Cybersecurity blog header

Infostealer: How criminals steal device credentials

- Ciber 4 All Team

Infostealers are a type of malware that allows passwords to be stolen

Infostealer is malware that can steal passwords, cookies and other credentials from a device’s browsers, apps and documents

«Meow, meow, meow». In this way, an X account announced in early 2024 that the problems experienced by the internet services of a telecommunications company in Spain resulted from a cyberattack. How did this incident originate? In September 2023, a malicious actor used an infostealer to infect a multinational corporate computer. In such a way, it could obtain the passwords that the device stored in web browsers and applications. Among them was the password to access the Regional Internet Registry for Europe, Middle East and Central Asia (RIPE), which allocates and registers network resources. This password was exfiltrated and made public.

In addition, throughout the fall, the company did not change the password or implemented a multi-factor authentication system to access its RIPE account. Hence, the attack was quickly carried out.

This security incident is just one of the many cases of cyber-attacks in which the use of an infostealer has made it possible to steal access credentials to bank accounts, Software-as-a-Service, social network accounts or cryptocurrency wallets.

Infostealers are one of the most commonly used types of malware today. They collect credentials stored in browsers, applications and documents on a device, as well as session cookies and financial information.

Below, we will review how infostealer attacks are carried out, what the criminals are targeting and what companies can do to protect their corporate accounts.

Telecommunications, technology, tourism, energy, retail… No sector is safe

Criminal groups are using infostealers to attack companies in multiple economic sectors. Therefore, it is essential for companies, regardless of their field of activity, to be aware of this threat.

Criminals developing or contracting infostealer target not only the telecommunications sector. Incidents have also occurred in sectors as diverse as the oil and tourism sectors. For example, the Rhadamanthys Stealer infostealer has recently been used to obtain credentials stored in oil and gas company files and browsers.

While fraud against the travel industry has become a global threat, infostealers are used to steal login credentials from hotels or travel agencies to hotel booking platforms such as Booking. To what end? to defraud your customers.

Another sector where infostealer attacks are a top threat is retail. Criminals seek access to Cloud applications used by companies in this sector, from mail managers to cloud document storage applications such as Google Drive or OneDrive. Hence, infostealers are also a problem for companies that provide technology services, which have to try to strengthen the process of access and authentication to their software.

We must also bear in mind that criminals do not only attack business professionals but often, the attacks are not directed against specific targets. In other words, an ordinary citizen can also see their computer or cell phone infected with an infostealer to steal the login credentials of their accounts on social networks such as LinkedIn, streaming platforms such as Spotify, retail companies such as Amazon or their email managers such as Gmail, or even their bank account.

Companies' digital assets a target for criminals

Social engineering is critical when it comes to gaining an entry vector

How do infostealers reach corporate devices? The answer to this question is not too original: there is always an element of social engineering.

For example, Rhadamanthys Stealer has been distributed through phishing campaigns. Email is also the prototypical entry vector for fraud against the travel industry because criminals pose as customers of hotel chains or travel agencies, sending special requests through documents infected with an infostealer.

Once the attackers have obtained personal information from their targets, they can use it in even more convincing targeted social engineering attacks to get the data needed to bypass second authentication factors. In these attacks, phone calls are made, and legitimate data is presented to increase the confidence of the victims so that they end up providing second-factor access.

Another common technique for infecting a device with an infostealer is malvertising. For example, malicious actors have distributed Lumma Stealer using fake YouTube videos with content about problems in some software and directing victims to a URL where they can download guides on fixing these bugs.

Another infostealer that has recently been distributed using malvertising is Atomic Stealer, in this case via Google Ads. Criminals have also used another way to install this kind of malware: creating fake applications such as social networking platforms where content can be shared, doing a thorough job of publicizing them, giving them legitimacy and getting victims to download and install them on their devices.

In addition to social engineering techniques, malicious actors can also infect a device with an infostealer by having the malicious program be the payload of another type of malware: Trojans.

The infostealer steals passwords, cookies, and banking information…

Once the infostealer starts running on the infected device, it scans the computer to collect all credentials and session cookies stored in web browsers, software and files.

