The explosive growth of infostealer malware has been a major trend of the past four years. What is an infostealer? Once it infects a computer, it can steal information stored in the browser, such as saved passwords, form fill data, and session cookies, and exfiltrate that data to dedicated C2 infrastructure.
Infostealers infect devices and steal the information stored in the browser, such as saved passwords. The resulting stealer log is the file containing this stolen sensitive information, and threat actors sell these logs in dark web markets and prominent threat actor communities. Stealer logs are already a concerning external risk on their own, but they can also contain credentials that grant access to corporate IT environments, which security teams must prevent and remediate.
In our research on stealer logs, we’ve found that about 3-10% of stealer logs contain credentials to corporate SaaS applications.
Threat actors have various ways of exploiting stealer logs, and monitoring for them is an essential part of boosting your organization’s cybersecurity posture.
How Flare Addresses the Threat of Stealer Logs
How does Flare monitor for stealer logs?
Looking through illicit sources manually can be incredibly difficult, and searching for stealer logs relevant to your organization makes that search even more challenging.
Flare’s Threat Exposure Management (TEM) solution automatically monitors the clear & dark web to deliver prioritized actionable intelligence on external threats, including stealer logs.
We are tracking more than 65 million stealer logs with over 1.3 million new stealer logs per week.
To learn more about stealer logs and corporate access, read the report on Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime.
Stealer Log Landscape: Brief Overview
What are stealer logs?
Stealer logs are files created by infostealer malware that record sensitive information from a victim’s computer. This malware is designed to stealthily infiltrate a user’s system and log various types of personal and confidential data. The “logs” in this context refer to the records of the data that the malware has captured from the infected system. Common variants include RedLine, Aurora, Raccoon, Titan, and Vidar. One stealer log contains an average of 50+ active credentials to personal and corporate websites.
Why are stealer logs concerning?
Stealer logs are concerning because they contain a wealth of personal and sensitive information. This data can include more than login credentials: financial information, personal identification details, and more. Unauthorized access to and potential misuse of this information pose significant privacy and security risks to individuals and organizations.
Stealer logs can be directly leveraged as the initial access point for ransomware. Initial access brokers can also buy stealer logs in bulk to identify which ones could serve as initial access into corporate IT environments.
According to our research on the healthcare sector, more than 50% of healthcare organizations, regardless of size, had an infostealer infection leak credentials in the past six months, and 10% had multiple infostealer leaks.
What information do stealer logs capture?
- The web browser’s fingerprint (including all passwords and forms saved in the browser)
- Operating system information
- ISP information
- Cryptocurrency wallet logins
- Potentially confidential or sensitive files
What is the evolution of stealer logs?
The evolution of stealer logs mirrors the broader trends in malware development. Initially simple keyloggers, these tools have evolved into sophisticated software capable of bypassing advanced security measures. Modern infostealers can now target specific applications, use advanced data exfiltration methods, and even include functionality for spreading to other systems.
Where do threat actors buy and sell stealer logs?
Prominent threat actor communities and dark web forums and markets facilitate the sale of stealer logs. Threat actors profit from, or build up their reputation by, distributing these stealer logs.
What is Infostealer Malware?
Information stealer malware, or infostealer malware, is a form of Remote Access Trojan: malware that collects and sends victims’ sensitive information to the malicious actor. Infostealer malware infects computers through social engineering methods such as phishing attacks and steals the browser fingerprint, which contains passwords saved to the browser along with form fill data. Infostealer variants include RedLine, Raccoon, Vidar, and more.
Threat actors sell infostealer malware, complete with command and control infrastructure, for as low as $100 per month, which is relatively inexpensive. This creates a low barrier to entry for cybercriminals.
Infostealer malware panels such as RedLine automatically parse logs and call out high-value credentials such as banking and financial services applications.
Why Do You Need to be Monitoring for Stealer Logs?
What are the risks associated with stealer logs?
The risks associated with stealer logs include identity theft, financial loss, unauthorized access to private and corporate networks, data breaches, and reputational damage.
Employees often save passwords to their browsers, which are highly susceptible to infostealer malware attacks. Initial access brokers target stealer logs with access to CRMs, RDP, VPNs, cloud hosting platforms, SaaS application access, and other corporate devices. They can exploit and expand access before reselling in dark web forums.
Threat actors highly value financial accounts, as they can directly steal from consumer accounts. According to our research, stealer logs with financial data sell for an average of $112 on Genesis Market, compared to an average of about $15 across all logs for sale.
The panels that the C2 infrastructure exfiltrates stealer logs to make it easy to identify “high value logs”: those with active session cookies and credentials to corporate SaaS apps such as Okta, JumpCloud, Auth0, etc.
How do cybercriminals use stealer logs?
Threat actors use stealer logs in several ways:
- Exploiting the stolen information directly for financial gain, the most direct use, such as using stolen credit card details.
- Using the information to gain unauthorized access to other systems.
- Selling the information to other criminals.
Best Practices for Preventing, Detecting, and Remediating Stealer Logs
What are recommendations for mitigating risk from stealer logs?
Stealer logs provide a relatively easy way for cybercriminals to access corporate IT environments. Organizations can prevent, detect, and remediate stealer logs through implementing these measures:
- Password managers: Policies that encourage employees to not save their passwords in the browser eliminate a significant amount of risk.
- MFA: Multi-factor authentication adds another layer of security to corporate devices. Stealer logs can contain session cookies, but it’s possible they would not be fresh enough to use.
- Employee training: Cracked software downloads, malicious ads, and phishing attacks are the common methods of infostealer malware distribution. Employees are the first layer of defense against external risks, and providing training, especially additional training for users who fail it, will holistically improve the organization’s defenses.
- Personal Device Policies: Employees who save corporate credentials in the browser of their personal computer are a major risk factor. Strict policies on employees accessing corporate resources from their personal devices would greatly help with avoiding infostealer malware exposure.
- Stealer Log Monitoring: Make sure your Continuous Threat Exposure Management plan includes monitoring for stealer logs across clear, deep, and dark web.
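As an added example (not Flare’s code, and not part of the original page), the triage below shows what the monitoring step looks like once a stealer log relevant to your organization has been obtained: it parses a constructed, simplified password and cookie dump, matches entries against the organization’s own domains, flags session cookies that have not yet expired (the freshness question raised under MFA above) and password reuse between corporate and personal accounts, and emits the remediation actions a security team would take. The record layout, the domain list `CORP_DOMAINS`, the fixed clock `FIXED_NOW`, and every value in the sample data are constructed assumptions; real stealer families and panels use their own formats, so only the parsers would need to change.

```python
"""Defender-side triage of a stealer log against an organization's own domains.

Added example, not Flare's code. The password and cookie layouts below are a
simplified, constructed stand-in; real stealer families use their own formats.
"""
from dataclasses import dataclass, field
from typing import Iterable
from urllib.parse import urlparse

# Constructed "passwords" section: blank-line-separated URL/USER/PASS records.
SAMPLE_PASSWORDS = """\
URL: https://login.example-corp.okta.com/
USER: jdoe@example-corp.com
PASS: Winter2024!

URL: https://www.retail-shop.example/account
USER: jdoe@gmail.com
PASS: Winter2024!

URL: https://vpn.example-corp.com/
USER: jdoe
PASS: correct-horse-battery
"""

# Constructed cookie section in Netscape cookie-jar layout:
# domain, include_subdomains, path, secure, expiry_epoch, name, value.
SAMPLE_COOKIES = """\
.example-corp.okta.com\tTRUE\t/\tTRUE\t1893456000\tsid\tREDACTED
.retail-shop.example\tTRUE\t/\tFALSE\t1600000000\tsession\tREDACTED
.example-corp.com\tTRUE\t/\tTRUE\t1500000000\tvpn_session\tREDACTED
"""

CORP_DOMAINS = ("example-corp.com", "example-corp.okta.com")  # assumed org domains
FIXED_NOW = 1735689600  # 2025-01-01T00:00:00Z, fixed so the example is deterministic


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    expires: int  # unix epoch seconds

    @property
    def host(self) -> str:
        return self.domain.lstrip(".").lower()


def parse_passwords(text: str) -> list[Credential]:
    """Parse URL/USER/PASS records; incomplete records are skipped, not fatal."""
    records, fields = [], {}

    def flush() -> None:
        if all(k in fields for k in ("URL", "USER", "PASS")):
            records.append(Credential(fields["URL"], fields["USER"], fields["PASS"]))
        fields.clear()

    for line in text.splitlines():
        if not line.strip():
            flush()
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip().upper()] = value.strip()
    flush()
    return records


def parse_cookies(text: str) -> list[Cookie]:
    """Parse Netscape-style cookie lines; the cookie value is deliberately not kept."""
    cookies = []
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != 7:
            continue  # skip comments and malformed lines rather than aborting the triage
        domain, _subdomains, _path, _secure, expiry, name, _value = parts
        cookies.append(Cookie(domain=domain, name=name, expires=int(expiry)))
    return cookies


def is_corporate(host: str, corp_domains: Iterable[str]) -> bool:
    """Exact or subdomain match only, so 'example-corp.com.evil.test' never matches."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in corp_domains)


@dataclass
class TriageReport:
    corporate_credentials: list[Credential] = field(default_factory=list)
    live_sessions: list[Cookie] = field(default_factory=list)
    password_reuse: dict[str, list[str]] = field(default_factory=dict)

    def actions(self) -> list[str]:
        acts = [f"reset password: {c.username} @ {c.host}" for c in self.corporate_credentials]
        acts += [f"revoke session: cookie '{k.name}' on {k.host}" for k in self.live_sessions]
        acts += [f"password reuse: {u} shares a password with {', '.join(h)}"
                 for u, h in self.password_reuse.items()]
        return acts


def triage(creds, cookies, corp_domains, now_epoch: int) -> TriageReport:
    report = TriageReport()
    report.corporate_credentials = [c for c in creds if is_corporate(c.host, corp_domains)]
    # A cookie is a live session only if it belongs to the org and has not expired yet.
    report.live_sessions = [k for k in cookies
                            if is_corporate(k.host, corp_domains) and k.expires > now_epoch]
    external = [c for c in creds if not is_corporate(c.host, corp_domains)]
    for corp in report.corporate_credentials:
        hosts = sorted({e.host for e in external if e.password == corp.password})
        if hosts:
            report.password_reuse[corp.username] = hosts
    return report


def run_example(now_epoch: int = FIXED_NOW) -> TriageReport:
    return triage(parse_passwords(SAMPLE_PASSWORDS), parse_cookies(SAMPLE_COOKIES),
                  CORP_DOMAINS, now_epoch)


if __name__ == "__main__":
    for action in run_example().actions():
        print(action)
```

Running the script prints four actions: two password resets (the Okta and VPN credentials), one session revocation (the Okta cookie that expires in 2030 is still live, while the VPN cookie expired in 2017), and one reuse finding (the Okta password also appears on a personal retail account). The cookie value is discarded during parsing because the remediation only needs the domain, name, and expiry; a monitoring pipeline has no reason to retain a usable session token.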
Monitoring for Stealer Logs with Flare
The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically and constantly scans the clear & dark web and prominent threat actor communities to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to remediate risks from stealer logs and beyond.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.