An infostealer is malware that infiltrates computers or devices to steal data. Spread via phishing emails or malicious links, infostealers raid the victim’s computer for login credentials, financial details, or other personally identifiable information (PII). Cybercriminals can then sell the stolen information on criminal forums or use it directly for account takeover, theft, or fraud.
There are various types of infostealers, designed to steal different types of data.
Credential stealers
Credential stealers capture login information, such as usernames and passwords. They do this using methods including:
- Keylogging to record users’ login credentials as they type them.
- Form grabbing to intercept the data users submit in online forms, capturing it inside the browser before TLS encrypts it for transmission.
An example is AZORult, also known as PuffStealer and Ruzalto. First identified in 2016, AZORult can steal information including the victim’s browser history, cookies, saved login credentials, and cryptocurrency wallet data.
Session stealers
Session stealers hijack the victim’s active sessions to take control of their accounts and systems. This allows the attacker to impersonate the victim to steal information, commit fraud, or launch further attacks.
Session stealers effectively bypass multi-factor authentication: the stolen session was created after the victim completed MFA, so replaying it never triggers a second challenge. They obtain the user’s session identifier using methods such as:
- Cookie theft: Copying session cookies from the victim’s browser, either from the profile on disk or from the running process.
- Token hijacking: Stealing the authentication tokens (for example OAuth or bearer tokens) that allow the victim to access applications.
- Man-in-the-browser attacks: Injecting code into the browser to create or modify transactions without the user’s knowledge.
For example, Agent Tesla is a remote access trojan (RAT) sold as a subscription service. Targeting Microsoft Windows users, Agent Tesla can gather information including the victim’s keystrokes, browser history, and email or chat messages. It can also take screenshots.
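To make the MFA point concrete, here is an added toy example (not code from the original page or from any of the malware families it names) of a server-side session store. The names SessionStore, login, authorize and revoke_all, the user database and the client fingerprint scheme are all assumptions for illustration. It shows that a replayed cookie is accepted without any password or MFA check, and the two controls that actually stop the replay: binding the session to a client fingerprint, and revoking the user’s sessions once the infection is known.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 8 * 3600  # seconds a session stays valid before the user must re-authenticate

# Constructed user database. The password is hashed with plain SHA-256 only to keep
# the toy short; a real system would use a slow, salted KDF such as Argon2 or bcrypt.
USERS = {
    "alice": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}


class SessionStore:
    """Hypothetical in-memory stand-in for a web application's session table."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # session_id -> {"user", "fp", "expires"}

    def login(self, user, password, mfa_passed, client_fp):
        """Check password and MFA, then issue a session cookie bound to client_fp.

        client_fp stands for whatever the server can observe about the client
        (e.g. a hash of TLS parameters or User-Agent). Binding is a speed bump,
        not a guarantee: an attacker who also steals the fingerprint can spoof it.
        """
        stored = USERS.get(user)
        presented = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            return None
        if not mfa_passed:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": user,
            "fp": client_fp,
            "expires": self._now() + SESSION_TTL,
        }
        return session_id

    def authorize(self, session_id, client_fp):
        """Return the user for a presented cookie, or None if it is rejected.

        MFA is never re-checked here: whoever holds a valid session_id is treated
        as the user. Only expiry and the fingerprint binding can stop a replay.
        """
        s = self._sessions.get(session_id)
        if s is None:
            return None
        if self._now() >= s["expires"]:
            del self._sessions[session_id]
            return None
        if not hmac.compare_digest(s["fp"], client_fp):
            return None
        return s["user"]

    def revoke_all(self, user):
        """Kill every session for a user, e.g. when a stealer infection is confirmed."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def demo():
    """Walk through the replay attack and the two mitigations; returns the outcomes."""
    store = SessionStore()
    victim_fp = "victim-laptop"
    cookie = store.login("alice", "correct horse battery staple", True, victim_fp)

    # 1. The stealer exfiltrates the cookie; the attacker replays it while spoofing
    #    the victim's fingerprint. Password and MFA are never asked for again.
    replay_same_fp = store.authorize(cookie, victim_fp)
    # 2. The attacker replays from their own machine without spoofing the fingerprint.
    replay_other_fp = store.authorize(cookie, "attacker-box")
    # 3. Incident response revokes the user's sessions; the stolen cookie is now dead.
    revoked = store.revoke_all("alice")
    after_revoke = store.authorize(cookie, victim_fp)
    return {
        "replay_same_fp": replay_same_fp,
        "replay_other_fp": replay_other_fp,
        "revoked": revoked,
        "after_revoke": after_revoke,
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for responders: resetting a password after a stealer infection is not enough, because the sessions issued before the reset stay valid until they expire or are revoked. Revoke them explicitly, and keep session lifetimes short for sensitive applications.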
File stealers
File stealers take specific files from the victim’s system, such as documents or spreadsheets. They operate by:
- Directory walking: Enumerating user folders such as Desktop and Documents and collecting files that match chosen extensions or keywords.
- Cloud integration: Accessing and downloading files from the victim’s cloud storage services.
A more recent example is the Elusive infostealer, which lets the attacker steal photos from the victim’s device.
Clipboard stealers
Clipboard stealers allow the attacker to read or modify the data the victim copies to the clipboard. The ways they do this include:
- Continuous monitoring: Polling the clipboard in real time and logging everything that is copied.
- Trigger-based capture: Activating only when specific data types are copied, typically a cryptocurrency wallet address, which is then silently replaced with one controlled by the attacker.
Examples include TrickBot, designed to steal financial information such as the victim’s bank or credit card details, and CryptoShuffler, which watches the clipboard for wallet addresses and swaps them so that cryptocurrency transfers go to the attacker’s wallet instead of the intended recipient.
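The address-swapping behaviour is easy to detect from the user’s side if you record what was copied and compare it with what the clipboard later holds. The following is an added example (not code from the original page, nor from TrickBot or CryptoShuffler) of that check. The event stream is constructed; a real monitor would hook the operating system’s clipboard API rather than replay a list. The two Bitcoin addresses are the published BIP173 test vectors, the Ethereum address is made up, and the function names are assumptions.

```python
import re

# Address families a clipboard hijacker typically triggers on. The character classes
# are the real alphabets (Base58 for legacy Bitcoin, bech32 for SegWit, hex for
# Ethereum); the length bounds are approximate and no checksum is verified here.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the wallet address family of text, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_clipboard_swaps(events):
    """Flag clipboard contents that changed underneath the user.

    events is an ordered list of (source, content) tuples:
      ("user", text)  the user copied text (known from the originating application)
      ("poll", text)  what the clipboard actually held when the monitor sampled it
    A swap is reported when a polled value is a wallet address of the same family
    as the user's last copy but with a different value, which is exactly the
    pattern a trigger-based clipboard hijacker produces.
    """
    findings = []
    last_user_copy = None
    for source, content in events:
        if source == "user":
            last_user_copy = content.strip()
            continue
        if last_user_copy is None:
            continue
        expected = classify_address(last_user_copy)
        seen = classify_address(content)
        if expected is not None and seen == expected and content.strip() != last_user_copy:
            findings.append({
                "family": expected,
                "copied": last_user_copy,
                "clipboard": content.strip(),
            })
    return findings


# Constructed event stream for demonstration.
SAMPLE_EVENTS = [
    ("user", "meeting notes"),
    ("poll", "meeting notes"),
    # User copies a recipient address (BIP173 example vector)...
    ("user", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    # ...and by the time it is pasted, the hijacker has replaced it with another
    # valid-looking bech32 address (also a BIP173 example vector).
    ("poll", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    # A constructed Ethereum address that was left untouched.
    ("user", "0x1111111111111111111111111111111111111111"),
    ("poll", "0x1111111111111111111111111111111111111111"),
]


if __name__ == "__main__":
    for f in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"{f['family']}: copied {f['copied']} but clipboard holds {f['clipboard']}")
```

The same comparison is the manual habit worth teaching users: after pasting a wallet address, check the first and last few characters against the source before confirming the transfer. The swapped address in the sample shares only the bc1q prefix with the original, which is all a quick glance tends to check.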
How Cybercheck can protect your organization
The market for stolen information moves exceptionally fast. Cybercriminals work around the clock, and the credentials they steal are typically still active when they are sold. New infostealer malware emerges constantly and can often evade or disable anti-virus software and other security controls.
As the threat from infostealers grows, dark web monitoring can be vital to keeping your organization safe.
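Monitoring of this kind comes down to ingesting leaked stealer logs and matching them against the domains you care about. As an added example (not Cybercheck’s code or any vendor’s), here is a small triage script for the common plain-text record format in which stolen credentials circulate, with URL, USER and PASS lines separated by rows of equals signs. The sample log, the domains and the function names are all constructed for illustration, and passwords are parsed but deliberately never included in the output.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the "KEY: value" record style commonly seen in leaked
# stealer logs. Every account, domain and password here is invented.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
USER: alice@example-corp.com
PASS: Summer2024!
APPLICATION: Google Chrome
===============
URL: https://mail.personalmail.test/
USER: alice.personal
PASS: hunter2
===============
URL: https://vpn.example-corp.com/
USER: bob
PASS: P@ssw0rd
===============
URL: https://shop.unrelated.test/account
USER: carol@example-corp.com
PASS: carol123
===============
"""

# Accept the key spellings that different stealer families use for the same field.
KEY_RE = re.compile(
    r"^\s*(URL|USER(?:NAME)?|PASS(?:WORD)?|APPLICATION|SOFT)\s*:\s*(.*)$", re.I)
RECORD_SEP = re.compile(r"^\s*={3,}\s*$")


def parse_stealer_log(text):
    """Split a text dump into records of {url, user, pass, app}."""
    records, current = [], {}
    for line in text.splitlines():
        if RECORD_SEP.match(line) or not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        raw_key, value = m.group(1).upper(), m.group(2).strip()
        if raw_key.startswith("USER"):
            key = "user"
        elif raw_key.startswith("PASS"):
            key = "pass"
        elif raw_key in ("APPLICATION", "SOFT"):
            key = "app"
        else:
            key = "url"
        current[key] = value
    if current:
        records.append(current)
    return records


def _host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def affected_accounts(records, domains):
    """Return the records that touch a watched domain, with the reason for each hit.

    A record matters if the login URL is on a watched domain (a corporate system)
    or the username is an email address at a watched domain (an employee reusing
    their work identity elsewhere). Passwords are intentionally not returned.
    """
    domains = [d.lower() for d in domains]
    hits = []
    for r in records:
        url_host = urlsplit(r.get("url", "")).hostname or ""
        user = r.get("user", "")
        mail_domain = user.rsplit("@", 1)[1] if "@" in user else ""
        reasons = []
        if _host_matches(url_host, domains):
            reasons.append("login page on watched domain")
        if mail_domain and _host_matches(mail_domain, domains):
            reasons.append("corporate email used as username")
        if reasons:
            hits.append({"url": r.get("url"), "user": user, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in affected_accounts(parse_stealer_log(SAMPLE_LOG), ["example-corp.com"]):
        print(hit["user"], hit["url"], "; ".join(hit["reasons"]))
```

Each hit should drive the same response: force a password reset, revoke the account’s existing sessions and tokens (a reset alone leaves stolen session cookies valid), and treat the host the log came from as compromised, since the same infection will have collected whatever else was on it.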
At Cybercheck, we understand the evolving infostealer threat landscape. We provide comprehensive monitoring of malware-based information theft to alert you immediately if your data has been compromised.