Blog

What is InfoStealer Malware and How Does It Work?

Cyberattacks are not random but rather follow a set of methodical and somewhat tactics and techniques. The Cyber Kill Chain, developed by Lockheed Martin, details the sequential phases of a cyber attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Attacker tactics and techniques can be mapped using models such as the MITRE ATT&CK framework. 

Following these known strategies, after gaining unauthorized initial access, the installation phase allows the attacker to establish a foothold, and through command and control (C2), they maintain ongoing access to the compromised environment.

During these middle stages InfoStealer malware often comes into play. InfoStealer malware is a type of malicious software specifically designed to extract sensitive information from an infected system. The stolen information can be leveraged to extort victims, threatening to release the data unless a ransom is paid, or sold on the blackmarket to other organized criminal organizations.  Furthermore, if the stolen information contains the victim's credentials such as username, passwords, or private keys, the attacker can use them to compromise other systems, furthering their attack. 

In this article we will provide a comprehensive review of InfoStealer malware, what information it targets, how it operates, and list the most prolific InfoStealer malware strains. By understanding the role of InfoStealer malware organizations can better prepare and respond to the intricate landscape of cyber threats they face today.

What is InfoStealer Malware?

InfoStealer malware, as its name suggests, is a type of malicious software designed specifically to gather sensitive information from infected systems. This category of malware targets personal, financial, and business data, which can include passwords, credit card numbers, browsing history, and other valuable information. The ultimate goal of InfoStealers is to transmit this stolen data to cybercriminals who can use it for financial gain, identity theft, or further malicious activities.

InfoStealers often enter systems through phishing emails, malicious attachments, or compromised websites. Once installed, they can operate quietly in the background, making them particularly hard to detect. They may also employ various techniques to avoid detection, maintain persistence, find other valuable targets on a network, and allow attackers to issue commands remotely. The most sophisticated InfoStealers are modular; they can import specific payloads after scanning the environment for potential sources of valuable information. 

How Do InfoStealers Work?

InfoStealer malware employs a variety of techniques to target and extract specific types of data from infected systems. Each strain of malware that is classified as a InfoStealer has different capabilities ranging from simple scripts to sophisticated modular malware. It's also important to remember that data can be stolen from a system using native built-in OS tooling known as a Living Off The Land (LOTL) attack.  

Each method discussed below targets specific types of data or input-output peripherals. Each method also leverages unique vulnerabilities associated with how that data is used, stored, and transmitted. The diversity of these techniques underscores the necessity for comprehensive security measures that protect not just against one type of threat but a broad array of infiltration strategies.

Here are some ways that InfoStealer malware operates:

  • Keylogging: One of the most common tactics, keylogging involves recording keystrokes made by a user. By capturing everything typed, attackers can later filter out passwords, credit card details, and other sensitive personal information

  • Form Grabbing: This technique is used to intercept data submitted in forms on web pages before it is encrypted by the browser. It's particularly effective for stealing login credentials, payment information, and other data entered on websites

  • Clipboard Hijacking: InfoStealers can monitor and modify the clipboard content on an infected device. When a user copies data such as account numbers or passwords, the malware replaces or steals this information. This attack technique can even steal usernames and passwords as they are auto-filled by a password manager

  • Screen Capturing: By taking screenshots of the user’s screen at critical moments—such as while entering credentials or viewing personal information—this method can bypass text-based data extraction limitations, capturing data displayed on the screen in any form

  • Browser Session Hijacking: This method involves stealing cookies and session tokens from a browser's cached memory which can allow cybercriminals to impersonate the victim's online session, gaining unauthorized access to online accounts without needing a username and password

  • Credential Dumping: This method extracts data from user accounts stored on the system, such as login credentials saved in web browsers or other client software. If they are stored in encrypted format, attackers will attempt to crack them offline using specialized hardware and software tools

  • Man-in-the-Browser Attacks: These are more sophisticated attacks where the malware injects malicious code into the web browser itself. This allows the attacker to intercept and manipulate information in real-time as it is entered on secure websites

