The Resurgence of Infostealers

Born in the 1990s, a botnet malware variant known as “Infostealers” has returned with a vengeance. Since the original discovery of botnet malware, both technology and threat actor skills have drastically improved, allowing botnets to scale in size and capability. According to NETSCOUT’s 2022 threat report, in the first half of 2022 alone, their “global honeypot network observed more than 67 million connections from 608,000 unique IP addresses, spanning … 30,000 organizations, and 165 countries.” NETSCOUT observed a staggering 2,300% increase in botnet-infected devices from Q1 to Q2 of 2022.

As our lives and personal data go increasingly digital, there’s more to be gained by hackers who successfully steal your private data. The US Department of Justice reported the takedown of the Raccoon Infostealer MaaS (malware as a service) and the arrest of key players in its operation in March of 2022. The FBI identified over 50 million unique credentials captured by the dismantled botnet, as well as PII including email addresses, bank accounts, cryptocurrency addresses, and credit card numbers. A few months later, in July 2022, version two of the Raccoon Infostealer was released and went viral under its new name, RecordBreaker. There’s no question that botnet Infostealers are making a big comeback, and they’re coming after your data.

What is an Infostealer?

As the name suggests, an Infostealer steals your info—and it takes it right from where you feel the safest keeping it: your own computer and mobile device. Much like a computer virus, an Infostealer is a form of malware that infects your computer or mobile phone. But unlike most viruses, an Infostealer’s purpose is to capture whatever data it can from your computer and relay it back to the botnet’s command and control servers. Furthermore, certain varieties of botnet malware can take control of your computer, take screenshots at any point, log your keystrokes, and much more. The worst part is that all of this happens without the machine’s user even knowing anything is wrong. While many viruses have very noticeable symptoms (poor computer performance, frequent crashing, etc.), an Infostealer is more fruitful for the threat actor when it operates undetected.

What will an Infostealer steal, exactly?

In short, everything that matters to you on your device. The most lucrative is all the stored credentials and Autofill data your web browser captures. Every time you log in to a site and your browser offers to save your password, those saved credentials are what get snagged. On average, we see 38 different pairs of credentials captured from an infected device, including 6 unique email addresses. Your browser’s Autofill feature also saves things like your name, address and credit card numbers for easy access the next time you need to fill in this information. Unfortunately, since an Infostealer is software that runs on your computer, it can quite easily extract the data saved in your Autofill database and capture all your stored credentials, which sites those credentials work for, and any other personal detail you thought would stay private unless you decided otherwise.

Among the data an Infostealer can grab from your browser are your cookies. Cookies are snippets of data stored locally by your web browser for convenient use later. This might be a website’s way of storing a preference of yours, or it could be used for login purposes. Every time you log in to a website, a “session” is created and marked as authenticated; depending on your preferences and how the website is designed, sessions can remain valid for extended periods of time. Notice that you’re still logged in when you close your browser and return to certain sites? That’s thanks to sessions—and cookies are partly responsible for keeping track of your session. The website you’ve authenticated with stores a token, or a code of some kind, in your browser’s cookies. When this cookie is present and you revisit the site, the site checks the cookie, sees that the stored token is still valid, cross-checks a few other parameters (like your browser version, operating system type and the geolocation of your IP address), and if everything checks out, your session is still considered valid and you’re not required to re-authenticate. When an Infostealer captures your cookies along with some other relevant data from your computer, it is entirely possible for the attacker to leverage this to “hijack” your session and bypass the need to authenticate. This is particularly scary considering it often defeats multi-factor authentication too.
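Added example, not from the original post or from Constella’s product: a minimal server-side session store that binds the cookie token to the context the paragraph mentions (browser, operating system, IP country) and revokes the token the moment the same cookie is presented from a different context, forcing re-authentication. The usernames, browser strings, TTL and timestamps are constructed.

```python
import hashlib
import secrets

SESSION_TTL = 7 * 24 * 3600  # constructed: a week-long "stay logged in" session


def fingerprint(user_agent, os_family, ip_country):
    """Hash of the context a site cross-checks alongside the cookie token."""
    return hashlib.sha256(f"{user_agent}|{os_family}|{ip_country}".encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self.sessions = {}  # token -> {"user", "fp", "expires"}

    def create(self, user, user_agent, os_family, ip_country, now):
        token = secrets.token_urlsafe(32)  # the value the browser keeps in a cookie
        self.sessions[token] = {"user": user, "expires": now + SESSION_TTL,
                                "fp": fingerprint(user_agent, os_family, ip_country)}
        return token

    def validate(self, token, user_agent, os_family, ip_country, now):
        """Return (user, None) if accepted, else (None, reason). A token whose
        context no longer matches is revoked, so a stolen cookie cannot be retried."""
        sess = self.sessions.get(token)
        if sess is None:
            return None, "unknown_token"
        if now > sess["expires"]:
            del self.sessions[token]
            return None, "expired"
        if sess["fp"] != fingerprint(user_agent, os_family, ip_country):
            del self.sessions[token]
            return None, "context_mismatch_reauth_required"
        return sess["user"], None


def demo():
    """Constructed scenario: the owner's browser, then the same cookie replayed elsewhere."""
    store, t0 = SessionStore(), 1_700_000_000
    cookie = store.create("alice", "Firefox/118", "Windows", "US", now=t0)
    own = store.validate(cookie, "Firefox/118", "Windows", "US", now=t0 + 3600)
    # Same cookie value, different browser/OS/country: rejected and revoked
    replay = store.validate(cookie, "Chrome/117", "Linux", "RO", now=t0 + 7200)
    # Even the legitimate owner now has to log in again
    retry = store.validate(cookie, "Firefox/118", "Windows", "US", now=t0 + 7300)
    return own, replay, retry
```

Binding to coarse attributes such as the IP country rather than the exact address keeps users on mobile networks from being logged out on every address change. Each forced re-authentication is also a useful signal to log and review, since it may indicate a replayed cookie.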

Infostealers also capture information about your computer. This includes your machine name, IP address, operating system and version, which software you run and the type of anti-virus you use (if any). They often grab a screenshot of your desktop in addition to geolocating your machine.

Why the recent boom in Infostealers’ success?

Infostealers are no new concept, so why are they gaining success now? In short, the underground community has matured and evolved rapidly. As technology has advanced, so have threat actor capabilities. And with these advancements, underground marketplaces, hacker communities and their respective exploits have increased in power and efficacy. It’s important to remember there is a thriving economy supporting all of this nefarious digital activity. As noted by Tidal Cyber, here are some notable reasons for recent Infostealer growth and success:

– Underground marketplaces are robust and cater to threat actor demand. Underground hacking communities have grown economically the same way legitimate economies grow: demand for certain products and services raises overall quality and creates competition. In short, demand for stolen credentials and PII creates demand for better tools to capture this data. Malware as a Service has emerged, allowing anyone willing to pay a nominal fee to gain access to these tools for their own malicious work.

– The cost and other barriers to entry are low, which builds upon the growing community and the concept of MaaS (malware as a service). Simply put, it’s becoming easier to deploy botnet malware attacks for very little up-front cost.

– Established “big game” threat actors are seeking Infostealer capabilities. As the underground community scales up, well-known and established cybercriminals are looking to expand their game using Infostealers.

– Infostealers are successfully impersonating legitimate software, which seeds infections. Simply put, botnet malware creators are doing a better job of disguising their Infostealers as legitimate software, making them both harder for antivirus software to detect and more likely to be downloaded and installed by users.

How can Constella help?

Constella Intelligence leads the industry in both the volume and the quality of its breach exposure data and is rapidly approaching the industry-leading spot for phishing and botnet data. We have the unique ability to capture data stolen by a phishing site or an Infostealer (botnet malware). And unlike the relatively slow lifecycle of breach data (where cyber criminals have plenty of headway to exploit your breached data before you’re aware), we capture and deliver alerts from captured botnet data in one to seven days. Since malicious actors are stealing data via botnets at such high volumes, being alerted to an exposure even a few days later gives the would-be victim a fighting chance to reset passwords and take other preventative measures before the hacker can make use of the captured data.

While antivirus software and other network security measures are a first line of defense against malware and Infostealers, they are not 100% effective. This is not a failure of your AV software and network security, as there are many reasons why botnet malware slips through; in general, it’s a game of cat and mouse where malicious actors fight hard to stay one step ahead of security software. As a last line of defense against botnet malware attacks, let Constella monitor your clients’ data for exposure and alert you to incidents quickly, so you can begin remediation before it’s too late. Contact us for a demo!

Keon Ramezani

Sr. Sales Engineer

ID Fusion: See the Forest Through the Trees

In the identity theft protection world, consumers’ personal information is monitored for exposure on the deep and dark web, and the results often come through as a series of disjointed data points. A person may have an exposed email address and password from a gaming site, exposed address and name from a forum, exposed credit …

Lessons Learned in 2022

As 2022 comes to a close, it’s certain most of us will reflect on the past 12 months and think ahead to planning a successful 2023. This past year showed the world tremendous change, with plenty of tough times and uncertainty, tempered by a glimpse of hope for a brighter tomorrow. We aim to learn from our mistakes, keep lessons learned in mind, and keep a watchful eye out for new challenges to come.

Let’s welcome a new year by reflecting on the important lessons learned through this blog in 2022.

Phishing Attack Prevention

Phishing is a relatively low-tech attack that relies on deception and illusions. Be sure to learn how malicious actors sneak past your defenses and lure you into their trap.

Phishing starts with a spoof website: a page operated by the hacker but designed to look exactly like a legitimate website, in the hope that an unsuspecting user won’t be able to tell the difference. Once on the phishing site, the user will be prompted to log in, answer a security challenge question, or provide some other form of private data.

Suppose you bank with ACME Bank and you log in to online banking at acmebank.com. Hackers may set up spoof websites with similar URLs or ones that look legitimate, such as acmebank.onlinebanking.com, www-acmebank.com, or even acme-bank.com. The site will exactly copy the design of the legitimate website, bearing the ACME Bank logo and using the same fonts, the same stock images, and an identical layout. The victim will land on a login screen and enter their login credentials. Unfortunately, once they click that “login” button, it’s too late. Whether the victim is shown a login error, redirected to the legitimate bank website or something else, the hacker now has their credentials, which the hacker can use to log in to the real ACME Bank site and potentially transfer money to their own account. Even worse, given the average user’s tendency to re-use passwords, the hacker can gain access to the victim’s accounts on other websites and do further damage.
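Added example, not part of the original post: a URL check of the kind a browser extension or mail filter could apply to links, deciding whether a host really belongs to acmebank.com or only imitates it. The registrable_domain helper is a simplification (a production implementation would consult the Public Suffix List for suffixes like co.uk), and the one-character typosquat check goes beyond the three lookalikes the text lists.

```python
from urllib.parse import urlsplit

LEGITIMATE_DOMAIN = "acmebank.com"  # the bank's real domain, as used in the article


def registrable_domain(host):
    """Last two labels of a hostname: 'acmebank.onlinebanking.com' -> 'onlinebanking.com'.
    Simplified: multi-part public suffixes (co.uk, com.au) need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats such as acmebnk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, legit=LEGITIMATE_DOMAIN):
    """Return 'legitimate', 'lookalike' or 'unrelated' for the host in a URL."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    # Only the registrable domain counts: www.acmebank.com is fine,
    # acmebank.onlinebanking.com is not, whatever the left-hand labels say.
    if registrable_domain(host) == legit:
        return "legitimate"
    brand = legit.split(".")[0]  # "acmebank"
    # Brand name embedded in a different domain (acme-bank, www-acmebank, ...)
    if brand in host.replace("-", "").replace(".", ""):
        return "lookalike"
    # A label one edit away from the brand (acmebnk, acmebamk, ...)
    if any(edit_distance(label, brand) <= 1 for label in host.split(".")):
        return "lookalike"
    return "unrelated"
```

A lookalike verdict is a reason to block or warn, not proof of phishing; legitimate third parties occasionally embed a brand name in their own domains, so such hits should be reviewed against an allowlist.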

Read the full blog for details on how to protect yourself.

Protect Your Child’s Identity

We often forget to think about protecting our children’s identity and credit profile because children don’t apply for credit and don’t have their own money. But your child does have a Social Security number, and to a hacker, that’s a blank slate that often goes unchecked by its owner.

To hackers, child identity theft is a goldmine. The tablet is the modern pacifier. According to the American Academy of Pediatrics, “up to 75% of young children have their own tablets, and infants are estimated to start handling mobile devices during the first year of life.” Mobile apps, video games, and online educational resources often require an account, which is sometimes linked to a credit card or bank account. This leaves hackers with lots of low-hanging fruit to target for account takeover and financial fraud. Not to mention that children have Social Security numbers too, making them prime targets for identity theft.

Be sure to read the full blog to understand how to protect your child’s identity and credit.

Mind Your Digital Exhaust

As we putter around the internet, our digital exhaust lingers in cyberspace. Unlike your car’s exhaust, your digital exhaust won’t dissipate on its own—either you have to clean up after yourself or hackers will use your own data against you.

How Does Digital Exhaust Occur?

We know our digital identity is made up of a large collection of data, but why is it on the internet in the first place? There are four main reasons.

  1. Human Nature. As human beings, we like to share everything we do on the Internet.
  2. Data Leakages. Accidental publications of your data, due to misconfigurations and errors, by companies you have engaged or currently engage with.
  3. Data Brokers. Their main business is to sell your data on the Internet, and most of them operate fully within the law!
  4. Data Breaches. Although the companies you engage with make a concerted effort to safeguard your data, this information is valuable to hackers, and so data breaches happen frequently, exposing your personal information on the Dark Web.

Check out both part 1 and part 2 of this blog to learn about how you emit digital exhaust, what that means for you, and how you can protect yourself.

Data Breaches and Dependable Dark Web Alerts

If you use the internet with any frequency, your data will eventually wind up exposed to hackers through no fault of your own. Data breaches expose billions of records containing PII and credentials, and the best way to defend against this is to remain informed of your data’s exposure. But if you’re inundated with alerts because your identity monitoring provider can’t differentiate between fabricated data and a critical alert, you may stop paying attention.

The truth is, your PII is very valuable to malicious actors, and despite considerable efforts to keep your personal information private, organizations of all sizes are frequently targeted and infiltrated by hackers. Unfortunately, some organizations have less-than-mature security and privacy practices and inadvertently expose your data via misconfigured software, careless security practices, or distribution to an unintended recipient.

You’ve probably heard about Identity Theft Protection services that monitor the deep and dark web for your exposed information. Subscribing to such a service is a great way to protect yourself from becoming a victim of cybercrime, but not all deep and dark web monitoring service providers are created equal. The steps a provider takes between data breach and alert delivery make a big difference in the quality of the result.

Continue reading to learn how to bolster your dark web monitoring offering with dependable data.

Happy New Year

On behalf of the Constella Intelligence team, we wish you and yours a wonderful holiday season and New Year. May your 2023 be free of security incidents, data breaches and account takeovers; full of good health, happiness and fun instead!

