
Infostealers: investigating the cybercriminal threat within its ecosystem


May 15, 2023

Guillaume GAUTHIER, Network Security Engineer at Squad, discusses a conference on infostealers, malware designed to collect sensitive data for resale. From data theft to resale, the use of this technique is constantly increasing, and you will quickly understand why!

A look back at a conference given by Livia Tibirna, Quentin Bourgue, and Pierre Le Bourhis

Infostealers are malware designed to collect sensitive data, particularly authentication data, and send it to the attacker.

The threat posed by "infostealers" is claiming more and more victims, both individuals and businesses. Although not new, these attacks are becoming increasingly common, due in particular to the democratization of this technique in the Russian-speaking cybercriminal ecosystem and the professionalization of related activities.

Attacker groups structure their various activities, organize themselves into departments, and then pool the information they have gathered in order to better manage the sale of this data.

They even go so far as to offer Malware as a Service (MaaS). These turnkey solutions enable anyone with malicious intent, regardless of their skill level, to carry out attacks.

Attacker groups call on "traffers", individuals with technical expertise who are the real actors behind the threat.

Their role is to generate traffic: they redirect users to malicious content in order to spread infostealers en masse to victims. They use the resources provided by the attacker group (builds, panels, lures) in exchange for a share of the revenue.

This modus operandi allows the groups responsible for these attacks to operate largely undisturbed in most countries, since they do not carry out the attacks directly.

The most commonly used means of attack are:

  • Malspam/phishing: sending emails with malicious content, such as an infected attachment, a link to a fraudulent website, etc.
  • Cracked software: a source of infection that is highly prized by attackers. It is distributed via torrent platforms or YouTube videos demonstrating a crack, with a download link in the description or comments. The speakers refer to these as "911" infection chains.
  • Malvertising / SEO poisoning: infection via internet searches. Malvertising is a malicious domain promoted through search-engine advertising (Google AdWords, now Google Ads, for example). SEO poisoning is the creation of malicious domains, offering for instance cracks for games or software, that are pushed up the search rankings so that the malicious payload gets distributed.

Sales are therefore an important part of this business. They can be broken down as follows:

  • Sales of kits and tools for traffers: these range from templates for fake websites (tax authorities, fines, banks, etc.) to mailing lists and phone-number lists for phishing.
  • Sale of data/logs: whether qualified or unqualified, parsed or unparsed, they can be sold individually or in bulk. Qualified and parsed logs (credentials already extracted and sorted by target, e.g. banking, corporate VPN, crypto) sell for more than raw, unparsed logs.
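To make "parsed" and "qualified" concrete, here is a small added example (my own code, not from the article or the conference) that parses a stealer credential dump and qualifies it against a defender's own domains. The log layout is a constructed approximation of the plain-text URL/USER/PASS blocks many stealer families write to a "Passwords.txt" file; real families vary, so the parser, the sample data and the domain list `WATCHED_DOMAINS` are all assumptions. The same logic is what a blue team runs over leaked logs obtained from monitoring (see the investigative methods below): find which of your accounts appear and get them reset, without ever re-handling the passwords themselves.

```python
"""Parse and qualify infostealer credential logs.

Added example: not code from the original article or the conference speakers.
The URL/USER/PASS block layout is an assumption loosely modelled on common
stealer "Passwords.txt" output; adapt the regex to the family you actually see.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample dump with three credential blocks (fake data).
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
USER: j.doe
PASS: Winter2023!

URL: https://mail.example.org/
USER: alice@example.org
PASS: hunter2

URL: https://vpn.example-corp.com/
USER: svc-backup
PASS: backup#2022
"""

# Assumed: the registrable domains the defender owns or monitors.
WATCHED_DOMAINS = {"example-corp.com"}

_FIELD = re.compile(r"^(URL|USER|PASS):\s*(.*)$")


def parse_log(text):
    """Turn a raw dump into a list of {'url', 'user', 'pass'} records.

    A new URL line starts a new block; blocks missing a field are dropped
    rather than guessed at.
    """
    records, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue  # blank lines, banners, unrelated fields
        key, value = m.group(1).lower(), m.group(2)
        if key == "url" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return [r for r in records if {"url", "user", "pass"} <= r.keys()]


def registrable_domain(url):
    """Crude registrable-domain extraction (last two labels).

    Assumption: adequate for .com/.org; use a public-suffix list for
    multi-label suffixes such as co.uk.
    """
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def qualify(records, watched):
    """Split records into those hitting watched domains and everything else."""
    hits, others = [], []
    for r in records:
        (hits if registrable_domain(r["url"]) in watched else others).append(r)
    return hits, others


def accounts_to_reset(hits):
    """Group exposed usernames by host for the IR team.

    Deliberately omits the passwords: the action is a forced reset plus
    session/token revocation, not re-use of the leaked secret.
    """
    by_host = defaultdict(set)
    for r in hits:
        by_host[urlparse(r["url"]).hostname].add(r["user"])
    return {host: sorted(users) for host, users in by_host.items()}


if __name__ == "__main__":
    hits, _ = qualify(parse_log(SAMPLE_LOG), WATCHED_DOMAINS)
    for host, users in accounts_to_reset(hits).items():
        print(f"{host}: reset {', '.join(users)}")
```

The useful part for a defender is the last function: the output is a reset list keyed by host, so nothing downstream needs to see the leaked passwords. On a real dump you would also revoke active sessions and cookies for those accounts, since stealers take browser cookies alongside passwords and a reset alone does not invalidate a stolen session.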

To combat this, there are investigative methods:

  • Monitoring distribution channels such as forums, Telegram and, more recently, Discord makes it possible to track the release of new malware. Vendors, who generally have to prove their credibility, post evidence of the malware's functionality and/or samples of stolen data/logs.
  • Tracking: monitoring distribution infrastructure, estimating impact, tracing command and control (C2) server chains, and creating and maintaining YARA signatures for detection.
  • Sandbox analysis: dissecting the malware, analyzing its behaviour and code, and tracing its C2 chain from the observed network traffic.
  • Tracking payloads distributed on the internet: via search engines or other means, this makes it possible to analyze distribution methods and trace C2 chains.

In order to strengthen protection for businesses, it is essential to understand how malware works and to monitor the threat over time, including how it spreads and evolves. The malware market, and particularly the infostealer market, is evolving very rapidly. Today, we can say that it is reaching maturity, in the sense that hacker groups are now highly organized and responsive.

They remain in a legal gray area by carrying out few or no attacks themselves, instead going through traffers. This market is therefore very lucrative, so companies must constantly adapt and not neglect the security of their infrastructure or the training and awareness of their employees.

In 2022, ANSSI published a summary document on threats related to cookie theft.

Guillaume GAUTHIER

Network Security Engineer, Squad
