Infostealers playing important role in cybercrime system

Infostealer malware remains widely available.
According to the latest report from the Secureworks Counter Threat Unit, a thriving infostealer market is enabling the most damaging forms of cybercrime.

CTU researchers have found that infostealer malware remains widely available to buy through underground forums and marketplaces, with the volume of logs (collections of stolen data) for sale increasing by 669.69% between June 2021 and May 2023.

Secureworks researchers analysed the latest trends in the underground infostealer market, finding:

  • Recent forum takedowns are forcing criminals onto Telegram, but buyer beware as scammers fill the void: Following the shutdown of platforms such as RaidForums and Genesis, cyber criminals are being pushed into encrypted messaging services to keep the infostealer marketplace running. Like shady drug dealers, cybercriminals are now forced to use Telegram's multi-platform messaging service to advertise their services and sell products. Popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer have shifted to dedicated Telegram channels. However, without the established mechanisms for escrow, reviews and reputation scores, buyers are at the mercy of scammers.
  • State-sponsored groups are making use of infostealers: Because infostealers can discreetly exfiltrate sensitive data from targeted systems, state-sponsored groups are now using them to carry out cyberespionage operations. CTU analysis found that both Russian and Chinese sources were deploying infostealers to spy on political targets and influence military operations.
  • Ransomware infostealers are making use of Mastodon: CTU researchers observed the Vidar infostealer, which has been used to deploy ransomware, creating profiles on the networking platform to obtain and post C2 IP addresses. This offers malicious actors a way to further deploy ransomware and steal system data such as machine IDs and other sensitive data. With many users switching to Mastodon following Elon Musk's Twitter takeover, this could be increasing the number of targets for attack.
  • Cybercriminals can now pre-order stolen credentials from Russian Market: CTU researchers uncovered that users of Russian Market can now pre-order credentials, with buyers depositing $1,000 USD into the site’s escrow system and requesting credentials based on a domain name (from a specific organization) or a ‘mask’ (from a specific application). This could be paving the way for specific targeting of organizations and sectors, rather than relying just on opportunistic attacks.
  • Underground marketplaces remain the Mos Eisley Cantina for malware: Underground forums still act as a shared space for threat actors to discuss ongoing projects, request new features and provide malware reviews. They also offer a marketplace to advertise new and existing stealers. The CTU found that forums such as the Russian Market, 2easy and the Genesis Market (recently seized by the FBI) have provided a safe haven for cyber criminals and a dedicated marketplace to sell infostealers.
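The Vidar dead-drop behaviour described above (C2 addresses published in Mastodon profiles), as an added example that is not from the article or the Secureworks report: a small Python scanner that pulls IP:port tokens out of profile bios (the `note` field returned by Mastodon's public accounts API) and flags bios consisting of nothing but an address. The sample accounts are constructed, and the assumption that the address appears as a bare `ip:port` string in the bio is the author's, not something the article states.

```python
import ipaddress
import re
from html import unescape

# Mastodon's public account endpoint (/api/v1/accounts/:id) returns the
# profile bio as HTML in a "note" field. These records are constructed for
# this example; none of the addresses is a real indicator.
SAMPLE_ACCOUNTS = [
    {"username": "photo_cats", "note": "<p>I post pictures of cats.</p>"},
    {"username": "upd_srv_01", "note": "<p>198.51.100.23:443</p>"},
    {"username": "lab_net", "note": "<p>home box is at 10.0.0.5:8080</p>"},
    {"username": "release_bot", "note": "<p>v1.2.3.4 is out, mirror at 203.0.113.7:80</p>"},
]

TAG_RE = re.compile(r"<[^>]+>")
# Dotted quad with a mandatory port; the look-around stops version strings
# such as "v1.2.3.4" or longer digit runs from being taken as an address.
ADDR_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?![\w.])")

# Ranges a C2 server cannot sit in from the victim's point of view. The
# RFC 5737 documentation ranges are deliberately kept so the constructed
# sample can use them instead of real addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]


def extract_candidates(note_html):
    """Return (ip, port, standalone) tuples found in one profile bio."""
    text = unescape(TAG_RE.sub(" ", note_html)).strip()
    found = []
    for m in ADDR_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 passed the loose regex but is not an IP
        port = int(m.group(2))
        if not 1 <= port <= 65535 or any(ip in n for n in NON_ROUTABLE):
            continue
        # A bio that is nothing but an address is the strongest dead-drop signal.
        found.append((str(ip), port, text == m.group(0)))
    return found


def scan_accounts(accounts):
    """Map username -> candidate list for every account whose bio carries one."""
    return {a["username"]: c for a in accounts if (c := extract_candidates(a["note"]))}


if __name__ == "__main__":
    for user, cands in scan_accounts(SAMPLE_ACCOUNTS).items():
        for ip, port, alone in cands:
            print(f"{user}: {ip}:{port}" + (" (bio is only this address)" if alone else ""))
```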
