Author: Eric Clay
Breached identities facilitated by infostealer malware represent one of the most significant threats to corporate information security programs in 2024. The first half of this article will deal with “what is an infostealer,” so if you are already familiar with infostealers, feel free to skip directly to the following section.
Infostealer malware is a class of malware, often bundled with or delivered by remote access trojans (RATs), that infects a user’s machine and exfiltrates:
- Credentials saved in any browsers found on the computer
- Session cookies
- Browser history
- Crypto wallet data
- Screenshot of the victim’s screen
- Host data (hostname, operating system, installed software, public IP address)
There are dozens of dedicated infostealer families, and many other malware variants that include some info-stealing capability. Once a user has been infected, all of this data is packaged up and sent to command and control (C2) infrastructure, where threat actors typically go first for the access that is easiest to monetize: bank accounts with active session cookies and crypto wallets.
In many cases, the threat actors launching infections are not the ones actively utilizing credentials and other stolen data, but instead monetize breached identities by distributing them on Telegram channels. Actors will operate a public Telegram channel that is free and open to all users where they distribute older logs as a “sample” of the value they can provide. They then sell access to private channels for $200 to $500 per month where fresher logs are provided.
How Infections Happen
Reviewing infostealer screenshots provides enormous insight into where users are getting infected. A large proportion of infections come from users downloading cracked software, but many infections also occur as a result of malicious advertising (malvertising), fake “Windows update” scams, and “free gift card” scams.
[Screenshot: “Free gift card” scam]
One extremely common source of infections comes from “repackaged games,” which are compressed versions of video games that have been altered to reduce their file size without affecting the game’s core content or functionality. The process typically involves compressing the game’s files, removing non-essential components (like certain languages, high-definition videos, or unnecessary files), and sometimes integrating updates or DLCs directly into the game. Repackers can add malicious packages, such as infostealers, during this process.
Victims are often prompted to disable antivirus software after downloading an infected package, although many infostealer variants can also bypass certain antivirus features outright. The accompanying screenshot comes from a real victim machine and shows the malware instructing the user to disable antivirus in order to complete the installation. Victims tend to comply because cracked software routinely triggers antivirus alerts, so the warning reads as expected rather than suspicious.
[Screenshot: prompt to disable antivirus]
Unlike many other kinds of malware, infostealers don’t require local administrative privileges: browser password stores, cookie databases, and wallet files all live in the user’s own profile and are readable by the logged-in account, so there is no elevation prompt to refuse and no privilege escalation to fail. This makes them particularly pernicious, since even fewer actions from the user are needed for a successful infection.
Threat Actors’ Use of Infostealers
Most threat actors are not targeting corporations but are instead looking to make an easy few dollars by breaking into bank accounts, stealing from crypto wallets, or ordering from compromised Amazon or other e-commerce accounts. Because almost all infostealers specifically target session cookies, threat actors can often bypass MFA: a stolen cookie replayed in a fresh browser inherits the already-authenticated session, and the longer the cookie’s TTL, the longer that window stays open. This is an additional value proposition compared to traditional password dumps.
[Figure: an infostealer log structure]
In many cases, threat actors also value commonly found credentials to monthly paid applications that can be utilized without the victim noticing, such as Netflix, NordVPN, Hulu, Steam, and other streaming, VPN, or gaming applications. In some cases, we’ve actually seen infostealer backends specifically call out these “high value” credentials in order to make it easier for threat actors to identify easy opportunities for account takeover.
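To make the log structure and the session-cookie point concrete, here is an added example (not Flare’s code, and not a real log). It parses a constructed log in the layout many stealer families use, a Passwords.txt of URL/USER/PASS triples plus a Netscape-format cookies file, then lists the subscription logins a buyer could use quietly and the session cookies that are still live. The file layout, the service table, and the fixed reference date are assumptions for illustration.

```python
"""Added example: parse a constructed stealer log and triage it the way a
buyer of logs would, finding resellable subscription logins and live sessions."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample (assumption: the URL/USER/PASS block layout and the
# Netscape cookies.txt layout used by many stealer families).
PASSWORDS_TXT = """\
URL: https://www.netflix.com/login
USER: alice@example.com
PASS: N3tfl1x!

URL: https://nordvpn.com/login/
USER: alice@example.com
PASS: Spring2024

URL: https://store.steampowered.com/login/
USER: alice_gamer
PASS: hunter2
"""

COOKIES_TXT = """\
# Netscape HTTP Cookie File
.netflix.com\tTRUE\t/\tTRUE\t1767225600\tNetflixId\tv%3D2%26ct%3Dconstructed
.nordvpn.com\tTRUE\t/\tTRUE\t1704100000\tsession\tconstructed-expired
store.steampowered.com\tFALSE\t/\tTRUE\t1780000000\tsteamLoginSecure\tconstructed
"""

# Services the article names as commonly resold because the victim rarely notices.
HIGH_VALUE = {
    "netflix.com": "streaming",
    "hulu.com": "streaming",
    "nordvpn.com": "vpn",
    "steampowered.com": "gaming",
}

# Fixed clock so the run is repeatable (assumption: 2024-06-01 UTC).
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_passwords(text):
    """Return one dict per blank-line-separated URL/USER/PASS block."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # sentinel flushes the last block
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        current[key.strip().lower()] = value.strip()
    for rec in records:
        rec["host"] = urlparse(rec.get("url", "")).hostname or ""
    return records


def parse_cookies(text):
    """Parse Netscape cookies.txt: domain, flag, path, secure, expiry, name, value."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#HttpOnly_"):  # Chrome export marks HttpOnly cookies this way
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _, path, secure, expires, name, value = parts
        cookies.append({
            "domain": domain.lstrip("."),
            "path": path,
            "secure": secure == "TRUE",
            "expires": datetime.fromtimestamp(int(expires), tz=timezone.utc),
            "name": name,
            "value": value,
        })
    return cookies


def service_of(host):
    """Map a host to a (domain, category) pair from HIGH_VALUE, or None."""
    for domain, category in HIGH_VALUE.items():
        if host == domain or host.endswith("." + domain):
            return domain, category
    return None


def resellable_credentials(records):
    """Saved logins for subscription services a buyer could use without detection."""
    hits = []
    for rec in records:
        match = service_of(rec["host"])
        if match:
            hits.append({"service": match[0], "category": match[1], "user": rec.get("user", "")})
    return hits


def live_sessions(cookies, now, min_days=7):
    """Cookies still valid for at least min_days: replaying one into a fresh
    browser inherits the session, so the password and MFA are never challenged."""
    live = []
    for c in cookies:
        remaining = c["expires"] - now
        if remaining >= timedelta(days=min_days):
            live.append((c["domain"], c["name"], remaining.days))
    return live


if __name__ == "__main__":
    for hit in resellable_credentials(parse_passwords(PASSWORDS_TXT)):
        print("credential:", hit)
    for domain, name, days in live_sessions(parse_cookies(COOKIES_TXT), REFERENCE_NOW):
        print(f"live session: {domain} cookie {name}, {days} days left")
```

The expired NordVPN cookie is dropped, while the Netflix and Steam cookies are reported with their remaining lifetime; a defender running the same logic over a recovered log knows which sessions to revoke first.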
Infostealers and Corporate Access
Just because the main and most common infostealer use-case is around personal credentials doesn’t mean that threat actors don’t also work to identify valuable corporate credentials. We’ve seen specific instances of initial access brokers (a specific type of threat actor that compromises companies and then sells the access to other threat actors) buying hundreds of thousands of stealer logs in order to identify corporate access credentials.
To conduct this research, we identified 50 recent companies that had suffered a data breach from publicly available information (we are not publishing the list to avoid naming and shaming). We then searched Flare’s stealer log database to identify two specific data points:
- Percentage of companies with corporate credentials leaked: These were organizations that had at least one corporate email (@companyname.com) found in a stealer log at any point since Flare began collecting.
- Percentage of companies with corporate credentials leaked within six months of a breach: This was the percentage of organizations that had a stealer log detected within 6 months before or after a breach (so a one-year total period).
Overall, we found that:
- 90% (45/50) of breached companies had corporate credentials leaked in a stealer log at some point.
- 78% (39/50) of breached companies had corporate credentials leaked in a stealer log within 6 months before or after the breach.
Next, we wanted to understand how this compares to similar companies that did not suffer a breach. To do this, we manually picked 50 “sister companies” that resemble the breached companies in headcount, revenue, and industry.
We took our control set of “sister companies” and evaluated them against the same metrics. Since these companies did not have a reported breach, we instead evaluated whether they had seen a stealer log compromise in the past year.
- 76% (38/50) of sister companies (organizations that weren’t breached) had a corporate stealer log compromise at some point.
- 68% (34/50) of sister companies that had not suffered a breach had a stealer log with compromised employee credentials in the past 12 months.
These numbers are exceptionally high. Across the full data set of 100 companies, 83% of those surveyed, spanning all sizes and industries and including companies with and without a reported breach, had corporate credentials found in a stealer log. Notably, this is considerably higher than research conducted last year, which found that 19.6% of healthcare organizations had corporate credentials stolen through infostealer malware.
When looking at compromised corporate credentials, we were specifically searching for compromised email accounts within the log. As a result, we excluded institutions of higher education and some telecom providers where it’s common for consumers to use the organization’s domain as an email address. In the corporate logs we reviewed, we identified numerous high-criticality credentials, including:
- login.microsoft.com
- companyname.slack.com
- companyname.okta.com
- sso.companyname.com
- adfs.companyname.com
In many cases a single user had access to more than a dozen corporate credentials spanning SaaS applications, internal technology systems, and other mission critical corporate information technologies.
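As an added example (not the study’s own tooling, and run on constructed records rather than Flare’s database), the following reproduces the two measurements defined above on a handful of made-up companies and log entries: it flags credentials whose login e-mail is on a company domain, skips domains where consumers use the organization’s mail domain, labels the high-criticality hosts listed above, counts how many corporate systems one user’s saved logins reach, and computes the “ever” and “within six months of the breach” percentages plus the “past twelve months” control metric. The 183-day and 365-day windows are assumptions standing in for “six months” and “a year”.

```python
"""Added example: identify corporate credentials in constructed stealer-log
records and reproduce the study's metrics on a toy population."""
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Constructed records: one row per saved credential found in a stealer log.
ENTRIES = [
    {"email": "alice.smith@acme-corp.com", "url": "https://login.microsoft.com/", "seen": date(2024, 1, 10)},
    {"email": "alice.smith@acme-corp.com", "url": "https://acme-corp.okta.com/", "seen": date(2024, 1, 10)},
    {"email": "bob@globex.com", "url": "https://sso.globex.com/login", "seen": date(2022, 6, 1)},
    {"email": "carol@state-univ.edu", "url": "https://www.netflix.com/login", "seen": date(2024, 2, 2)},
    {"email": "dave@gmail.com", "url": "https://www.netflix.com/login", "seen": date(2024, 2, 3)},
    {"email": "eve@umbrella.example", "url": "https://adfs.umbrella.example/", "seen": date(2024, 4, 1)},
]

# Constructed study population; breach_date is None for the unbreached control set.
COMPANIES = [
    {"domain": "acme-corp.com", "breach_date": date(2024, 3, 1)},
    {"domain": "globex.com", "breach_date": date(2023, 11, 15)},
    {"domain": "initech.com", "breach_date": date(2024, 1, 20)},
    {"domain": "state-univ.edu", "breach_date": date(2024, 2, 20)},
    {"domain": "umbrella.example", "breach_date": None},
]

STUDY_DATE = date(2024, 6, 1)  # assumption: the "as of" date for the 12-month control metric


def consumer_style_domain(domain):
    """Domains where consumers get mailboxes on the organization's domain
    (universities, some telecoms); the study excluded these."""
    return domain.lower().endswith(".edu")  # extend with ISP/telecom domains as needed


def corporate_host_label(host):
    """Label the high-criticality corporate hosts the article lists, else None."""
    host = host.lower()
    if host == "login.microsoft.com":
        return "Microsoft login"
    for suffix, label in ((".slack.com", "Slack"), (".okta.com", "Okta")):
        if host.endswith(suffix):
            return label
    for prefix, label in (("sso.", "SSO portal"), ("adfs.", "ADFS")):
        if host.startswith(prefix):
            return label
    return None


def corporate_credentials(entries, domain):
    """Entries whose login e-mail belongs to the company's mail domain."""
    at_domain = "@" + domain.lower()
    return [e for e in entries if e["email"].lower().endswith(at_domain)]


def per_user_corporate_access(entries, domain):
    """Distinct corporate systems each user's saved logins reach."""
    systems = defaultdict(set)
    for e in corporate_credentials(entries, domain):
        label = corporate_host_label(urlparse(e["url"]).hostname or "")
        if label:
            systems[e["email"].lower()].add(label)
    return {user: sorted(s) for user, s in systems.items()}


def pct(numerator, denominator):
    return None if denominator == 0 else round(100 * numerator / denominator)


def study_metrics(companies, entries, as_of, window_days=183, recent_days=365):
    """Share of companies with any corporate credential in a log, share of
    breached companies with one within +-window_days of the breach, and share
    of control companies with one in the last recent_days before as_of."""
    eligible = [c for c in companies if not consumer_style_domain(c["domain"])]
    breached = [c for c in eligible if c["breach_date"]]
    control = [c for c in eligible if not c["breach_date"]]
    ever = sum(1 for c in eligible if corporate_credentials(entries, c["domain"]))
    in_window = sum(
        1 for c in breached
        if any(abs((e["seen"] - c["breach_date"]).days) <= window_days
               for e in corporate_credentials(entries, c["domain"])))
    recent = sum(
        1 for c in control
        if any(0 <= (as_of - e["seen"]).days <= recent_days
               for e in corporate_credentials(entries, c["domain"])))
    return {
        "eligible": len(eligible),
        "ever_pct": pct(ever, len(eligible)),
        "breach_window_pct": pct(in_window, len(breached)),
        "control_recent_pct": pct(recent, len(control)),
    }


if __name__ == "__main__":
    print(per_user_corporate_access(ENTRIES, "acme-corp.com"))
    print(study_metrics(COMPANIES, ENTRIES, STUDY_DATE))
```

On the toy data the university domain is excluded, the Globex credential counts as “ever” but falls outside the breach window, and the single Acme user already reaches two corporate identity systems, which is the pattern the paragraph above describes.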
Infostealers: An Increasing Risk
As previously discussed, threat actors are not launching mass infostealer attacks specifically to gather corporate credentials. Instead, the theft of corporate credentials can be seen as a useful and valuable byproduct of the influx of normal consumer credentials. However, there is extensive evidence that ransomware groups, initial access brokers, and other actors are combing through infostealers to identify corporate access.
If the rise of infostealer malware were taken as a singular event, it would likely be considered the largest breach in history. While other breaches have contained more individual records, such as the Equifax breach, which contained an estimated 147 million records including Social Security numbers, names, and addresses, infostealers contain far more than just that. Stealer logs can include all of that, as well as browser history, saved credentials, and many personal details about an individual. We process on average 500,000 unique stealer logs per week, and each log has thousands to hundreds of thousands of unique data points about a single individual or family.
Recommendations
We recommend that organizations immediately begin monitoring for infostealer malware infections to identify if corporate credentials have been compromised in an infostealer infection. Additionally we recommend:
- Restricting download privileges: Limit the ability to download and install software to a select group of users. Implement application allowlisting (whitelisting) so that unauthorized software, which is often the source of an infostealer infection, cannot run.
- Don’t share your corporate computer: Many infections happen as a result of sharing work computers with children and spouses.
- Don’t access illegal content: Stolen and “repackaged” applications such as cracked Adobe products, games, and other pirated software are where a plurality of infections happen.
- Disabling macros by default: Ensure that macros are disabled by default in all Office applications, as infostealers can be delivered through malicious documents. Educate users on the dangers of enabling macros from untrusted sources.
- Regularly updating and patching software: Keep all software, including browsers and plugins, up to date with the latest patches.
- Monitoring Browser Extensions: Restrict the installation of browser extensions, which can be used to deliver infostealers. Regularly audit installed extensions and remove any that are not approved or necessary for business operations.
Stealer Logs and Flare
The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.