
The Bad News About Infostealer Malware: There’s No Silver Bullet (But There IS More You Can Do)


Infostealer malware is a hot topic among SOC teams, with survey respondents in our recent Malware Readiness & Defense Report ranking it among their top three security concerns. And it’s no wonder – we’re seeing cyberattackers use phishing emails, social media posts, video game mods, fake websites, and other channels to convince their victims to click or download malware that can silently and swiftly steal massive amounts of sensitive data.

But what makes infostealer malware such a unique threat, and how should SOC teams be thinking about adjusting traditional approaches to more fully address the risk it poses?

In a recent Cyberwire-X podcast episode, Trevor Hilligoss, our Director of Security Research here at SpyCloud, sat down with host Dave Bittner to dig into the world of infostealers, shedding light on their evolution over the past decade, common attack schemes, and how we can all keep up.

You can listen to their full conversation here – and then read through some added color in the commentary from our team below.

So why is infostealer malware such a challenging threat?

Infostealers’ entire purpose is to steal information from an infected host. They are non-persistent malware: delivered stealthily to an endpoint, sometimes through a botnet or loader, executed once to harvest whatever the machine holds, and then done. The infostealer exfiltrates the stolen data to a place the attacker can access and use for fraudulent activity, anything from identity theft to espionage, or package it for sale, including to ransomware operators looking for initial access. The real challenge is that once the data has left the machine, sometimes within seconds of execution, the malware can remove itself without leaving a trace. By the time anyone looks at the endpoint, the damage is already in the attacker’s hands and the evidence may be gone.

Four traditional ways to protect against infostealer malware – and where they fall short

Infostealer malware isn’t new, and many organizations already have some key malware defense practices in place to combat the threat, including:

  1. A good antivirus program
  2. Advanced authentication through multi-factor authentication (MFA) and passkeys
  3. Cookie policies
  4. Comprehensive management over your devices and networks, including a strict bring-your-own device (BYOD) policy

Antivirus software

Keeping antivirus software up to date is an obvious part of any organizational defense against malware. But it is not enough on its own: in our most recent malware report, SpyCloud researchers found that for the first six months of 2023, 20% of all recaptured infostealer logs came from hosts that had an antivirus program installed at the time the malware executed successfully. The tool was present, and the infection still happened. Antivirus serves a valuable purpose as a first line of defense, but it is not, and never will be, a substitute for the rest of the stack against infostealers that are purpose-built to slip past detection, and whose stolen output (valid session cookies and tokens) sidesteps even robust authentication methods like MFA and passkeys.

MFA and passkeys

Strong security controls today mean deploying advanced authentication methods like MFA and passkeys, and regularly monitoring MFA activity for odd behavior is critical to infostealer malware protection. But even the strongest MFA or passkey only protects the login itself. Once the employee has authenticated, the session cookie or token the browser holds is what the infostealer steals, and an attacker who replays it never has to satisfy a second factor at all. Attackers improve their odds by making the replay look like the victim: routing it through a residential proxy in the employee’s region and copying the device details found in the same log, so that any risk-based checks see the employee’s exact online identity rather than a new device.

Cookie policies

Today, malware logs often contain authentication cookies and tokens too, which enable an attacker to hijack a session without providing a password, passkey, or second factor. SOC teams can combat this threat by setting shorter cookie lifetimes (both idle and absolute), invalidating sessions server-side as soon as a cookie is found to be compromised, and forcing password resets for malware-compromised users as an added measure. Note that a password reset alone does not end a session that is already established unless the application explicitly invalidates sessions on password change. The challenge is that most teams don’t have the full picture of exactly which cookies were stolen, or the ability to act on them, making it difficult to close every door. Our research shows that 39% of organizations don’t terminate session cookies at the sign of exposure.
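As an added illustration of the two points above (MFA and passkeys protecting only the login, and cookie lifetime plus revocation being the controls that actually end a stolen session), here is a small server-side session store written for this page; it is not SpyCloud’s code or any product’s. It binds each session to a device fingerprint at login, enforces idle and absolute lifetimes, and lets the SOC revoke every session a user holds once an exposure is reported. The lifetimes, the fingerprint inputs, the user names and the replay scenario are all assumptions for illustration. Note in particular the case where the attacker copies the fingerprint perfectly, which is exactly the residential-proxy impersonation described above and which fingerprint binding cannot catch.

```python
"""Session hardening against stolen-cookie replay (added example, not SpyCloud's code).

An in-memory session store that binds each session to a device fingerprint,
enforces short idle and absolute lifetimes, and supports revoking every
session a user holds when an infostealer exposure is reported. Lifetimes,
fingerprint inputs, and the scenario data are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IDLE_TTL = 15 * 60        # seconds of inactivity before a session dies (assumed)
ABSOLUTE_TTL = 8 * 3600   # hard cap on session age regardless of activity (assumed)


def fingerprint(user_agent: str, screen: str, platform: str, ip_asn: str) -> str:
    """Hash the client attributes seen at login into one binding value.

    An infostealer log hands the attacker the user agent, OS and screen size,
    and a residential proxy can place them in the victim's ASN, so any single
    attribute is weak; the binding only helps when the replay gets one wrong.
    """
    raw = "|".join((user_agent, screen, platform, ip_asn)).encode()
    return hashlib.sha256(raw).hexdigest()


@dataclass
class Session:
    user: str
    fp: str          # fingerprint captured at login
    created: float   # epoch seconds
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, fp: str, now: float) -> str:
        """Create a session and return the opaque token to set as the cookie."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fp, now, now)
        return token

    def validate(self, token: str, fp: str, now: float) -> tuple[bool, str]:
        """Check a presented cookie; returns (accepted, reason)."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown"
        if s.revoked:
            return False, "revoked"
        if now - s.created > ABSOLUTE_TTL:
            return False, "absolute_expired"
        if now - s.last_seen > IDLE_TTL:
            return False, "idle_expired"
        if not hmac.compare_digest(s.fp, fp):
            # Same cookie, different client: treat as replay and kill the session
            # rather than just rejecting this one request.
            s.revoked = True
            return False, "fingerprint_mismatch"
        s.last_seen = now
        return True, "ok"

    def revoke_user(self, user: str) -> int:
        """Terminate every live session for a user (the exposure response)."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/114.0"  # constructed value


def scenario() -> dict:
    """Walk through the victim login, the attacker's replays, and the SOC response."""
    store = SessionStore()
    victim_fp = fingerprint(UA, "1920x1080", "Win32", "AS7922")
    token = store.issue("alice@example.com", victim_fp, now=0)
    out = {"victim_ok": store.validate(token, victim_fp, now=60)[1]}

    # Replay through a residential proxy in the victim's ASN with UA, OS and
    # screen size copied from the log: the store cannot tell it from the victim.
    out["perfect_replay"] = store.validate(token, victim_fp, now=120)[1]

    # Replay where the attacker's tooling reports a different screen size.
    sloppy_fp = fingerprint(UA, "1366x768", "Win32", "AS7922")
    out["imperfect_replay"] = store.validate(token, sloppy_fp, now=180)[1]

    # Exposure reported: revoke everything alice holds, including a fresh login.
    token2 = store.issue("alice@example.com", victim_fp, now=200)
    out["revoked_count"] = store.revoke_user("alice@example.com")
    out["after_revoke"] = store.validate(token2, victim_fp, now=210)[1]

    # A cookie captured and replayed only after the idle window has closed.
    token3 = store.issue("bob@example.com", victim_fp, now=300)
    out["stale"] = store.validate(token3, victim_fp, now=300 + IDLE_TTL + 1)[1]
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The point of `scenario()` is the order of outcomes: a perfectly emulated replay is indistinguishable from the victim, so fingerprint binding is a detection aid and not a guarantee, while what reliably ends the attacker’s access is a short lifetime and a revoke-all-sessions action triggered by the exposure itself.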

Under-managed and unmanaged devices

Two of the most overlooked exposure paths are browser profile sync, which carries saved passwords and cookies between personal and corporate devices, and unmanaged devices that log into business applications. So it makes sense that another first line of defense is keeping devices and systems patched and up to date, and tightening your BYOD policy.

It takes just one employee unsuspectingly logging into corporate applications from an infected personal device for infostealer malware to steal those credentials (it doesn’t distinguish between personal and business), along with other identity and device data that bad actors can use to impersonate the employee and infiltrate your organization.

Advanced malware protection as a complementary line of infostealer malware defense

As a security practitioner, it’s really important to do all of the things mentioned above. But none of the traditional countermeasures are infallible, which is why we recommend having more tools in your arsenal. For infostealer malware, that means gaining enhanced visibility into your risk from exfiltrated data.

98% of survey respondents in the 2023 Malware Readiness & Defense Report agree that having better visibility into the business applications exposed by an infostealer infection would increase their security posture.

When we talk about visibility here, we mean visibility beyond what’s traditionally included in the digital forensics and incident response process. Traditionally, we hyper-focus on devices, networks, and artifacts like firewall logs and application logs. But infostealers introduce a wild card: anything and everything that could be taken from the device.

That ranges from the simple things like device and operating system information, to fresh data including target URLs, login credentials, passkeys, and authentication cookies/tokens. It’s dozens of data points that enable easy impersonation, allowing attackers to mimic employees’ access with a high degree of success and perpetrate cybercrimes like account takeover, session hijacking, and ransomware attacks. And you can’t fully protect yourself without knowing exactly what criminals have in their hands.

Post-Infection Remediation: looking beyond devices and networks

Business environments today transcend the confines of traditional computers and networks. The proliferation of third-party applications, devices, and single sign-on (SSO) systems has expanded our digital realm significantly, and it’s vital to consider these factors in the context of infostealer malware. For instance, the same log that holds a valid authentication cookie also holds seemingly innocuous device details like screen size and operating system, and together they let cybercriminals mimic the employee’s digital presence effortlessly.

Definitely keep your first lines of malware defense current to combat threats as they emerge – but also be aware that there are additional post-infection remediation steps that account for exposed applications that can help you fill in gaps you may not even know you have.

The concept of Post-Infection Remediation urges us to look beyond our devices and networks. Every day, cyber criminals are working to take more of our data from infected devices, which in turn increases the risk of follow-on attacks that leverage that exfiltrated data. We can’t fix what we can’t see, so Post-Infection Remediation invites us to expand our awareness – and action plan – to take control of the scattered pieces of information that are stolen from us in our digital environments.
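To make the Post-Infection Remediation idea concrete, here is an added example, written for this page rather than taken from SpyCloud or any product, that turns the contents of one recaptured infostealer log (the device, credential and cookie data described above) into an ordered remediation plan. The log layout, the hostnames, the application inventory and the timestamps are all constructed for illustration; a real recapture feed will differ. The logic encodes the priorities the article argues for: the host is untrusted regardless of whether the stealer cleaned up after itself, a live SSO cookie outranks every password reset because it needs no second factor, and a password reused between a personal site and a corporate app has to be treated as a corporate exposure.

```python
"""Post-infection remediation triage (added example, not SpyCloud's code or log format).

Turns the artifacts one infected host gave up into an ordered remediation plan.
The log layout, hostnames, application inventory and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical inventory: which stolen targets are corporate, and which one is
# the SSO front door whose session unlocks the apps behind it.
CORPORATE = {"sso.example.com": "okta-sso", "vpn.example.com": "vpn", "wiki.example.com": "wiki"}
SSO_HOST = "sso.example.com"

# Constructed excerpt of a recaptured log: what one host gave up.
SAMPLE_LOG = {
    "host": "DESKTOP-A1B2C3",
    "user": "alice@example.com",
    "infected_at": "2023-06-01T09:12:00Z",
    "cookies": [
        {"domain": "sso.example.com", "name": "sid", "expires": "2023-06-01T17:12:00Z"},
        {"domain": "shop.example.net", "name": "cart", "expires": "2024-01-01T00:00:00Z"},
    ],
    "credentials": [
        {"url": "https://vpn.example.com/login", "password_sha256": "aa11"},
        {"url": "https://wiki.example.com/", "password_sha256": "aa11"},   # same password as VPN
        {"url": "https://shop.example.net/account", "password_sha256": "bb22"},
    ],
}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(log: dict, now_iso: str) -> list[dict]:
    """Return remediation actions sorted by priority (0 = do first)."""
    now = _ts(now_iso)
    plan = [{"priority": 0, "action": "isolate_and_reimage", "target": log["host"],
             "reason": "infected host; the stealer may have deleted itself but the device is still untrusted"}]

    # Stolen cookies: a live session cookie bypasses password, MFA and passkey alike.
    for c in log["cookies"]:
        app = CORPORATE.get(c["domain"])
        if app is None:
            continue   # personal site: not ours to terminate
        alive = _ts(c["expires"]) > now
        plan.append({
            "priority": 1 if alive else 3,
            "action": "terminate_sessions",
            "target": app,
            "reason": (f"cookie {c['name']} valid until {c['expires']}" if alive
                       else f"cookie {c['name']} expired; confirm no server-side session outlived it"),
        })
        if alive and c["domain"] == SSO_HOST:
            plan.append({"priority": 1, "action": "terminate_sessions", "target": "all-sso-apps",
                         "reason": "an SSO session reaches downstream apps without re-authentication"})

    # Stolen passwords: reset corporate ones, and chase the same password wherever it was reused.
    hosts_by_hash = defaultdict(set)
    for cred in log["credentials"]:
        hosts_by_hash[cred["password_sha256"]].add(urlparse(cred["url"]).hostname)
    for cred in log["credentials"]:
        host = urlparse(cred["url"]).hostname
        shared = hosts_by_hash[cred["password_sha256"]] - {host}
        if host in CORPORATE:
            reason = "credential exfiltrated"
            if shared:
                reason += ", same password reused on " + ", ".join(sorted(shared))
            plan.append({"priority": 2, "action": "reset_password", "target": CORPORATE[host], "reason": reason})
        elif shared & set(CORPORATE):
            plan.append({"priority": 2, "action": "notify_user_reset", "target": host,
                         "reason": "personal site shares a password with a corporate app"})
        else:
            plan.append({"priority": 4, "action": "notify_user", "target": host,
                         "reason": "personal credential exposed; outside corporate scope"})

    plan.sort(key=lambda a: a["priority"])   # stable sort keeps insertion order within a tier
    return plan


if __name__ == "__main__":
    for step in triage(SAMPLE_LOG, "2023-06-01T12:00:00Z"):
        print(step["priority"], step["action"], step["target"], "-", step["reason"])
```

Run against the sample log a few hours after infection, the plan leads with isolating the host and terminating the SSO session (and everything behind it) before any password reset; run it a day later, the expired SSO cookie drops to an audit item while the password resets stay, which is the visibility-driven prioritization the article is asking for.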

Find out what cybercriminals know about your business. Get visibility into your company's risk of cyberattacks from darknet data, including malware-exposed data.