A new study from Uptycs has uncovered an increase in the distribution of information stealing malware. Incidents have more than doubled in Q1 2023, indicating a disturbing trend that threatens global organizations.
According to the new Uptycs whitepaper, Detecting the Silent Threat: 'Stealers are Organization Killers' (gated link), a variety of new info stealers have emerged this year, preying on Windows, Linux, and macOS systems. The 17-page report has a wealth of information, including the impact of stealers, the lifecycle of a stealer, the workflow of a stealer, and statistics around the stealers trending in 2023.
Some highlights include:
- Stealers are primarily sold on cybercrime forums. Their logs are sold on instant messaging platforms such as Telegram and Discord. Stealer and log prices generally range between $200-300 a month, or around $1,000 for a lifetime subscription.
- Newly discovered stealer families include modules that specifically steal logs from MFA applications, like the Rhadamanthys malware. This demonstrates a focus on collecting data from multi-factor authentication tools.
- Last year was bountiful for stealers; they continued to evolve as they exploited popular vulnerabilities from prior years to infiltrate targeted devices. Examining the dark web reveals that infostealer malware has become increasingly widespread. With a 56% share, RedLine has become the prominent stealer in the marketplace, followed by Raccoon (15%) and RecordBreaker stealer. Newcomer Meta (11%), Vidar (10%), Cryptbot, and AZORult are additional information stealers used in 2022.
- This year, however, there are multiple new info stealers arising that target all three platforms: Windows, Linux, and macOS. Most of these malware authors are using Telegram as a platform for command and control and data exfiltration.
Cybersecurity vendor experts provided their commentary on the findings:
Zane Bond, Head of Product at Keeper Security, said:
"The first phase of any breach begins with an external facing risk, such as a software vulnerability or employee who falls victim to phishing. Individuals and organizations are constantly exposed to these threats, but what happens after that first step is more challenging for the attacker.
Information stealers make it easier for these initial attacks to continue into a successful breach. An infostealer can automate many steps in the reconnaissance phase of an attack, allowing less-technical threat actors to spend a small amount of money to get deeper access inside a network or organization.
When Metasploit was first released, the cybersecurity industry had similar interest, because now, a complete newbie could run an automatically-generated malicious executable to gain full access. This allowed non-nation state, non-organized crime actors to up their game and reduce the time needed to evaluate if a target had what they wanted.
Adversary tools will continue to evolve, just as defensive tools do. We're in an arms race against cybercriminals, and this report provides a view into how the other side is doing. They have easy-to-use tools that anyone with a credit card can buy and start using without much technical knowledge. Dark web tools even have tech support teams and friendly customer service reps that help bad actors along the way, with reviews and ratings, and more professional websites than in the past."
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, said:
"There's no doubt we're seeing more information stealing malware, but there's been an uptick in cybercriminal activity overall. Whether this rise is part of the overall trend, a fluctuation relative to other malware activity like ransomware and spyware, or a genuine increase in this specific threat, is hard to say without more research.
It's always hard to predict how malware will evolve over time, however, it's a safe bet that attacks on the users themselves will remain a priority. Historically, user errors have been more of a risk than technical issues. Zero-Day attacks get the headlines when they happen, but users falling for phishing attacks or other social engineering attacks happen every day without fail.
Remote work over the past few years has blurred the lines between the organization environment and the home environment to the point where it can be hard to define. That in turn has made it more difficult to control both the environment and who has access to it. When users can be working from anywhere, threats can also appear from anywhere, and security teams can find it very hard to even identify the risks, let alone deal with them effectively."
The Uptycs reports concludes:
"Stealers are able to gather a wide variety of sensitive data, which threat actors might then sell or employ in further attacks. They are often spread by malicious advertising, spam, and compromised accounts.
The probability of infection and attack severity can be decreased by:
• Turning on multi-factor authentication (MFA) for all corporate and personal accounts
• Regularly changing account passwords
• Using complex passwords (e.g., a combination of uppercase/lowercase, numbers, and symbols)
• Using a unique password for each website. If attackers obtain your login credentials from one, they'll attempt to use them on several other well-known websites, including social media, banking, and online stores.
• Being cautious when clicking suspicious links
• Ensuring all software and browsers are always kept updated"
