The use of info stealers by cybercriminals presents a threat to the security and wellbeing of Australian organisations. Info stealer infections commonly present as precursor activity to major cyber security incidents, as cybercriminals use them to gather user credentials. These user credentials, especially those providing access to internet-facing remote services or privileged accounts, are then exploited to enable initial access into corporate systems and data.
Stolen valid user credentials are highly valuable to cybercriminals, because they expedite the initial access to corporate networks and enterprise systems. With stolen valid user credentials, cybercriminals can bypass several typical tactics and techniques, including:
- Identifying and researching a target
- Enumerating the target’s network for vulnerabilities
- Developing vectors for initial access, such as:
  - Phishing material
  - Exploitation of software vulnerabilities
  - Targeting remote services, including Remote Desktop Protocol (RDP) or virtual private network (VPN) services
  - Brute force attacks against user credentials (password guessing)
In remote work settings, some employees use personal devices for both work and personal internet browsing. In doing so, employees may opt to store their user credentials in their web browsers’ password stores and extensions, or they may make use of web browser autofill features. Info stealers target these password stores, along with authentication cookies and other personal data within the web browser.
Information stealers have been observed in cybercrime attacks against multiple organisations and sectors worldwide, including Australia. This publication provides readers with cyber security guidance on information stealer malware, including threat activity and mitigation advice for organisations and their employees.
Key Points:
Information stealer malware, also known as info stealers, is a type of malware designed to collect information from a victim’s device. This can include user names and passwords, credit card details, cryptocurrency wallets, local files, and browser data including cookies, user history and autofill form details.
Cybercriminals may seek to purchase and use stolen user credentials associated with corporate accounts to gain initial access to devices of the victim’s employer, their clients and other enterprise systems. Subsequent impact to these organisations can include ransomware, extortion, business email compromise and theft of intellectual property.
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has identified corporate network breaches that originated in employees accessing work resources from compromised personal devices. In multiple instances, cybercriminals gained initial access to corporate networks by using stolen valid user credentials. Our investigations showed that extensive compromises usually occurred after cybercriminals had successfully accessed privileged user accounts.
Organisations that facilitate employees, contractors, managed service providers or other entities to access their network remotely, including with Bring Your Own Device (BYOD) hardware, need to be aware of the risks of info stealers and protect themselves from this threat. Cybercriminals deploy info stealers to victim devices using a wide range of techniques, including phishing emails, pirated software downloads, search engine optimisation (SEO) techniques, malicious advertisements or malicious links posted on social media platforms. In general, devices that are used for both work and personal purposes are at a higher risk of infection via these techniques due to user behaviour and reduced security controls.
Info stealers offer an attractive model for cybercriminals to monetise cybercrime activity, particularly for entry-level cybercriminals and those with limited technical proficiency. Some cybercriminals will market info stealer products under a Malware-as-a-Service (MaaS) style program, charging a monthly subscription fee for their use.
Information Stealer Ecosystem
Stage 1: Acquire the malware
Info stealers are often sold on cybercriminal marketplaces as Malware-as-a-Service (MaaS) or as source code, making them accessible to individuals lacking technical expertise. This subscription-based model allows users to distribute malware and gather stolen information easily. Typically advertised at a low monthly fee, these services offer a dashboard for managing the malware, organising stolen data, and monitoring compromised systems. MaaS providers frequently update features, offer tools, and provide technical support to help users avoid antivirus detection, which increases subscriber retention. Many info stealers also include self-deletion capabilities after exfiltrating data from victims’ devices.
Stage 2: Distribution
Cybercriminals known as ‘Traffers’ distribute info stealers and collect information from compromised devices. They direct victims to malicious links in broad campaigns, relying on opportunistic infections. Some campaigns are tailored to specific industries, involving targeted spear-phishing against specific victims. Traffers deploy info stealers using various techniques, including botnets, phishing, malicious search results, malvertising, cracked or pirated software, social media advertisements, and malicious software updates disguised as web browser updates. These tactics rely on deception to obtain sensitive information, and they lower the barrier to entry for cybercriminals.
Stage 3: Data Harvesting
Once an info stealer executes on the victim’s device, it begins collecting sensitive data from the compromised machine. Apart from stealing user credentials, in cases where info stealers are part of a botnet, cybercriminals can remotely control the compromised device by sending configuration commands to activate additional capabilities or deliver other malware. In general, info stealers are capable of stealing:
- User names and passwords, particularly those stored in web browsers
- Multi-factor authentication (MFA) user sessions / tokens
- Authentication cookies
- Web browser autofill form information
- Email credentials, contents and contacts
- Web browsing history
- User documents
- Credit card details
- Chat logs from desktop messaging apps
- System information
- Cryptocurrency wallets
- VPN or File Transfer Protocol (FTP) credentials
Some web browser authentication cookies keep a user logged into an account or service for multiple days at a time, so that users are not required to re-authenticate. If stolen, these authentication cookies could effectively bypass MFA requirements and provide cybercriminals access into victim accounts, corporate networks and enterprise systems.
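One defensive signal for the cookie-replay scenario described above is a session identifier that suddenly appears from a different client fingerprint than the one that completed the MFA login. The detector below is an added example, not part of the advisory; the log lines and their field layout are constructed for illustration and do not reflect any particular product's schema.

```python
"""Session-cookie replay detector (added example, not from the advisory).
A stolen authentication cookie lets an attacker reuse an already MFA-verified
session, so password and MFA checks never fire. A session identifier appearing
from a different client fingerprint (source IP, User-Agent) than the one that
completed the login is one defensive signal. Log layout below is constructed.
"""
from typing import NamedTuple

# Constructed access-log sample, one event per line:
# timestamp|session_id|user|source_ip|user_agent|event
SAMPLE_LOG = """\
2024-05-01T08:00:00Z|sess-a1|alice|203.0.113.10|Chrome/124 (Windows NT 10.0)|login_mfa_ok
2024-05-01T08:05:10Z|sess-a1|alice|203.0.113.10|Chrome/124 (Windows NT 10.0)|view_mailbox
2024-05-01T13:42:33Z|sess-a1|alice|198.51.100.77|python-requests/2.31|view_mailbox
2024-05-01T09:00:00Z|sess-b2|bob|203.0.113.11|Safari/17 (Macintosh)|login_mfa_ok
2024-05-01T09:30:00Z|sess-b2|bob|203.0.113.11|Safari/17 (Macintosh)|download_report
"""

class Finding(NamedTuple):
    session_id: str
    user: str
    origin_ip: str
    origin_ua: str
    seen_ip: str
    seen_ua: str
    timestamp: str

def detect_session_reuse(log_text: str) -> list[Finding]:
    """Flag session IDs used from a client fingerprint that differs from the
    one that established the session. The first sighting of each session_id
    (in log order) is taken as its legitimate origin."""
    origin: dict[str, tuple[str, str, str]] = {}  # session_id -> (user, ip, ua)
    findings: list[Finding] = []
    for line in log_text.splitlines():
        ts, sid, user, ip, ua, _event = line.split("|", 5)
        if sid not in origin:
            origin[sid] = (user, ip, ua)
            continue
        o_user, o_ip, o_ua = origin[sid]
        # A new source IP or User-Agent on a live session is suspicious;
        # both changing at once is a strong replay indicator.
        if ip != o_ip or ua != o_ua:
            findings.append(Finding(sid, o_user, o_ip, o_ua, ip, ua, ts))
    return findings

if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_LOG):
        print(f"Possible cookie replay: {f.user}'s session {f.session_id} moved "
              f"from {f.origin_ip} ({f.origin_ua}) to {f.seen_ip} ({f.seen_ua}) at {f.timestamp}")
```

In production the same check would key on the session cookie's hash rather than a plaintext ID, and a fingerprint change would trigger session revocation and re-authentication rather than only an alert.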
Stage 4: Data Aggregation and Monetisation
Info stealers are configured to exfiltrate victim information, known as ‘logs’, to malicious command-and-control servers. In general, info stealers leverage popular messaging apps, such as Telegram and Discord, to share a feed of logs with cybercriminals. Specialised marketplaces exist on Telegram and across the dark web for the sale and trade of logs. Cybercriminals monetise the logs in various ways, including:
- Selling logs on criminal marketplaces, including to initial access brokers
- Exploiting the victim directly, via identity theft and extortion
- Leveraging the information for initial access into corporate networks for ransomware activity
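Because the exfiltration stage described above typically rides on the Telegram bot API or Discord webhooks, outbound proxy telemetry is a practical place to look for it. The detector below is an added example, not code from the advisory; the proxy records, field layout and the list of expected processes are constructed assumptions to be tuned for a real fleet.

```python
"""Exfiltration-channel detector (added example, not from the advisory).
Info stealers push harvested 'logs' to the operator through messaging-platform
APIs such as Telegram bots or Discord webhooks. Few processes on a managed
endpoint legitimately POST to those APIs, so a POST from an unexpected process,
or one carrying a large upload, deserves an alert. Records below are constructed.
"""
import re
from typing import NamedTuple

# Constructed web-proxy records: time|host|path|method|process|bytes_out
SAMPLE_PROXY = """\
2024-05-01T10:01:00Z|www.example.org|/|GET|chrome.exe|512
2024-05-01T10:03:12Z|api.telegram.org|/bot<token>/sendDocument|POST|svchost.exe|1834222
2024-05-01T10:04:45Z|discord.com|/api/webhooks/123/abc|POST|updater.exe|2617000
2024-05-01T10:05:00Z|api.telegram.org|/bot<token>/sendMessage|POST|Telegram.exe|140
"""

# (name, host, path pattern) for the bot/webhook APIs the advisory names
CHANNELS = [
    ("telegram-bot-api", "api.telegram.org", re.compile(r"^/bot[^/]+/")),
    ("discord-webhook", "discord.com", re.compile(r"^/api/webhooks/")),
]
# Processes expected to reach these services; an assumption, tune per fleet
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "Discord.exe", "Telegram.exe"}
UPLOAD_THRESHOLD = 1_000_000  # bytes; stealer log bundles are typically large

class Alert(NamedTuple):
    timestamp: str
    channel: str
    process: str
    reason: str

def detect_exfil_channels(proxy_text: str) -> list[Alert]:
    """Alert on each POST to a known exfil channel that comes from an
    unexpected process or exceeds the upload threshold."""
    alerts: list[Alert] = []
    for line in proxy_text.splitlines():
        ts, host, path, method, proc, size = line.split("|", 5)
        for name, chan_host, path_re in CHANNELS:
            if host != chan_host or method != "POST" or not path_re.match(path):
                continue
            reasons = []
            if proc not in EXPECTED_PROCESSES:
                reasons.append(f"unexpected process {proc}")
            if int(size) >= UPLOAD_THRESHOLD:
                reasons.append(f"large upload {size} B")
            if reasons:
                alerts.append(Alert(ts, name, proc, "; ".join(reasons)))
    return alerts
```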
Stage 5: Implications
Info stealers can have severe implications for both individuals and organisations. Where info stealers collect user credentials, cybercriminals may use these user credentials to access corporate networks or enterprise systems with valid user accounts, often delaying detection by system owners.
For organisations affected by info stealers, consequences may include:
- Ransomware
- Data breach
- Business email compromise
- Theft of intellectual property
- Theft of sensitive information
For an individual affected by info stealers, consequences may include:
- Unauthorised access to personal email or social media accounts
- Increased risk of identity theft
- Increased risk of phishing attacks
- Financial loss or unauthorised access to financial accounts
- Loss of privacy
Mitigations:
Organisations may not be able to enforce controls on devices that connect to their corporate network, particularly on personal devices used by employees working remotely. ASD’s ACSC recommends organisations focus on implementing controls to protect themselves from the risk of info stealers targeting user credentials. These mitigations include:
- Provide cyber security awareness training for staff
- Secure corporate accounts
- Harden enterprise mobility
- Review and assess supply chain risks from vendors accessing your networks, including Software-as-a-Service (SaaS) vendors and Managed Service Providers
- Protect your corporate network
- Prepare for a compromise
- Implement ASD’s ACSC’s Essential Eight
- Advice for your employees when working remotely
To know more, contact Cybernetic Global Intelligence’s cyber experts at 1300 292 376 or via email at contact@cybernetic-gi.com, or visit our website at https://www.cyberneticgi.com/.