In today’s digital age, information is power. As organizations increasingly rely on digital data, the incentive for cybercriminals to steal that data grows. One of the primary tools in their arsenal is infostealer malware.
This article delves into what infostealer malware is, its role in cyber-attacks, the motivations behind its use, and how organizations can shield themselves from it.
Infostealer in Cyber Attacks
Infostealer malware most often reaches a victim in a cyber-attack by exploiting vulnerabilities in popular software applications or by tricking the victim into clicking a malicious link or opening an infected attachment. Once installed on the victim’s computer, the infostealer runs in the background and collects sensitive data without the victim’s knowledge.
Infostealers play a pivotal role in cyber attacks. Once a system is compromised, the malware scours the system for valuable information. This can include:
- Passwords saved in web browsers.
- Financial data like credit card numbers.
- Personal identification information (PII) such as social security numbers.
- Business-related data like client lists, proprietary software, or trade secrets.
Infostealer logs typically contain the following:
- Usernames and passwords.
- Browsing history and cookies.
- System information like IP addresses and OS details.
- Personal data such as credit card numbers or social security numbers.
- Email contents and contacts.
Infostealers have been at the heart of numerous cyber-attacks for a long time.
In 2013, Target was hacked, and over 40 million credit card numbers and 70 million customer addresses were stolen. The attackers used a phishing attack to gain access to Target’s network and then used infostealer malware to steal customer data.
In 2018, Marriott was hacked, and over 500 million customer records were stolen. The attackers used a malicious attachment in an email to gain access to Marriott’s network and then used infostealer malware to steal customer data.
In 2020, SolarWinds was hacked, and attackers were able to insert malicious code into SolarWinds’ Orion software. This code was distributed to SolarWinds’ customers, including several US government agencies. The attackers used infostealer malware to steal sensitive data from the victims’ networks.
Today, infostealers remain a popular attack method.
Why Do Threat Actors Use Infostealers?
The allure of infostealers lies in their ability to provide:
- Monetary Gain: Stolen data, especially financial or personal, can be sold on the dark web.
- Espionage: Infostealers can gather intelligence for nation-states or rival businesses.
- Leverage for Further Attacks: Stolen data can facilitate more targeted and sophisticated attacks.
- Credential Stuffing: With stolen usernames and passwords, attackers can attempt to breach other accounts, banking on the fact that many people reuse passwords across multiple platforms.
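The list of what an infostealer log typically contains (usernames and passwords, cookies, system details) and the credential-stuffing point above describe the two things a defender most wants to extract from a recovered log: which of the organization’s accounts are exposed and must be reset, and which users reuse one password across several services. The script below is an added example, not code from the original article; it parses a constructed sample in the common `URL:USER:PASS` line shape that many stealer dumps use, flags records that touch a corporate host or a corporate e-mail address (the domain `example-corp.com` and every sample credential are made up), and reports password reuse per user without ever printing the passwords themselves.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in URL:USER:PASS form. Every host, account and
# password here is made up for this example.
SAMPLE_LOG = """\
https://mail.example-corp.com/owa:alice@example-corp.com:Winter2023!
https://shop.example-store.net/login:alice@example-corp.com:Winter2023!
https://vpn.example-corp.com/:bob:Summer2023
https://social.example-network.org/login:carol@gmail.com:hunter2
https://portal.example-corp.com/:dave@example-corp.com:Winter2023!
garbage line without separators
"""

# Hypothetical corporate domain used to decide what is "ours".
CORP_DOMAINS = {"example-corp.com"}


def parse_stealer_lines(text):
    """Parse URL:USER:PASS lines into dicts, skipping lines that do not fit.

    The URL itself contains ':' (scheme, optional port), so the line is split
    from the right: the last field is the password, the one before it the
    username, and whatever remains is the URL. A password containing ':'
    would be mis-split; that is the known limitation of this line format.
    """
    records = []
    for line in text.splitlines():
        parts = line.rsplit(":", 2)
        if len(parts) != 3:
            continue
        url, user, password = (p.strip() for p in parts)
        host = (urlsplit(url).hostname or "").lower()
        records.append({"url": url, "host": host, "user": user, "password": password})
    return records


def email_domain(user):
    """Domain part of an e-mail style username, or '' for bare usernames."""
    return user.rsplit("@", 1)[1].lower() if "@" in user else ""


def in_corp_scope(record, corp_domains):
    """True if the service host is corporate or the username is a corporate address."""
    host = record["host"]
    if any(host == d or host.endswith("." + d) for d in corp_domains):
        return True
    return email_domain(record["user"]) in corp_domains


def triage(text, corp_domains):
    """Summarise a stealer log for incident response.

    Returns the number of parsed records, the exposed (user, host, url)
    triples that concern the organization, a deduplicated reset list of
    (user, host) pairs, and a map of users who reuse one password on
    several hosts, which is the condition credential stuffing exploits.
    Plaintext passwords are used only for the reuse comparison and are not
    included in the returned structure.
    """
    records = parse_stealer_lines(text)
    exposed = [(r["user"], r["host"], r["url"])
               for r in records if in_corp_scope(r, corp_domains)]
    reset = sorted({(user, host) for user, host, _ in exposed})

    hosts_by_credential = defaultdict(set)
    for r in records:
        hosts_by_credential[(r["user"], r["password"])].add(r["host"])
    reused = {user: sorted(hosts)
              for (user, _pw), hosts in hosts_by_credential.items() if len(hosts) > 1}

    return {"parsed": len(records), "exposed": exposed, "reset": reset, "reused": reused}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, CORP_DOMAINS)
    print(f"parsed {summary['parsed']} records, {len(summary['exposed'])} in corporate scope")
    for user, host in summary["reset"]:
        print(f"reset: {user} @ {host}")
    for user, hosts in summary["reused"].items():
        print(f"password reuse: {user} on {', '.join(hosts)}")
```

On the sample, four of the five parsable records fall in scope (the Gmail account on a third-party site does not), and `alice@example-corp.com` is reported for reusing one password on both the corporate mail host and an unrelated shop, which is the case to prioritise: the shop credential alone would let an attacker try the corporate mailbox. The same triage applies to session cookies in a stealer log, where the remediation is to revoke sessions rather than reset passwords.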
Some of the best-known threat actors that use infostealer malware include:
- APT27 is a Chinese state-sponsored threat actor linked to several high-profile cyber attacks, including the 2013 Target breach.
- Nobelium is a Russian state-sponsored threat actor that has been linked to the 2020 SolarWinds hack.
- Lazarus Group is a North Korean state-sponsored threat actor linked to several cyber attacks, including the 2018 Marriott breach.
- APT28 (Fancy Bear) is a Russian hacking group that has been linked to various cyber espionage campaigns, often deploying infostealers.