  • Email Harvesting: The malware searches through files and emails stored on the computer to collect email addresses and other contact information, which can be used for spamming or further phishing attacks

  • Crypto-Wallet Harvesting: Some InfoStealer malware can search known installation paths for common crypto-wallet software and attempt to steal private keys. Once in the attacker's possession these keys can be used to transfer the victim's cryptocurrency to attacker controlled accounts

The Most Prolific Strains of InfoStealer Malware

Estimating the exact number of InfoStealer malware strains is challenging due to the constantly evolving nature of malware and the frequent emergence of new variants. However, cybersecurity experts and researchers generally agree that there are hundreds, if not thousands, of different strains of InfoStealer malware in existence. This vast range includes everything from well-documented and widely recognized strains to more obscure or specialized ones that target specific geographic regions or sectors.

  • Zeus (Zbot): Perhaps the most infamous InfoStealer, Zeus primarily targets financial information. First identified in 2007, it has been responsible for numerous cybercrimes, including banking fraud and the formation of botnets. Zeus is known for its ability to elude detection by using stealth techniques and its capability to replicate and distribute itself

  • Ursnif (Gozi): Ursnif is another banking Trojan that has been active for over a decade. Ursnif is known for its sophisticated evasion techniques, modular design, and its ability to steal a wide variety of data types, including banking credentials and personal identifiable information (PII). Ursnif is typically spread through exploit kits and phishing emails

  • Agent Tesla: Agent Tesla is a sophisticated spyware that functions primarily as a keylogger and a remote access trojan (RAT). First identified around 2014, it is capable of monitoring and collecting the victim's keyboard inputs, system clipboard, taking screenshots, and exfiltrating credentials from a variety of software installed on the victim’s machine. Agent Tesla is often distributed via malicious email attachments, disguised as legitimate files or links that execute the malware upon opening

  • LokiBot: LokiBot, first detected in 2015, is an information stealer that targets multiple platforms to steal a variety of credentials such as passwords, cryptocurrency wallets, and other data. It also has modular functionalities to download and execute additional malicious payloads giving the attacker remote access. LokiBot is typically distributed through phishing emails, malicious software installers, and compromised websites

  • TrickBot: Originally identified in 2016, TrickBot has evolved from a banking trojan into a sophisticated multi-purpose malware capable of launching ransomware attacks and providing attackers with remote access to infected systems. TrickBot spreads through malspam campaigns and exploits vulnerabilities in network infrastructure. TrickBot is often considered one of the most sophisticated strains of malware with diverse capabilities

  • Raccoon Stealer: Raccoon Stealer is an information-stealing malware that emerged in 2019, known for its ease of use for low-skilled attackers, and its ability to extract a wide range of personal data. This malware steals credentials, web session cookies, and credit card data from browser caches, and searches for cryptocurrency wallets to extract private keys. Raccoon Stealer spreads via malicious email campaigns and exploit kits, leveraging its simplicity and effectiveness to appeal to a wide range of cybercriminals, including those with limited technical expertise

  • Redline Stealer: Redline Stealer, first observed in 2020, is a relatively new but rapidly popular malware designed to steal passwords, credit card information, and other sensitive data stored in web browsers. It can also collect details about the infected system’s environment in order to facilitate secondary attacks such as privilege escalation and maintaining persistence. Redline Stealer is typically distributed through phishing campaigns, malicious advertisements, and bundled with cracked software, highlighting the risks of downloading unverified software from the internet

Conclusion

InfoStealers represents a distinct type of malware, adept at extracting sensitive information from compromised systems, and plays a crucial role during the middle stages of a cyber attack—post-initial access. It targets a wide range of data, from personal and financial information to credentials that facilitate lateral movements within networks or enable extortion schemes.  Understanding the nature and function of InfoStealer malware is essential for organizations seeking to enhance their defensive strategies against an increasingly sophisticated array of cyber threats.

Looking for more deep-dives on topics related to InfoStealer malware and other cybersecurity news? Sign up for our informational zero-spam newsletter.

Featured Posts

See All

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

September 26 - Blog

Blackwood APT Uses AiTM Attacks to Target Software Updates

Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.