Secureworks Reveals ‘Infostealer’ Market is Booming

In its latest report “The Growing Threat From Infostealers,” the Secureworks Counter Threat Unit (CTU) revealed a thriving “infostealer” market that serves as a key enabler for the most damaging forms of cybercrime such as ransomware attacks.

Infostealer malware, which consists of code that infects devices without the user’s knowledge and steals data, remains available to purchase through underground forums and marketplaces, with the volume of logs, or collections of stolen data, available for sale increasing at alarming rates.

“Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetize that access,” said Don Smith, VP of Secureworks CTU. “They are readily available for purchase, and within as little as 60 seconds generate an immediate result in the form of stolen credentials and other sensitive information.

“However, what has really changed the game, as far as infostealers are concerned, is improvements in the various ways that criminals use to trick users into installing them,” Smith continued. “That, coupled with the development of dedicated marketplaces for the sale and purchase of this stolen data, has really upped the ante.”

Secureworks researchers analyzed the latest trends in the underground infostealer market, including how this malware is becoming more sophisticated and difficult to detect, posing a challenge for defenders of corporate networks. Key findings include:

  • The number of infostealer logs for sale on underground forums continues to increase over time. On Russian Market alone, the number of logs for sale increased by 150 percent in less than nine months, from 2 million on a single day in June 2022 to more than 5 million on a single day in late February 2023.
  • Russian Market remains the top seller for infostealer logs. At the time of this report, Russian Market offers 5 million logs for sale, which is around ten times more than its nearest forum rival 2easy.
  • Raccoon, Vidar and Redline continue to be the top three infostealers whose logs are offered for sale. On a single day in February, the number of logs, or data sets of stolen credentials, for sale on Russian Market from each of these infostealers was:
    • Raccoon: 2,114,549
    • Vidar: 1,816,800
    • Redline: 1,415,458
  • Recent law enforcement action against Genesis Market and Raid Forums has impacted cybercriminals’ behaviour. Telegram has been a beneficiary of this, with more buying and selling of logs for popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer shifting to dedicated Telegram channels.
  • A growing market has emerged to meet the demand for after-action tools that help with log parsing, a manual and challenging task often left for more experienced cybercriminals.

Much like the general cybercrime ecosystem, the successful development and deployment of infostealers relies on people with a broad range of skills, roles and responsibilities. The rise of malware-as-a-service has fostered innovation among developers to improve their products and appeal to a wider range of customers.

For example, Russian Market now offers users the option to preorder stolen credentials for a specific organization, business or application; all that is required is a $1,000 deposit into the site's escrow system. The pre-order service comes with no guarantees, but it enables cybercriminals to graduate from opportunistic to targeted attacks.

Infostealers can be installed easily on a computer or device via phishing, infected websites, malicious software downloads and Google ads. A log represents the complete collection of assets that can be stolen from a victim's endpoint, from cookies through to stored credentials.

In 2022, stolen credentials accounted for almost one in ten of the incident response engagements Secureworks was involved in, and from April 2022 to April 2023 they were the initial access vector (IAV) for over a third (34 percent) of ransomware engagements.