
How to fend off infostealers

As rampant stolen information fuels the cybercrime economy, it's time to up your protection, writes Rafe Pilling, director of threat research at Secureworks

Despite the best efforts of law enforcement and network defenders, the infostealer market is booming. This insidious malware steals information such as login credentials, financial details, and personal data from compromised computers and networks. The stolen data is then packaged and sold as “logs” on underground marketplaces.
Secureworks research shows the volume of stolen data for sale on underground sites increased by 670% between June 2021 and May 2023 – with the largest marketplace, ‘Russian Market’, offering over five million victim logs from just a handful of infostealers.

In 2022, stolen credentials accounted for almost one in 10 Secureworks incident response engagements. From April 2022 to April 2023, they were the initial access vector (IAV) for over a third (34%) of our ransomware engagements.

Available to preorder
We have also seen evidence of cybercriminals being able to pre-order stolen credentials. Buyers simply deposit $1000 in the marketplace’s escrow system and request credentials based on domain name or specific application. This development could herald a worrying new wave of more targeted attacks on specific organisations and sectors.
Security teams must understand the risks infostealers pose, know where their networks could be exposed, and ensure they are taking the right steps to mitigate these threats.
Central to cybercrime 
While infostealers have been around for decades, they have evolved into a much more potent threat in recent years, becoming a vital linchpin in the cybercrime ecosystem. They can be covertly installed on PCs and other devices via a variety of mechanisms, often through simple phishing attacks, drive-by downloads, or malvertising. They prey on individuals within organisations who make an erroneous click. They also execute and exit quickly: many infostealers collect and transmit stolen data within several seconds to a minute of total runtime, which leaves defenders very little time to react.
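Because the whole theft can finish in under a minute, detection has to key on the behaviour itself rather than on a later cleanup. The following Python script is an added example written for this page, not Secureworks tooling: it scans process telemetry for a non-browser process that reads a browser credential store and then opens an outbound connection within 60 seconds. The pipe-separated telemetry format, the sample lines, the list of credential-store file names, the list of browser images and the 60-second window are all assumptions chosen for the example.

```python
"""Detect infostealer-style behaviour in process telemetry.

Added example, not Secureworks code. Heuristic: a process that is not a
browser reads a browser credential store and then opens an outbound
connection within a short window. The event format and the sample lines
below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# File names of common browser credential / session stores (assumed list).
CRED_STORE_NAMES = {"login data", "logins.json", "key4.db", "cookies"}
# Browsers legitimately read their own stores, so they are excluded.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Infostealers typically finish within seconds to a minute of starting.
WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Event:
    ts: datetime
    pid: int
    image: str    # lower-cased process image name
    kind: str     # "file_read" or "net_connect"
    target: str   # file path for file_read, host:port for net_connect


def parse_line(line: str) -> Event:
    """Parse one pipe-separated telemetry line (hypothetical format)."""
    ts, pid, image, kind, target = line.strip().split("|", 4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 int(pid), image.lower(), kind, target)


def is_credential_store(path: str) -> bool:
    """True if the file name is a known browser credential store."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in CRED_STORE_NAMES


def detect(events: Iterable[Event], window: timedelta = WINDOW) -> list[dict]:
    """Return one finding per process that read a store and then connected out."""
    last_read: dict[int, Event] = {}   # pid -> most recent credential-store read
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image in BROWSER_IMAGES:
            continue
        if ev.kind == "file_read" and is_credential_store(ev.target):
            last_read[ev.pid] = ev
        elif ev.kind == "net_connect" and ev.pid in last_read:
            read = last_read.pop(ev.pid)
            delta = ev.ts - read.ts
            if delta <= window:
                findings.append({
                    "pid": ev.pid, "image": ev.image,
                    "store": read.target, "remote": ev.target,
                    "seconds": delta.total_seconds(),
                })
    return findings


# Constructed sample telemetry: a backup tool with a slow, benign read,
# a browser reading its own store, a suspicious updater, and an idle process.
SAMPLE_TELEMETRY = r"""
2023-05-02T10:00:00Z|900|backup.exe|file_read|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data
2023-05-02T10:14:58Z|3011|chrome.exe|file_read|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data
2023-05-02T10:14:59Z|3011|chrome.exe|net_connect|198.51.100.10:443
2023-05-02T10:15:03Z|4120|svc_update.exe|file_read|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data
2023-05-02T10:15:04Z|4120|svc_update.exe|file_read|C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json
2023-05-02T10:15:09Z|4120|svc_update.exe|net_connect|203.0.113.5:443
2023-05-02T10:30:00Z|900|backup.exe|net_connect|198.51.100.20:443
2023-05-02T10:31:00Z|1200|explorer.exe|net_connect|198.51.100.30:80
""".strip().splitlines()


def run_sample() -> list[dict]:
    """Run the detector over the constructed sample; only pid 4120 should fire."""
    return detect(parse_line(line) for line in SAMPLE_TELEMETRY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"ALERT pid={f['pid']} {f['image']} read {f['store']} "
              f"then connected to {f['remote']} after {f['seconds']:.0f}s")
```

The browser exclusion and the time window are where tuning happens in practice: legitimate backup and sync agents do read these files, but rarely within seconds of an outbound connection, so the window, not the file list, is what keeps the rule quiet. A production version would also key on process lineage (an Office or archive-extraction parent is a stronger signal) and on the destination's reputation.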
Other cybercriminals, or even state-sponsored threat actors, purchase the stolen data to facilitate attacks. It’s all part of the cybercriminal cycle of life. The infostealers provide that fertile ground that feeds other attackers.
For example, threat actors may buy credentials to gain unauthorised access to enterprise networks via remote access services such as virtual private networks (VPNs) and webmail services. They could then use this access to exfiltrate sensitive data or deploy ransomware.
Infostealer innovations
Infostealers trace their heritage back almost two decades to the infamous Zeus banking trojan. Zeus source code was leaked in 2011, leading to a proliferation of new variants offering advances in capability, such as customisation to target Android devices, Facebook business accounts, and other platforms. Some of the most popular families in circulation today are RedLine, Raccoon and Vidar, all of which are traded across global marketplaces.
The risk to corporate users is particularly acute in hybrid workplaces. Adoption of bring your own device (BYOD) policies could result in infected personal devices accessing corporate systems and putting the organisation at risk. Using work devices for personal tasks such as playing games and visiting social media sites also raises the risk of unwittingly installing infostealer malware.
But that’s not all. The technical barrier to entry has been lowered. The malware-as-a-service (MaaS) model makes it easier for less technical threat actors to use infostealers. For example, some marketplaces offer a browser extension for built-in parsing, bypassing the often laborious and technical job of manually parsing logs.

Structured data for sale
Meanwhile, a fast-growing market has emerged for “after-action” parsing tools to help extract data of interest from raw logs. These tools are snapped up by threat actors who have deployed infostealers and want to sell structured data, as well as by buyers in possession of bulk raw logs.
We have also seen threat actors increasing efforts to hide their identities and activities as a result of high-profile law enforcement disruption of criminal marketplaces.

Many cybercriminals now use platforms like Telegram and Mastodon to advertise their services and to obtain and post command and control (C2) IP addresses. Although buyers are at the mercy of scammers on these platforms, these communications channels make it harder for law enforcement to find and shut down cybercriminal activity.
How to stay safe:
Despite the agility of threat actors, there are some tried-and-tested ways to keep infostealers off corporate systems. Cyber-hygiene best practices can do much to mitigate the threat from opportunistic attacks:

  • Keep software up-to-date.
  • Use strong and unique passwords.
  • Implement multi-factor authentication (MFA).
  • Only download software from official stores.
  • Conduct employee training to improve phishing awareness.
  • Update security policies as appropriate to address hybrid working practices.
  • Invest in security solutions that can detect and block infostealer malware.
