CTU researchers have discovered that infostealer malware remains widely available to buy through underground forums and marketplaces, with the volume of logs (collections of stolen data) for sale increasing by 669.69% between June 2021 and May 2023.
Secureworks researchers analysed the latest trends in the underground infostealer market and found:
- Recent forum takedowns are forcing criminals onto Telegram, but buyer beware as scammers fill the void: Following the shutdown of platforms such as RaidForums and Genesis, cybercriminals are being forced onto encrypted messaging services to keep the infostealer marketplace running. Like shady drug dealers, cybercriminals are now forced into using Telegram’s multi-platform messaging service to advertise their services and sell products. Popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer have shifted to dedicated Telegram channels. However, without the established mechanisms for escrow, reviews and reputation scores, buyers are at the mercy of scammers.
- State-sponsored groups are making use of infostealers: Because infostealers can discreetly exfiltrate sensitive data from targeted systems, state-sponsored groups are now using them to carry out cyberespionage operations. CTU analysis found that both Russian and Chinese sources were deploying infostealers to spy on political targets and influence military operations.
- Ransomware-linked infostealers are making use of Mastodon: CTU researchers observed the Vidar infostealer, which has been used to deploy ransomware, creating profiles on the social networking platform that publish C2 IP addresses for the malware to retrieve. This offers malicious actors a way to further deploy ransomware and steal system data such as machine IDs and other sensitive information. With many users switching to Mastodon following Elon Musk’s Twitter takeover, this could be increasing the number of targets for attack.
- Cybercriminals can now pre-order stolen credentials from Russian Market: CTU researchers uncovered that users of Russian Market can now pre-order credentials, with buyers depositing $1,000 USD into the site’s escrow system and requesting credentials based on a domain name (from a specific organization) or a ‘mask’ (from a specific application). This could be paving the way for specific targeting of organizations and sectors, rather than relying just on opportunistic attacks.
- Underground marketplaces remain the Mos Eisley Cantina for malware: Underground forums are still acting as a shared space for threat actors to discuss ongoing projects, request new features, and provide malware reviews. They also offer a marketplace to advertise new and existing stealers. The CTU found that forums such as Russian Market, 2easy, and Genesis Market (recently seized by the FBI) have provided a safe haven for cybercriminals and a dedicated marketplace for selling infostealers.