Infostealers are, first and foremost, malware. They can be small stand-alone programs or components of more complex malware. Their sole purpose is collecting "interesting" data - as inconspicuously as possible. Infostealers come in various forms. The best-known form is a small file installed somewhere on the PC. Another example is the browser plugin, which is likewise capable of collecting certain data.
Why are Infostealers so dangerous?
They are so dangerous because they are relatively inconspicuous. Compared to many types of malware, Infostealers are small and unobtrusive. They don't have a wide range of complex functions. They can often be integrated into existing programs through supply chain attacks or other means. This makes finding and detecting Infostealers difficult. Not uncommonly, Infostealers remain undiscovered for months or years, constantly and usually very diligently collecting data.
How Infostealers work
Most Infostealers work very similarly. They share a few basic functions:
- Keylogger functionality: they are able to record everything that is typed on the keyboard.
- Screenshot functionality: they are able to take screenshots - usually when certain activity is detected.
- Database functionality: various software stores valuable information in databases, often SQLite. Infostealers are able to find and copy these databases.
- Email access: they are able to copy individual emails or entire mailboxes.
- Data exfiltration: when interesting data is found, it is transmitted to the attacker - often over encrypted channels. Additional rules and creativity on the developers' part ensure that the transmission is not easily noticed by the user.
What data do Infostealers collect?
Specialized Infostealers often collect very specific data - such as Excel spreadsheets or Word documents. The context here is often industrial espionage. Credit card information, or generally anything related to finances (logins, transaction details, TANs, ...), is also a popular target.
Thanks to their keylogger and database functionality, most Infostealers can filter out login credentials for specific services. Extracting sessions and cookies is also a popular method for accessing accounts later on. Usually, entire browser databases are sent to the attackers.
Rare but well known are Infostealers that specialize in collecting compromising photos and videos. The background here is often some form of blackmail.
How do Infostealers spread?
The developers of such malware are often very creative and use, for example, Malware as a Service/Cybercrime as a Service to distribute their small software packages to victims. Here, the Infostealer is downloaded, for example, because the victim is already infected with some other malware. Automated and large-scale phishing attacks that get users to install a specific program are also common. Less common are supply chain attacks where the Infostealer is built into existing software - but they do occur. In the end, it's possible that you install known and supposedly trustworthy software and receive an Infostealer along with it. This explains the high prevalence of Infostealers.
What happens to the stolen data?
It depends on what kind of data was stolen. Usually, the data is processed and/or viewed somewhere and then exploited accordingly. Such data can often be found and bought on the Darknet. When it comes to browser logs and session data, you don't even need the Darknet nowadays: Telegram is a good source for this data, sometimes for free. The GitHub repository deepdarkCTI provides a broad overview of how to obtain such data. The title of this repository is "Collection of Cyber Threat Intelligence sources from the Deep and Dark Web" - you can find more information there. In the case of logs, for example, you only need to subscribe to certain Telegram channels. There you are either asked to buy data or sometimes get it for free. In the latter case, it is usually different data - such as raw data. This means that you usually still need to process this data yourself.
In the context of ethical hacking, penetration tests and bug bounty hunting (as far as the scope allows), such data is purchased for legitimate purposes. The appropriate term here is Threat Intelligence. The aim is to see this data before black hats do and thus warn the affected parties.
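The processing step mentioned above, as an added example that is not part of the original article: raw stealer logs are parsed, the hosts are matched against an organization's own domains so the affected users can be warned, and password reuse across services is flagged for reset priority. The "URL/USER/PASS" layout, the sample records and the monitored domain are all constructed for this example; real dumps vary by stealer family.

```python
import re
import hashlib
from collections import defaultdict

# Constructed sample of a raw stealer log. The URL/USER/PASS block layout
# is an assumption for this example; real dumps differ between families.
SAMPLE_LOG = """\
URL: https://mail.example-corp.com/login
USER: j.doe@example-corp.com
PASS: Winter2024!

URL: https://shop.example.net/account
USER: jdoe_private
PASS: hunter2

URL: https://vpn.example-corp.com/
USER: example-corp\\jdoe
PASS: Winter2024!
"""

# Domains the defender is responsible for (constructed).
MONITORED_DOMAINS = {"example-corp.com"}

RECORD_RE = re.compile(
    r"URL:\s*(?P<url>\S+)\s*\nUSER:\s*(?P<user>.+?)\s*\nPASS:\s*(?P<password>.+?)\s*(?:\n|$)"
)

def parse_records(text):
    """Return (url, user, password_fingerprint) tuples. The clear-text password is
    never retained; a truncated SHA-256 is enough to spot reuse across services."""
    records = []
    for m in RECORD_RE.finditer(text):
        fp = hashlib.sha256(m.group("password").encode()).hexdigest()[:12]
        records.append((m.group("url"), m.group("user").strip(), fp))
    return records

def host_of(url):
    """Strip the scheme and path so only the host name remains."""
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].lower()

def affected(records, domains):
    """Records whose host is a monitored domain or a subdomain of one."""
    hits = []
    for url, user, fp in records:
        host = host_of(url)
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((host, user, fp))
    return hits

def reused_passwords(records):
    """Fingerprints seen on more than one host: these accounts get reset first."""
    by_fp = defaultdict(set)
    for url, _, fp in records:
        by_fp[fp].add(host_of(url))
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}
```

Only hosts, user names and fingerprints leave the parser, so the output can be handed to the affected parties without spreading the clear-text credentials further.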
How can you protect yourself from Infostealers?
Be skeptical. You should question every email, every message, every program you receive or are supposed to install. This is easier written than implemented in reality - especially for laypeople. Phishing exercises are certainly a good start to understand the topic of phishing and develop a certain sense for it. Companies should have software solutions that can prevent Infostealers from being installed (this is also easier said than done). Antivirus software is mandatory. Good network segmentation and sensibly configured firewalls can often prevent data from being exfiltrated. And as always: keep systems up to date, keep programs up to date!
Even if it's not very practical, using a separate notebook for sensitive data and logins is worthwhile - especially for private individuals. This notebook should not have any email traffic, no software should be installed - except for a browser, an antivirus program, and ideally a proper password manager. We are aware that something like this is difficult to implement in practice - especially in companies - but it is a good approach to protect against Infostealers.