In its latest report, ‘The Growing Threat From Infostealers’, the Secureworks Counter Threat Unit (CTU) has revealed a thriving infostealer market that serves as a key enabler for the most damaging forms of cyber crime such as ransomware attacks.
Infostealer malware, which consists of code that infects devices without the user’s knowledge and steals data, remains widely available to buy through underground forums and marketplaces, with the volume of logs, or collections of stolen data, available for sale increasing at alarming rates. On the Russian Market alone, the overall growth was 670% between June 2021 and May 2023.
Don Smith, Vice President, Secureworks CTU, says, “Infostealers are a natural choice for cyber criminals who are looking to rapidly gain access to businesses and then monetise that access.
“They are readily available for purchase and within as little as 60 seconds, generate an immediate result in the form of stolen credentials and other sensitive information.
“However, what has really changed the game, as far as infostealers are concerned, is improvements in the various ways that criminals use to trick users into installing them, such as fake messaging apps and cloned websites.
“That, coupled with the development of dedicated marketplaces for the sale and purchase of this stolen data, makes it even harder for victims to detect and remove infostealers.”
Key report highlights:
Secureworks researchers analysed the latest trends in the underground infostealer market, including how this type of malware is becoming more sophisticated and difficult to detect, posing a challenge for defenders of corporate networks.
Key findings include:
- The number of infostealer logs for sale on underground forums continues to increase over time. On Russian Market alone, the number of logs for sale increased by 150% in less than nine months, from two million on a single day in June 2022 to over five million on a single day in late February 2023. Over a period of nearly two years (measured on a single day in June 2021 and a single day in May 2023), the overall growth rate for the number of logs for sale on Russian Market was 670%.
- Russian Market remains the top seller of infostealer logs. At the time of this report, Russian Market offers five million logs for sale, around ten times more than its nearest forum rival, 2easy. Russian Market is well established among Russian cyber criminals and used extensively by threat actors worldwide. Russian Market recently added logs from three new stealers, which suggests that the site is actively adapting to the ever-changing e-crime landscape.
- Raccoon, Vidar and Redline continue to be the top three infostealer logs for sale. On a single day in February, the number of logs, or data sets of stolen credentials, for sale on Russian Market from each of these popular infostealers was: Raccoon: 2,114,549; Vidar: 1,816,800; Redline: 1,415,458.
- Recent law enforcement action against Genesis Market and Raid Forums has impacted cyber criminals’ behaviour. Telegram has been a beneficiary of this, with more buying and selling of logs for popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer shifting to dedicated Telegram channels. Despite the arrests of multiple users and the takedown of 11 domains associated with Genesis Market, the Tor site remains operational with logs still available for sale. However, activity on the marketplace has slowed, as criminals have begun discussing the situation on underground forums, expressing doubts about the marketplace’s trustworthiness.
- A growing market has emerged to meet the demand for after-action tools that help with log parsing, a manual and challenging task often left to more experienced cyber criminals. As the number of infostealers and available logs increases, these tools are expected to become more popular and to further lower the bar for entry.
Smith continues, “What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low skilled threat actors to get involved. Coordinated global action by law enforcement is having some impact, but cyber criminals are adept at reshaping their routes to market.
“Ensuring that you implement multi-factor authentication to minimise the damage caused by the theft of credentials, being careful about who can install third-party software and where it is downloaded from, and implementing comprehensive monitoring across host, network and cloud are all key aspects of a successful defence against the threat of infostealers.”
Infostealers can easily be installed on a computer or device via phishing, infected websites, malicious software downloads and Google ads, the researchers state. A log represents the complete collection of assets that can be stolen from a victim’s endpoint, from cookies through to stored credentials.
In 2022, stolen credentials accounted for almost one in ten of the incident response engagements Secureworks was involved in, and from April 2022 to April 2023 they were the initial access vector (IAV) for over a third (34 per cent) of ransomware engagements.