October 9, 2024
|
Infostealers series
Infostealers are developed as Malware-as-a-Service (MaaS). This model allows cybercriminals without deep technical knowledge to gain access to advanced malware by simply paying for a subscription. This makes infostealers more accessible for a wider range of criminals to launch attacks without having to develop malware themselves.
In this MaaS model, criminal networks offer their infostealers as ready-made solutions, similar to how legitimate software companies offer their products through subscriptions. Well-known infostealers like Redline, Raccoon, and Lumma are developed and continuously updated by cybercriminals and then sold on various dark web marketplaces to anyone willing to pay. This has led to increasing professionalization within the criminal ecosystem. The marketing strategies used to promote these infostealers resemble those of legitimate software companies, complete with advertisements highlighting the effectiveness of their malware.
The malware developers behind infostealers follow strict development processes, constantly working to bypass antivirus software. A key part of this process is implementing techniques such as code obfuscation and encryption, making the malware appear different with each infection and difficult for traditional antivirus programs to detect. Additionally, developers continually add new features to make the malware more powerful, such as tools to prevent session timeouts, to extract super cookies or keep devices from entering sleep mode.
Alongside the development of the malware itself, MaaS providers give their customers access to user-friendly Command & Control (C2) dashboards. These dashboards function similarly to portals of legitimate SaaS services and provide infostealer distributors with an overview of infected devices. Distributors can log in to these portals, often located in hidden sections of the dark web, and easily manage their infections.
Once logged into the C2 dashboard, distributors can perform actions such as session hijacking, allowing them to immediately access the sessions of infected users without requiring re-authentication. From the dashboard, they can also export stolen data, such as login credentials and session tokens, and sell these on criminal marketplaces.
A crucial part of the development process is ensuring that the infostealer malware remains undetected by antivirus programs. Developers use techniques like code obfuscation and encryption to hide the malware from signature-based antivirus software. These methods ensure that the malware appears different with each infection, making it harder for standard antivirus programs to detect the infostealer.
Additionally, the malware is often packaged in small, inconspicuous pieces of code, allowing it to execute slowly and almost invisibly on victims' systems. This is often combined with techniques like "fileless" malware, where the infostealer runs in the computer’s memory instead of being stored on the hard drive, making detection even more difficult.
Like legitimate software, infostealers are continuously evaluated and improved. Both successful and failed infections provide valuable insights, allowing developers to create new features and fix vulnerabilities in their malware. For instance, a new feature recently introduced is the extraction of supercookies, which enables attackers to remain logged in for significantly longer periods, and these supercookies are much harder to invalidate.
Infostealer communities actively monitor the development of new tools that store data locally. A recent example of this was the announcement of Microsoft's Copilot Recall module, which captures screenshots and stores them locally. Whenever data is stored locally, it presents an opportunity for infostealers to steal this information and offer it for sale.
Infostealers, with their combination of advanced functionality and ease of use, have become an increasingly attractive tool for cybercriminals. The Malware-as-a-Service model lowers the entry barrier for criminal actors and makes it easier to manage large-scale infections and generate profit. This not only increases the threat to individuals and organizations but also highlights how the cybercriminal ecosystem is increasingly resembling that of legitimate tech companies.Infostealers, with their combination of advanced functionality and ease of use, have become an increasingly attractive tool for cybercriminals. The Malware-as-a-Service model lowers the entry barrier for criminal actors and makes it easier to manage large-scale infections and generate profit. This not only increases the threat to individuals and organizations, but also highlights that the infostealer ecosystem is becoming more professional, increasingly resembling a serious tech company.
Information security is gaining increasing attention in healthcare organizations. We spoke about this with a large healthcare organization in the south of the Netherlands. Information security is an important theme for them: they continuously map out vulnerabilities and implement improvements. One of the tools they use for this is Passguard. Why? We asked the CIO.
November 6, 2024
Infostealers are developed as Malware-as-a-Service (MaaS). This model allows cybercriminals without deep technical knowledge to gain access to advanced malware by simply paying for a subscription. This makes infostealers more accessible for a wider range of criminals to launch attacks without having to develop malware themselves.
October 18, 2024
In recent years, many organizations have implemented effective measures to secure their networks and reduce the risk of phishing attacks. As a result, the effectiveness of traditional attack methods has significantly decreased. This poses a major problem for cybercriminals, as their entire ecosystem relies on successful attacks.
October 18, 2024
.svg)
