Info-stealers are malicious software designed to extract sensitive information, such as passwords, from victim systems. Info-stealers have become one of the most discussed malware types in cybercriminal underground forums.
Let’s see how info-stealers have evolved recently to become the threat that they are. Then, we’ll look at a specific stealer freely available as open-source that could be used in future attacks.
Info-stealers are on the rise
Info-stealers have been around for decades. But in the last several years, we’ve seen this way of getting into networks explode. Stolen credentials are a common entry point into corporate networks, often resulting in large ransomware incidents.
For a malicious actor, the process of buying an info-stealer is about as easy as it is for you or me to buy chocolate or a new shirt. There are dozens of them for sale on the dark web, each with unique quirks suited for a large selection of attack types.
An info-stealer can be attached to an email or pirated software. A threat actor can also breach your network through other means and then drop the info-stealer to gather as much information as possible.
Then, what happens to your stolen credentials or other information depends on the threat actors’ “business model.” Some of them steal credentials and then sell them on the dark web. Others deploy ransomware or seek other ways to extract value directly from the affected organization.
A Russian market on the dark web had even started taking requests for “wanted” domains. Threat actors can place a request for a specific domain and have others work on an “initial breach” of that organization. These are called initial access brokers. The dark web markets have really evolved over the last 4-5 years and have started to function with professionalism akin to legitimate businesses.
Stealerium: A highly-advanced info-stealer available on GitHub
One info-stealer that’s unique in that it’s open-source, instead of hidden behind paywalls on the dark web, is Stealerium. Stealerium is an advanced stealer freely available on GitHub, written in the C# programming language. Compared with info-stealers SecurityScorecard researchers have observed in the past, Stealerium steals the most information. Knowing malicious actors as well as we do, we wouldn’t be surprised to see Stealerium used actively in hacking campaigns soon.
When deployed to a victim system, Stealerium logs and extracts information from the host machine. The logs can then be transferred to a Discord channel run by malware operators. Stealerium uses a webhook to connect to the Discord channel and transfer log data.
Stealerium tries to gather as much data as possible that could be stored on the victim’s computer. This may include data such as passwords stored in the browser, history and bookmarks, and cookies. The malware can also collect information from several popular VPN apps.
Image taken from our Detailed Analysis on Stealerium, showing how the malware exfiltrates OpenVPN configuration files
The malware also has keylogging and crypto-stealing capabilities. It can monitor the system clipboard for crypto wallet strings stored in it and replace them with a hardcoded string that matches the malware operator’s crypto wallet, effectively redirecting and intercepting crypto transfers.
Stealerium tries to locate cryptocurrency wallets such as Zcash, Armory, and others in the “%AppData%” folder, and Litecoin, Dash, and Bitcoin wallets in the registry:
How Stealerium tries to locate crypto wallets on a victim system
You can read a full, detailed analysis of Stealerium and its capabilities in our research paper here.
Protecting your organizations from info-stealers
Solid perimeter control is key for protecting against info-stealing attacks. This means preventing spam emails from getting into your employee’s inboxes and stopping employees from downloading stuff while browsing the Web.
Multi-factor authentication (MFA) is also important. Strong passwords are still very necessary, but those extra layers of protection just make it better. The more authentication factors you put in front of your critical assets, the better protected they are.
But none of this guarantees that something won’t get into your network eventually. When something does happen, you need clear visibility into all of your endpoints to detect any suspicious activity, so you can identify and quarantine an affected machine as soon as possible.
You should account for what was stolen during an info-stealing incident. This will likely include any personal information the employee had on the device, as well as corporate secrets. Password resets are necessary to ensure the malware is no longer a threat after being removed from the machine.
Protect your sensitive data with SecurityScorecard
As organizations look to protect sensitive information, they need continuous visibility into their complex IT ecosystems. SecurityScorecard’s security ratings platform offers at-a-glance insight into the effectiveness of your data protection controls. Our platform’s A-F rating scale provides an outside-in view across ten groups of risk factors so that organizations can continuously monitor, remediate, and document their data protection activities.
Understanding how your organization fares against skilled adversaries is key to any security program. Our Active Security services can determine the effectiveness and identify any gaps in your security controls, taking the power of knowledge out of the hands of your attackers and putting it back where it belongs – in your control.
Request your free instant scorecard today and join 24,000+ teams that trust SecurityScorecard to help monitor, mitigate and resolve security risks.
