Blogs & Opinions 10.04.2025

An Infostealer Epidemic Is Causing Global Chaos: Here’s How to Tackle It

Infostealers were behind some of the biggest breaches of 2024

Matt Ellison explains how infostealer malware is fueling the cybercrime economy, and how CISOs can respond

Last year in the US alone, more than 1.7 billion data breach notifications were sent out to victims. At least two-thirds of these, and probably more, can be traced back to infostealer malware. How do we know this? Because the bulk of that total comes from several “mega breaches” of corporate data held in one of the leading data lakes last year, and those breaches have been assessed to have been made possible by credentials harvested through infostealers.

This is just the latest, high-profile example of a worrying trend. Infostealers are feeding an insatiable cybercrime appetite for sensitive corporate data. Tackling this cyber-epidemic will require a renewed focus on people, process and technology.

What they are and how they work

Infostealer malware does what it says on the tin. Whether by keylogging, copying clipboard contents, or searching through file systems, browser profiles, password managers, crypto wallets and other data stores, it seeks out sensitive information: saved passwords, session cookies and tokens, documents and keys. Then it bundles the haul up and sends it to the digital thief’s command-and-control (C&C) server.

It is typically spread via phishing links or legitimate-looking file downloads, and social engineering plays a key role. The lure might be a too-good-to-be-true crypto offer pushed out via email or social media, a piece of cracked software or a pirated game, a fake meeting or video-conferencing client, or a link planted in a YouTube video description.

Threat actors may also use malicious ads (malvertising) and/or push their sites up the search rankings by SEO poisoning to get the malware in front of as many potential victims as possible. The idea is usually to provoke an emotional response so that the end user acts more impulsively than usual. Whatever technique is used, infostealers frequently get past AV checks: the victim has been persuaded to run the file themselves, so there is no exploit to catch, and the builds are packed and rebuilt often enough to slip past signature matching. The theft itself can be over and done in seconds, with the data collected and exfiltrated before anyone notices.

Fuelling the underground economy

At a time when hybrid working is widespread, this is a problem for companies, as users may be more willing to do something risky when logging on from home. The increasingly blurred lines between personal and corporate device use put work logins and data at greater risk: a stealer that lands on a personal laptop will happily scoop up the corporate credentials saved in the same browser. Most IT leaders are worried about employees letting others use work devices and downloading unapproved software.

To make matters worse, infostealers are increasingly accessible to cybercriminals on the dark web as pre-packaged malware-as-a-service offerings. This lowers the barrier to entry for the bad guys, and means that even when law enforcement manages to take down one malware-as-a-service operation, there are always more waiting in the wings. Once stolen, data is fed back into the same cybercrime economy: the haul from each infected machine is packaged as a “log” and traded on underground marketplaces. Some sellers even offer log-parsing services to help buyers extract credentials and cookies from raw logs, for use or resale.

What’s at risk? Once they have corporate credentials, threat actors can waltz past enterprise IT defences, masquerading as legitimate users. The end goal could be anything from corporate espionage to ransomware, and even geopolitically driven objectives. Often the infostealer is only the initial access gateway to something far more significant.

Time for action

The only way to tackle the infostealer threat is for organisations across the globe to improve baseline cybersecurity. This means going beyond traditional AV. Malware developers put extensive effort into having their tools pass as legitimate software, and use packing, obfuscation and frequent rebuilds to defeat the hash matching and static signatures that AV relies on. What’s more, actually getting hold of infostealer samples to analyse can be a challenge.

So where does that leave CISOs? First, they should block installs of non-approved software, and add ways to unpack and analyse downloads that do not depend on an AV verdict, such as YARA rules that match on the strings and structure a malware family shares rather than on the hash of one sample. Network detection tools can help here, by extracting and analysing infostealer files as they cross the wire and blocking visits to risky websites. Meanwhile, analysis of TLS/SSL metadata (certificate validity, server name, ports and connection patterns) can flag suspicious-looking outbound communications with possible C&C servers even though the payload itself is encrypted.
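One way to put that SSL/TLS analysis into practice is to score each outbound session on a handful of weak signals and then look for repeated contact with the same odd endpoint. The following is an added example written for this page, not code from the article or from Corelight. It runs over a few constructed records shaped like Zeek’s ssl.log in JSON mode; the field names (id.orig_h, id.resp_h, id.resp_p, server_name, validation_status, issuer, subject) are an assumption about the log source, and the port list and scoring threshold are illustrative choices to tune for your own estate.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records (not real traffic), one JSON object per line,
# shaped like Zeek's ssl.log in JSON mode. The field names are an assumption
# about the log source; adapt them if your sensor names them differently.
SAMPLE_SSL_LOG = """\
{"ts": 1712000000.1, "uid": "Cabc1", "id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.10", "id.resp_p": 443, "server_name": "www.example.com", "validation_status": "ok", "issuer": "CN=Example Root CA", "subject": "CN=www.example.com"}
{"ts": 1712000001.2, "uid": "Cabc2", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "server_name": "203.0.113.7", "validation_status": "self signed certificate", "issuer": "CN=localhost", "subject": "CN=localhost"}
{"ts": 1712000061.3, "uid": "Cabc3", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "server_name": "203.0.113.7", "validation_status": "self signed certificate", "issuer": "CN=localhost", "subject": "CN=localhost"}
{"ts": 1712000070.4, "uid": "Cabc4", "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.20", "id.resp_p": 8443, "validation_status": "unable to get local issuer certificate", "issuer": "CN=WIN-DESKTOP", "subject": "CN=WIN-DESKTOP"}
{"ts": 1712000080.5, "uid": "Cabc5", "id.orig_h": "10.0.0.9", "id.resp_h": "192.0.2.44", "id.resp_p": 443, "server_name": "mail.example.org", "validation_status": "ok", "issuer": "CN=Example Root CA", "subject": "CN=mail.example.org"}
"""

# Ports where TLS is expected in this example; anything else earns a point.
COMMON_TLS_PORTS = {443, 465, 563, 636, 853, 993, 995}


def is_ip_literal(name):
    """True if the SNI value is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def assess(rec):
    """Return the reasons a single TLS session looks C&C-like (empty if none).

    Each heuristic is weak on its own; the combination is what matters."""
    reasons = []
    status = rec.get("validation_status", "")
    if status and status != "ok":
        reasons.append(f"certificate failed validation: {status}")
    sni = rec.get("server_name")
    if not sni:
        reasons.append("no SNI sent")
    elif is_ip_literal(sni):
        reasons.append("SNI is an IP literal")
    if rec.get("issuer") and rec.get("issuer") == rec.get("subject"):
        reasons.append("certificate issuer equals subject (self-issued)")
    port = rec.get("id.resp_p")
    if port not in COMMON_TLS_PORTS:
        reasons.append(f"TLS on uncommon port {port}")
    return reasons


def analyze_ssl_log(text, min_score=2):
    """Score every record; keep those with at least min_score reasons, worst first."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = assess(rec)
        if len(reasons) >= min_score:
            findings.append({
                "uid": rec["uid"],
                "orig": rec["id.orig_h"],
                "dest": f"{rec['id.resp_h']}:{rec['id.resp_p']}",
                "score": len(reasons),
                "reasons": reasons,
            })
    # sorted() is stable, so sessions with equal scores keep their log order
    return sorted(findings, key=lambda f: -f["score"])


def repeat_destinations(findings, min_sessions=2):
    """(source host, destination) pairs seen repeatedly among the findings.

    Repeated sessions to the same odd endpoint are the beacon/exfil pattern
    that separates C&C from a one-off self-signed internal service."""
    counts = Counter((f["orig"], f["dest"]) for f in findings)
    return {pair: n for pair, n in counts.items() if n >= min_sessions}


if __name__ == "__main__":
    hits = analyze_ssl_log(SAMPLE_SSL_LOG)
    for h in hits:
        print(f"{h['uid']} {h['orig']} -> {h['dest']} score={h['score']}: {'; '.join(h['reasons'])}")
    for (src, dst), n in repeat_destinations(hits).items():
        print(f"repeat contact: {src} -> {dst} x{n}")
```

Each heuristic on its own is noisy: internal services with self-signed certificates and connections by IP address are everywhere. The value comes from the combination and from repetition over time, so baseline the rules against your own estate and join the hits to DNS, HTTP and connection logs (and TLS client fingerprints such as JA3/JA4 where available) before treating a destination as C&C.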

Next must come cyber-hygiene best practices, such as multi-factor authentication (MFA), which could have prevented more than 1.2 billion of those breach notifications last year. One caveat: infostealers also lift session cookies, which can let an attacker replay an already-authenticated session without ever seeing a password or MFA prompt, so pair MFA with short session lifetimes and the ability to revoke sessions. Then penetration testing, including phishing and social engineering exercises. In fact, the biggest single impact CISOs can make over and above security tools is user education, especially in hybrid working and BYOD environments. Ensuring users understand the threat and think carefully about what they are installing is essential.

Finally, take a Zero Trust stance by assuming compromise, and invest in services to scour the dark web for signs that data and credentials may have been stolen. Pair that monitoring with a playbook: when a hit comes back, reset the exposed credentials, revoke active sessions and check what the account has already been used for.

Not all of this will necessarily be easy. But by forcing threat actors to look for other ways to steal data, we might finally be able to subdue the infostealer marketplace. That alone would count as a major victory.

Matt Ellison is Technical Director, EMEA at Corelight. Prior to his current role, he was EMEA Channel Sales Engineer at Appgate. Ellison completed his education at The Open University.
