Infostealers play an important role in the cybercrime system

Infostealer malware remains widely available.
According to the latest report from the Secureworks Counter Threat Unit, a thriving infostealer market is enabling the most damaging forms of cybercrime.

CTU researchers have found that infostealer malware remains widely available to buy through underground forums and marketplaces, with the volume of logs (collections of stolen data) for sale increasing by 669.69% between June 2021 and May 2023.

Secureworks researchers analysed the latest trends in the underground infostealer market, finding:

  • Recent forum takedowns are forcing criminals onto Telegram, but buyer beware as scammers fill the void: Following the shutdown of platforms such as RaidForums and Genesis, cybercriminals are being forced into encrypted messaging services to keep the infostealer marketplace running. Like shady drug dealers, cybercriminals are now forced into using Telegram's multi-platform messaging service to advertise their services and sell products. Popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer have shifted to dedicated Telegram channels. However, without the established mechanisms for escrow, reviews and reputation scores, buyers are at the mercy of scammers.
  • State-sponsored groups are making use of infostealers: Because infostealers can discreetly exfiltrate sensitive data from targeted systems, state-sponsored groups are now using them to carry out cyberespionage operations. CTU analysis found that both Russian and Chinese sources were deploying infostealers to spy on political targets and influence military operations.
  • Ransomware infostealers are making use of Mastodon: CTU researchers observed the Vidar infostealer, which has been used to deploy ransomware, creating profiles on the networking platform to obtain and post C2 IP addresses. This gives malicious actors a way to deploy ransomware further and to steal system data such as machine IDs and other sensitive data. With many users switching to Mastodon following Elon Musk's Twitter takeover, this could be increasing the number of targets for attack.
  • Cybercriminals can now pre-order stolen credentials from Russian Market: CTU researchers uncovered that users of Russian Market can now pre-order credentials, with buyers depositing $1,000 USD into the site's escrow system and requesting credentials based on a domain name (from a specific organization) or a 'mask' (from a specific application). This could be paving the way for specific targeting of organizations and sectors, rather than relying just on opportunistic attacks.
  • Underground marketplaces remain the Mos Eisley Cantina for malware: Underground forums are still acting as a shared space for threat actors to discuss ongoing projects, request new features, and provide malware reviews. They also offer a marketplace to advertise new and existing stealers. The CTU uncovered that forums such as Russian Market, 2easy, and Genesis Market (recently seized by the FBI) have provided a safe haven for cybercriminals and a dedicated marketplace to sell infostealers.
