MaaS and is primarily distributed through phishing campaigns and exploit kits. The Raccoon Stealer operation shut down in March 2022, possibly due to one of the lead developers being killed in the Russia-Ukraine conflict. However, in early July 2022, a new variant of the malware was released, this time written in C (unlike the previous versions, which were written in C++).
Interestingly, the new version of Raccoon Stealer sends data each time it steals a new item. This flies in the face of conventional data exfiltration practices: typically, threat actors collect data in bulk and transfer it all at once in order to reduce the risk of detection. This, coupled with the fact that Raccoon Stealer 2.0 uses no anti-analysis or obfuscation techniques, suggests that the developers are more concerned about speed than subtlety.
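Sending data item by item rather than in bulk leaves a characteristic trace on the wire: a drip of many small uploads to one destination in a short window. The following is an added example (not code from the original post or from Emsisoft) of a detection heuristic for that pattern, run over constructed proxy-style log lines. The log format, field layout, thresholds and host names are assumptions chosen for this example and are not indicators for Raccoon Stealer or any other family.

```python
"""Flag clients that send many small uploads to the same destination in a short window.

Added example (not from the original post). The log lines below are constructed;
the "timestamp client method host bytes_sent" layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 POST cdn.example.net 512
2024-05-01T10:00:03 10.0.0.5 POST cdn.example.net 430
2024-05-01T10:00:04 10.0.0.5 POST cdn.example.net 601
2024-05-01T10:00:06 10.0.0.5 POST cdn.example.net 388
2024-05-01T10:00:07 10.0.0.5 POST cdn.example.net 455
2024-05-01T10:00:09 10.0.0.5 POST cdn.example.net 702
2024-05-01T10:00:02 10.0.0.7 GET www.example.org 0
2024-05-01T10:00:05 10.0.0.7 POST www.example.org 1200
2024-05-01T10:05:00 10.0.0.9 POST backup.example.com 50000000
"""


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, host, size = parts
        try:
            records.append({
                "ts": datetime.fromisoformat(ts),
                "client": client, "method": method,
                "host": host, "bytes": int(size),
            })
        except ValueError:
            continue
    return records


def find_upload_bursts(records, window=timedelta(seconds=30),
                       min_requests=5, max_bytes=4096):
    """Return (client, host, count) for every client/host pair that made at least
    `min_requests` small POSTs (each <= max_bytes) inside some `window`.

    A sliding window over sorted timestamps: one large backup upload or a couple of
    ordinary form posts do not trigger; a drip of small uploads does.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["bytes"] <= max_bytes:
            by_pair[(r["client"], r["host"])].append(r["ts"])

    alerts = []
    for (client, host), times in by_pair.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_requests:
            alerts.append((client, host, best))
    return alerts


if __name__ == "__main__":
    for client, host, n in find_upload_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {client} -> {host}: {n} small POSTs within 30s")
```

The thresholds (five uploads of at most 4 KiB within 30 seconds) are a starting point, not tuned values: legitimate telemetry and chat clients also produce small periodic POSTs, so in practice the rule is paired with destination reputation or with a per-host baseline of what each client normally sends.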
Vidar Stealer
Vidar is a popular type of infostealer that is capable of stealing a range of sensitive data, including banking information, login credentials, IP addresses, browser history, and crypto-wallets. A fork of the Arkei malware family, Vidar was first identified in 2018 and has remained a popular infostealer thanks to its ease of use, ongoing development, and active support channels. Vidar is customizable, allowing threat actors to specify the kind of data they wish to steal.
Conclusion
Infostealers are capable of harvesting a broad range of sensitive information, which threat actors can sell or use to execute additional attacks. They are typically distributed through spam, malvertising, compromised accounts, and pirated software. Being careful with your clicks, keeping your browser up to date, and enabling MFA can help reduce the risk of infection and limit the impact of an attack.