Infostealers (RedLine, Raccoon, Vidar, etc.)
Infostealers (aka info stealers, info-stealers, information stealers, and stealers) are malware that exfiltrate data, especially credentials, from compromised devices. They’re available as malware-as-a-service (MaaS) on dark web markets for as little as $50–300/month, enabling unsophisticated threat actors to deploy them.
What Infostealers Steal
Infostealers steal usernames, passwords, names, email addresses, phone numbers, physical addresses, dates of birth, browser cookies, session IDs and authentication tokens (including tokens issued after a successful MFA login, which let a buyer skip MFA entirely), financial data such as credit card details, cryptocurrency wallet data, location data, clipboard contents, and system information (hardware, OS, and installed software), which operators use to fingerprint and catalogue each victim machine.
The malware can extract a variety of data from browsers, including saved passwords, cookies, autofill data (including credit card details), browsing history, and bookmarks.
The malware can extract data from web browsers, password managers, email, messengers, VPN clients, FTP clients, cryptocurrency wallets, social media, and gaming software.
Infostealers capture data in several ways: reading credential stores on disk (browser cookie and saved-password databases, application configuration files), keylogging, scraping the contents of open windows, hooking browsers and other applications to grab credentials as they are typed (form grabbing), and injecting scripts into web pages (web injects) to capture data entered into forms.
Infostealers can also capture screenshots, and audio, photos, or video from connected microphones and cameras.
After collecting this data, infostealers send it (the "logs") to their operators, either directly to a command-and-control (C2) server or indirectly through a third-party service such as a Telegram bot, a Discord webhook, or email.
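The two behaviours above, reading browser credential stores on disk and pushing the result to a Telegram or Discord channel, are visible in ordinary endpoint telemetry. The following detection logic is an added example (not code from the original page or from any product): it runs over constructed Sysmon-style events and flags a non-browser process that touches a browser credential store, a non-browser process that connects to a Telegram bot API or Discord webhook, and rates a process that does both as high severity. The event field names (type, pid, image, target, dest_host, url) are an assumption loosely modelled on Sysmon file-access and network-connect events, not a real log schema, and the browser allowlist is deliberately minimal.

```python
"""Detection sketch for infostealer behaviour on constructed endpoint events.
Added example; not the original page's code. Field names are assumed."""
import re

# Browsers are allowed to open their own stores. Assumption: a minimal allowlist;
# a real deployment baselines backup agents, updaters, etc. before enabling this.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# On-disk credential stores stealers read: Chromium-family "Login Data", "Cookies"
# (newer builds keep it under Network\), "Web Data" (autofill/cards), and the
# Firefox logins.json / cookies.sqlite / key4.db trio.
CRED_STORE_RE = re.compile(
    r"\\User Data\\[^\\]+\\(?:Network\\)?(?:Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|cookies\.sqlite|key4\.db)$",
    re.IGNORECASE,
)

# Out-of-band exfil channels named on the page.
EXFIL_HOSTS = {"api.telegram.org"}
DISCORD_WEBHOOK_RE = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per suspicious event; browser processes are skipped."""
    alerts = []
    for ev in events:
        img = image_name(ev["image"])
        if img in BROWSER_IMAGES:
            continue
        if ev["type"] == "file_read" and CRED_STORE_RE.search(ev["target"]):
            alerts.append({"pid": ev["pid"], "image": img, "tactic": "cred_store_read",
                           "detail": ev["target"]})
        elif ev["type"] == "net_connect":
            host = ev.get("dest_host", "").lower()
            url = ev.get("url", "")
            if host in EXFIL_HOSTS or DISCORD_WEBHOOK_RE.match(url):
                alerts.append({"pid": ev["pid"], "image": img, "tactic": "exfil_channel",
                               "detail": url or host})
    return alerts


def triage(alerts):
    """Severity per pid: reading stores AND reaching an exfil channel is 'high';
    either alone is 'medium' (a backup agent or a real Telegram client can trigger one)."""
    tactics = {}
    for a in alerts:
        tactics.setdefault(a["pid"], set()).add(a["tactic"])
    return {pid: ("high" if len(t) == 2 else "medium") for pid, t in tactics.items()}


# Constructed sample telemetry: pid 4242 is a "cracked installer" behaving like a stealer,
# pid 1234 is Chrome itself, pid 900 is a hypothetical backup agent (expected false positive).
SAMPLE_EVENTS = [
    {"type": "file_read", "pid": 1234, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "net_connect", "pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "file_read", "pid": 900, "image": r"C:\Program Files\BackupAgent\agent.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9a1zq.default-release\key4.db"},
    {"type": "net_connect", "pid": 777, "image": r"C:\Windows\explorer.exe",
     "dest_host": "www.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(triage(found))
```

The file-read rule on its own is noisy (backup software and some password managers legitimately read these files), which is why the triage step only escalates when the same process also reaches an exfiltration channel; in practice the network side should also cover plain C2 destinations, which this sketch does not model.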
In addition to exfiltrating data, infostealers can be used for remote control, performing DDoS attacks, mining cryptocurrency, and loading additional malware.
How Stolen Data is Used
Infostealer operators are usually financially motivated. They can use the stolen data themselves, to commit fraud or access networks, or they can sell the data to others via the dark web, Telegram, or other channels.
Buyers who purchase the stolen data may use it for fraud, including applying for credit cards or loans, purchasing items, or filing health insurance claims.
Buyers also use the credentials to log in to accounts and services. Stolen session cookies and tokens are often more valuable than passwords: because the session was already authenticated, the buyer can replay the cookie and use the account without ever entering a password or satisfying MFA (session hijacking), until the session expires or is revoked.
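The server-side view of that cookie replay, as an added example that is not part of the original page: a toy in-memory session store shows that a stolen cookie is accepted as-is by a store that checks nothing but the token, and two controls that limit the blast radius, binding the session to the client context seen at login and revoking every session of a user once a stealer infection is confirmed. The binding fields (IPv4 /24 plus User-Agent), the lifetimes, and the `demo()` scenario are assumptions for illustration.

```python
"""Session replay vs. session binding and bulk revocation. Added example;
not the original page's code. Binding fields and lifetimes are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    bound_fp: str  # sha256 of the client context captured at login


def fingerprint(ip, ua):
    # Assumption: /24 rather than the full address so an office DHCP change does not
    # log the user out. Weak by design: a proxy on the victim's LAN defeats it.
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{ua}".encode()).hexdigest()


class SessionStore:
    def __init__(self, bind=True, idle_ttl=3600, abs_ttl=12 * 3600):
        self.bind = bind
        self.idle_ttl = idle_ttl
        self.abs_ttl = abs_ttl
        self.sessions = {}
        self.anomalies = []  # (user, token) pairs presented from an unexpected client

    def login(self, user, ip, ua, now):
        """Called only after password + MFA succeed; MFA is never consulted again."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now, fingerprint(ip, ua))
        return token

    def validate(self, token, ip, ua, now):
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.created > self.abs_ttl or now - s.last_seen > self.idle_ttl:
            del self.sessions[token]
            return False
        if self.bind and s.bound_fp != fingerprint(ip, ua):
            # Deny and record; the session stays alive for its owner. A real service
            # would demand a step-up (fresh MFA) here rather than a silent deny.
            self.anomalies.append((s.user, token))
            return False
        s.last_seen = now
        return True

    def revoke_user(self, user):
        """Incident-response step: kill every session of the user, not just the one in hand."""
        dead = [t for t, s in self.sessions.items() if s.user == user]
        for t in dead:
            del self.sessions[t]
        return len(dead)


def demo():
    """Constructed scenario: stealer log holds alice's cookie and User-Agent."""
    now = 1_700_000_000.0
    victim_ip, victim_ua = "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
    attacker_ip = "198.51.100.9"  # attacker replays from their own machine
    naive, bound = SessionStore(bind=False), SessionStore(bind=True)
    t_naive = naive.login("alice", victim_ip, victim_ua, now)
    t_bound = bound.login("alice", victim_ip, victim_ua, now)
    # The attacker copies the victim's UA from the stolen system info; only the network differs.
    out = {
        "naive_accepts_stolen": naive.validate(t_naive, attacker_ip, victim_ua, now + 60),
        "bound_rejects_stolen": not bound.validate(t_bound, attacker_ip, victim_ua, now + 60),
        "anomaly_logged": len(bound.anomalies) == 1,
        "victim_still_valid": bound.validate(t_bound, victim_ip, victim_ua, now + 120),
    }
    out["revoked_count"] = bound.revoke_user("alice")
    out["victim_valid_after_revoke"] = bound.validate(t_bound, victim_ip, victim_ua, now + 180)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Binding is a heuristic, not a fix: an attacker who tunnels through the infected machine (or sits on the same /24) presents the right context, and mobile users change networks constantly. The control that reliably ends the exposure is `revoke_user` followed by a fresh MFA login, which is why "reset password and revoke all sessions" belongs in the infostealer playbook rather than password reset alone.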
Infostealers can steal information about networks and systems, which threat actors can use to move laterally, escalate permissions, and deploy additional malware within networks.
How Infostealers are Delivered
Infostealers are usually hidden inside other software, making them Trojans. They can be bundled with pirated software and cracks (like many other forms of malware), or disguised as legitimate software, such as browser extensions or installers for popular tools.
To get users to download the malicious software, infostealer operators have used SEO poisoning to push fake download pages up in search results, and malvertising (malicious web ads on Google, Facebook, and other platforms) to lure users to those pages.
Infostealers have been delivered in spam and phishing emails. Those emails can include links to phishing pages that prompt users to download malicious software, or carry malicious attachments (such as Word or Excel files).
Infostealers have even been delivered as drive-by downloads, in which the malware is installed by simply visiting a webpage or viewing an ad, without the user clicking anything on the page. Drive-by downloads depend on an exploitable vulnerability in the browser, a plugin, or the OS, so they are far less effective against fully patched systems.
Infostealers are designed to evade detection. Some use obfuscation or packing, and some disable or remove security software.
Ransomware campaigns often include infostealers, typically as the first stage: credentials harvested from stealer logs (VPN, RDP, and cloud consoles) are used for initial access before the ransomware is deployed.
Infostealer operators frequently modify their infrastructure to avoid detection and countermeasures.
Infostealer Examples
RedLine, Raccoon/RecordBreaker, and Vidar are common infostealers.
RedLine: Often delivered through phishing campaigns. Targets Windows. Shared on Russian malware forums. Can download files, run commands, and run executables. Attempts to thwart analysis.
Raccoon/RecordBreaker: Usually delivered through phishing campaigns and exploit kits. Exfiltrates data as it collects it, rather than bulk-exfiltrating like other stealers. Doesn't obfuscate its activity or attempt to thwart analysis. Can act as a loader to install additional malware.
Vidar: Allows operators to choose what data to exfiltrate. Erases itself after exfiltration. Believed to have originated in a Russian-speaking country.
Other infostealers include Erbium, StrelaStealer, Rhadamanthys, LokiBot, META, BlackGuard, Inno, StormKitty, 44CALIBER, Taurus, AZORult, Agent Tesla, FormBook, Mars, Arkei, Ginzo/ZingoStealer, Eternity, Aurora, and OriginLogger.