This guest blog was written by Ryan Bell, Threat Intel Manager, Corvus Insurance
Enterprise security teams from the CISO to security analysts have an enormous scope of threats to monitor in order to protect their organizations. In 2024, it’s imperative they add mitigating infostealer malware to the list. Infostealer malware, a type of malicious software that enables attackers to extract sensitive information from compromised systems, can gain access to computers and operate in the background undetected.
According to a new IBM X-Force Report, infostealer malware activity increased 266% in 2023, with malware designed to steal personally identifiable information (PII) such as email, social media and messaging app credentials, banking details, crypto wallet data and more. While the theft of PII is daunting on its own, the larger concern is that these attacks are often a precursor to a larger attack such as ransomware. This is not your run-of-the-mill malware. When a persistent threat actor is bent on using the stolen information to make a bigger impact, the results are often catastrophic. Oftentimes these bad actors sell the harvested information on the dark web, where PII is bought and sold on a regular basis. Ransomware groups that don’t want to use infostealer malware themselves can resort to paying for stolen credentials. In fact, infostealer ads are steadily increasing. According to Mandiant (part of Google Cloud), there was a 60% increase in infostealer advertisements on criminal marketplaces between 2021 and 2022. There is no doubt that personal credentials are the front door to inflicting more harm.
Infostealer Malware Spurs Large Attacks
We’ve already seen infostealer malware at the root of several substantial attacks in 2024. In January, a threat actor gained access to an administrative account for a large network provider, Orange Spain. In particular, they gained access to Orange's RIPE Network Coordination Centre (NCC) account that controls how internet traffic flows. The threat actor was able to modify the autonomous system (AS) number belonging to Orange’s IP address. A weak password exposed by infostealer malware was blamed for the massive outage which disrupted approximately 50% of its network's traffic. Cybercrime intelligence company Hudson Rock noted that the attack illustrated how a single infostealer infection can be detrimental to any company. In another instance, threat actors leveraged multiple GitHub repositories containing cracked software to distribute RisePro infostealer malware. According to Ars Technica, GitHub’s site was flooded with millions of code repositories containing obfuscated malware that steals passwords and cryptocurrency from developer devices. Cybersecurity company G Data CyberDefense identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors.
Common Techniques and Infection Methods
Infostealer malware can use a number of methods to obtain PII. These include keylogging, web form grabbing, credential theft, session hijacking and screen capture. Historically, cybercriminals have distributed infostealer malware through email attachments and what are called “drive-by downloads.”
Phishing emails are common: they are designed to look like legitimate emails and often contain attachments disguised as important documents such as an invoice. Once the recipient opens the attachment, the malware infects the system, allowing it to gather sensitive information. Infostealer malware can also be delivered through compromised websites or advertisements (drive-by downloads). When users visit these sites or click on infected ads, the malware is automatically downloaded onto their devices without their knowledge or consent. For example, attackers can abuse Google or Bing advertising features so that malicious sites appear first in the search engine results. Outdated software or vulnerabilities in web browsers make users particularly vulnerable to these types of attacks.
Infostealer operators aren’t neglecting AI applications as the adoption of GenAI and ChatGPT increases. According to Kaspersky Digital Footprint Intelligence, in 2023, the number of OpenAI users' stolen credentials increased 33-fold compared to the previous year, as 664,000 records with logins and passwords, including those for ChatGPT, were posted on the dark web.
Preparing and Protecting the Enterprise
The use of infostealer malware is showing no signs of slowing. It is imperative that businesses take necessary proactive security measures. Some of these protocols may seem basic, but they are often the easiest way to protect against infostealer malware that is focused on harvesting sensitive information by any means possible.
Security measures include:
Email Security: Use a reliable email security provider to block any malicious email attachments that might contain infostealer malware.
Strong Multi-factor Authentication (MFA): Enable strong multi-factor authentication. Since many infostealers steal session cookies, it’s key to use modern phishing-resistant forms of MFA.
Endpoint Detection and Response (EDR): Deploy reputable EDR solutions to detect and block infostealer malware and subsequent malicious activities.
Leveraging Passkeys: Infostealers target user credentials. Passkeys provide a more secure and convenient way to authenticate. They are phishing-resistant, so attackers can no longer trick users into giving up their passwords, and there is no way for attackers to bypass their security.
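The session hijacking named under "Common Techniques" and the session-cookie theft that the MFA recommendation above warns about share one detectable symptom: a session identifier issued to one browser starts arriving from a different client. The following Python script is an added example written for this post, not code from the author or from Corvus Insurance. It runs over a handful of constructed access-log lines (the `session=`, `user=`, `ip=`, `ua=` field layout is an assumption chosen for the example, not any real product's format) and raises an alert the first time a session is presented from an IP address or browser fingerprint other than the one that created it. A changed user agent is treated as higher severity than an IP change alone, since a roaming laptop changes address but rarely changes browser.

```python
"""Flag session cookies that are reused from a different client than the one that logged in.

Added example for this post. Log format and field names are assumptions; the sample
lines below are constructed and do not come from any real system.
"""
import re
from datetime import datetime

# Constructed sample log: alice's session a1b2c3 is later presented from a new IP
# and a different browser; bob's session stays on one client the whole time.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z session=a1b2c3 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122" path=/login
2024-03-01T09:05:12Z session=a1b2c3 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122" path=/mail
2024-03-01T09:07:40Z session=a1b2c3 user=alice ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/115" path=/mail
2024-03-01T09:08:02Z session=a1b2c3 user=alice ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/115" path=/settings/mfa
2024-03-01T10:00:00Z session=d4e5f6 user=bob ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17" path=/login
2024-03-01T10:30:00Z session=d4e5f6 user=bob ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17" path=/files
"""

# Assumed line layout: ISO timestamp, then key=value fields; ua is double-quoted.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_session_reuse(log_text):
    """Alert once per (session, new client fingerprint) seen after the session's origin.

    The fingerprint is the (ip, user-agent) pair. The first request carrying a session
    id defines its origin; any later request with a fingerprint not yet seen for that
    session produces one alert. Severity is "high" when the browser (user agent) differs
    from the origin, "medium" when only the IP address differs.
    """
    origin = {}   # session id -> (first timestamp, ip, ua, user)
    seen = {}     # session id -> set of fingerprints already accounted for
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # skip lines that are not in the expected format
        sid = event["session"]
        fingerprint = (event["ip"], event["ua"])
        if sid not in origin:
            origin[sid] = (event["ts"], event["ip"], event["ua"], event["user"])
            seen[sid] = {fingerprint}
            continue
        if fingerprint in seen[sid]:
            continue  # same client as before, or already alerted on
        seen[sid].add(fingerprint)
        start_ts, origin_ip, origin_ua, user = origin[sid]
        severity = "high" if event["ua"] != origin_ua else "medium"
        alerts.append({
            "session": sid,
            "user": user,
            "severity": severity,
            "origin_client": (origin_ip, origin_ua),
            "new_client": fingerprint,
            "first_seen": event["ts"],
            "seconds_after_login": (event["ts"] - start_ts).total_seconds(),
            "path": event["path"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print(f"[{alert['severity']}] session {alert['session']} for {alert['user']} "
              f"reused from {alert['new_client'][0]} ({alert['new_client'][1]}) "
              f"{alert['seconds_after_login']:.0f}s after login, first on {alert['path']}")
```

On the sample data this yields a single high-severity alert for alice's session, surfacing the reuse within minutes of the original login, which is exactly the window in which a stolen cookie is typically replayed. In production the same logic would bind sessions more tightly by also comparing TLS or device attributes where the platform exposes them, and the natural response action is to revoke the session and require a fresh phishing-resistant MFA challenge.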
As we move through 2024, many businesses are ill-prepared to protect against infostealer malware even though they have all the right tools at their fingertips. While infostealer malware efforts are growing, the tried-and-true security best practices are effective against all types of attacks. Those companies that are taking their vulnerabilities seriously and taking proactive steps will undoubtedly be in a better position to alleviate the risks.