For example, in mid-April 2024, a campaign was unveiled that tricked its victims by offering them a free copy of a video game. However, a variant of the infostealer RedLine Stealer was downloaded onto the computers. This program has become popular this decade, allowing users to obtain passwords, cookies, and even autofill information and cryptocurrency wallet data.

At almost the same time, it also became public that CoralRaider, a malicious actor of Vietnamese origin, had launched a campaign to infect multiple computers with three types of infostealer (Lumma, Rhadamanthys and Cryptbot) to obtain financial information and social network login credentials.

During an attack, CoralRaider is able to scan the main browsers on the market (Chrome, Firefox, Edge, Avast), applications for managing passwords and authentication processes (Google Authenticator, KeePass) and cryptocurrency wallets (Bitcoin, Litecoin, Agent X).

For an infostealer to carry out its malicious work, it is essential that it acts unnoticed and without attracting the attention of the attacked company’s security mechanisms. Hence, obfuscation is an essential element of infostealer attacks.

What do criminals do with the credentials and cookies they obtain?

Hostile actors who resort to info stealer attacks use a variety of ways to monetize the attacks:

  • Offering sales accounts to gain access to software, applications and platforms, e.g., generative AI systems such as ChatGPT.
  • Accessing bank accounts for financial fraud.
  • Using the information obtained to impersonate victims and commit new attacks, as is the case in travel fraud.
  • Obtaining critical data by accessing confidential programs, such as a corporate email manager, invoicing software or a file repository.
  • Hacking into social network accounts to use them for other attacks.

Furthermore, in some cases, the information is exaggerated to damage the reputation of the attacked organizations.

Infostealers are a major threat to sectors such as tourism

Infostealers are traded on the Dark Web, Telegram or Discord

Can only criminal groups that can design their infostealer launch this attack? The answer is a resounding no, as seen in several of the cases we unpacked in this article.

This is because some of the best-known infostealers globally (RedLine, Lumma…) are marketed through the Dark Web and channels in applications such as Telegram or Discord. In such a way, Malware-as-a-Service platforms offer all the necessary elements to carry out an infostealer attack and obtain credentials and cookies to access platforms, applications and software.

This explains the exponential growth of infostealer attacks and the fact that they can affect not only large companies but also small companies operating in a wide range of sectors.

Having a company’s credentials or cookies stolen to access software critical to its business models can have severe consequences and even cause a future attack to affect its business processes.

Of course, the public as a whole can also be a victim of this kind of attack. Nowadays, practically everyone has online bank accounts, uses streaming services such as Netflix, has an email manager or has profiles on social networks.

Hence, infostealers also threaten the companies that provide the services accessed through the compromised accounts. In this sense, companies such as banks or social networking platforms must have cyber intelligence services that enable them to deal with online fraud and hacking while strengthening application access and authentication processes.

How can infostealer attacks be countered?

Companies wishing to prevent their computers from being infected with an infostealer can turn to comprehensive cybersecurity services:

  • Social Engineering Test. This test is used to train professionals and prevent phishing or malvertising from opening the door to an infostealer infection.
  • Proactive Threat Hunting services. Criminal groups are continually developing new infostealer variants and implementing more complex techniques, tactics and procedures that are difficult to detect and have a greater potential for devastation. Therefore, threat-hunting services can help detect existing tools and their variants at an early stage.
  • Red Team services. Red Team professionals can design specific scenarios focused on infostealer attacks. The purpose is to test how a company would respond in the event of a malicious actor attempting to infect its corporate computers, detect weaknesses in the defensive layers and optimize the functioning of detection and response mechanisms.
  • Incident response services. Suppose an infostealer is detected executing on a corporate computer. In that case, it is critical to act as soon as possible to assess the scope of the compromise, expel the malicious actor and understand how the attack occurred to prevent future incidents.

The level of digitalization of the economy is so high that all companies use software, programs and Cloud platforms to carry out their economic activities. That is why the credentials to access these assets are so valuable, and protecting them against using an infostealer is essential.

An attack using this type of malware can trigger a major business crisis, cause huge financial losses, affect business processes and damage not only the organization but also its customers.