
How Infostealer Malware Helps Ransomware Operators Hide in Plain Sight

Cybercriminals have always looked for new and dastardly ways to improve their tactics and gain broader and deeper access to valuable data. With more than 4 billion malware attempts observed last year, the trend toward this preferred tactic is clear. Bad actors are deploying infostealer malware to exfiltrate authentication data such as credentials and session cookies, then using that data to hide in plain sight while they gain access to your confidential data.

Infostealer malware is a form of malicious software used by ransomware operators to slip under the radar and steal important information from unsuspecting users. Here we dive into what infostealer malware is, how it helps ransomware operators masquerade as legitimate users to launch cyberattacks, how it puts your data at risk and what best practices you should follow to protect yourself and your organization.

What is Infostealer Malware?

Cybercriminals use infostealer malware to exfiltrate authentication information and use it to gain access to enterprise systems. This type of malware is typically delivered through phishing emails, malicious websites, and other deceptive tactics. Popular types of infostealers we’ve observed on the darknet recently include RedLine, MetaStealer, Raccoon, and Vidar.

Once installed on a system, the infostealer malware collects data from an infected device, including authentication data such as usernames and passwords, as well as personal information such as credit card numbers, crypto wallets and banking details.

As data siphoned by infostealer malware grows in volume and popularity on the darknet, we are recapturing more and more malware logs that contain all the information needed to launch a cyberattack. Malware logs typically include:

System files, including device fingerprint

Usernames and passwords for digital accounts

Auto-fill data saved in browsers such as credit card and shipping information

Web session cookies that can be used for session hijacking

A screenshot of the device at the time of execution to determine the initial access vector

With this information in hand, bad actors can gain access to and wreak havoc on your enterprise.

One of the biggest challenges with infostealer malware is its ability to evade detection due to its non-persistence – some strains are able to infect a device, siphon data, and delete themselves in mere seconds. As such, it’s important for users to be aware of their potential exposure from infostealers and the threat that these infections pose to the enterprise.

How Does Infostealer Malware Help Ransomware Operators Hide in Plain Sight?

In order to combat the growing threat of ransomware attacks, organizations must take proactive measures to protect their networks from infostealers. By understanding how these malicious programs operate and taking steps to ensure that confidential information is secure, businesses can help reduce the risk of becoming a victim of an attack.

The steps from a malware infection to a ransomware attack are actually quite simple after initial infection:

A user mistakenly downloads infostealer malware to a shared or personal device they use to access the corporate network, sites and applications.

The malware siphons the user’s passwords, web session cookies, device information, browser fingerprint, and other data that allows the criminal to walk right into the corporate network.

The user’s stolen data gets traded on the criminal underground, where initial access brokers (IABs), ransomware operators, and other bad actors can purchase it.

IABs identify that the user’s data includes corporate assets and sell it to ransomware operators who can use it to target the user’s employer.

Ransomware operators use the exposed authentication data to log into corporate resources, bypass MFA, and move laterally to increase their access while evading detection.

Ultimately, the bad actors use their illegitimate access to deploy ransomware and demand a ransom payment in exchange for access to the enterprise’s stolen data and files.

In six simple steps, an innocent click on a malicious link or a file download from a seemingly trusted source can turn into a full-blown security incident.
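The fifth step above is what makes a stolen session cookie so dangerous: the cookie already carries a completed MFA check, so the operator never sees a second-factor prompt. One defensive signal is a cookie being presented from a device other than the one that passed MFA at login. The following is an added example, not code from the original post or from SpyCloud; the JSON log format and field names are assumptions, and the events are constructed.

```python
"""Flag a web session cookie replayed from a device other than the one it was
issued to. Added example with an assumed log schema and constructed events."""
import json

# Constructed sample events (JSON lines). Alice's session is issued on her
# laptop after MFA, then the same cookie appears from an unrelated device/IP.
SAMPLE_LOG = """
{"ts":"2024-03-04T08:02:11Z","event":"login","user":"alice@corp.example","session":"s-7f3a","device_fp":"fp-laptop-01","ip":"203.0.113.10","mfa":"passed"}
{"ts":"2024-03-04T08:15:40Z","event":"request","user":"alice@corp.example","session":"s-7f3a","device_fp":"fp-laptop-01","ip":"203.0.113.10","mfa":"cookie"}
{"ts":"2024-03-04T21:47:03Z","event":"request","user":"alice@corp.example","session":"s-7f3a","device_fp":"fp-unknown-9c","ip":"198.51.100.77","mfa":"cookie"}
{"ts":"2024-03-04T09:00:00Z","event":"login","user":"bob@corp.example","session":"s-1b2c","device_fp":"fp-desk-04","ip":"203.0.113.22","mfa":"passed"}
{"ts":"2024-03-04T09:30:00Z","event":"request","user":"bob@corp.example","session":"s-1b2c","device_fp":"fp-desk-04","ip":"203.0.113.22","mfa":"cookie"}
"""


def detect_session_replay(log_text):
    """Return one alert per event where a session cookie is used from a device
    fingerprint that differs from the one recorded at MFA-backed login, or
    where no login was ever recorded for that session id."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    events.sort(key=lambda e: e["ts"])  # process in chronological order
    issued_to = {}  # session id -> (device_fp, ip) captured at login
    alerts = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login" and ev["mfa"] == "passed":
            issued_to[sid] = (ev["device_fp"], ev["ip"])
            continue
        origin = issued_to.get(sid)
        if origin is None:
            alerts.append({"session": sid, "user": ev["user"],
                           "reason": "no login record"})
        elif ev["device_fp"] != origin[0]:
            alerts.append({"session": sid, "user": ev["user"],
                           "reason": "device mismatch",
                           "issued_to": origin[1], "seen_from": ev["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(alert)
```

A real deployment would key on whatever device-binding signal your IdP exposes (device fingerprint, client certificate, or token binding) rather than a bare fingerprint string, but the logic is the same.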

Learn more about how malware is perpetrated and how it leads to costly ransomware attacks in our latest eBook, “Disrupting the Ransomware Market: Breaking Down Malware and the Importance of Post-Infection Remediation.”

How Infostealer Malware Can Put Your Data at Risk

Being aware of the risks posed by infostealer malware is essential for protecting your business. This type of malicious software can be used to gain access to a system remotely, allowing ransomware operators to deploy their payloads and cause significant damage.

The most concerning aspect of infostealer malware is its ability to remain undetected. An infection that quickly executes, steals data, and deletes itself can cause long-lasting damage because you can’t fix what you can’t see. We’ve found that businesses are impacted by malware infections on personal or unmanaged devices, such as when an employee accesses corporate accounts on a personal device infected with malware or a third-party contractor accesses a system from a non-corporate issued device with limited security oversight.

Typically, malware-infection response involves wiping the device and closing the ticket. However, once authentication data is in the hands of bad actors, they can access accounts whenever they want, extending the threat of the malware infection well beyond the device.

To address the implications of malware infections beyond the device, SpyCloud introduced a critical addition to malware-infection response: Post-Infection Remediation. These steps, added to existing incident response protocols, are designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating the session cookies siphoned by infostealer malware.
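To make the Post-Infection Remediation step concrete, here is an added example (not SpyCloud's code or data format) that takes a recaptured malware log record with the fields listed earlier (device fingerprint, saved credentials, browser cookies) and turns it into a remediation checklist: reset every exposed corporate credential, invalidate every exposed corporate session, and review the device if it was unmanaged. The record layout, the corporate domain list and the action names are assumptions; the sample record is constructed.

```python
"""Build a post-infection remediation plan from a recaptured infostealer log.
Added example; record layout, domains and action names are assumptions."""
import json
from urllib.parse import urlsplit

# Domains the organisation owns (assumed). Accounts elsewhere are personal and
# out of scope for the corporate response, though the user should be told.
CORPORATE_DOMAINS = {"corp.example"}

# Constructed sample record. Secrets are deliberately absent: the plan only
# needs to know WHICH accounts and sessions were exposed, never the values.
SAMPLE_RECORD = json.dumps({
    "device_fingerprint": {"hostname": "HOME-PC", "managed": False},
    "credentials": [
        {"url": "https://sso.corp.example/login", "user": "alice@corp.example"},
        {"url": "https://shop.example.net/account", "user": "alice.home@example.net"},
    ],
    "cookies": [
        {"domain": ".corp.example", "name": "SESSIONID"},
        {"domain": "shop.example.net", "name": "cart"},
    ],
})


def host_is_corporate(host):
    """True if host is one of our domains or a subdomain of one."""
    host = host.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def remediation_plan(record_json):
    """Return ordered (action, subject, scope) tuples for the incident ticket."""
    rec = json.loads(record_json)
    actions = []
    for cred in rec.get("credentials", []):
        host = urlsplit(cred["url"]).hostname or ""
        if host_is_corporate(host):
            actions.append(("reset_password", cred["user"], host))
    for cookie in rec.get("cookies", []):
        if host_is_corporate(cookie["domain"]):
            actions.append(("invalidate_session", cookie["name"],
                            cookie["domain"].lstrip(".")))
    device = rec.get("device_fingerprint", {})
    if not device.get("managed", True):
        actions.append(("review_unmanaged_device", device.get("hostname", "?"), None))
    return actions


if __name__ == "__main__":
    for action in remediation_plan(SAMPLE_RECORD):
        print(action)
```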

By understanding the risks posed by infostealer malware, users can take the steps needed to stay a step ahead of cybercriminals and protect themselves from becoming a victim of this type of attack.

Best Practices to Help Prevent Infostealer Malware

To protect yourself from infostealer malware, it is important to take proactive steps and use the latest security solutions. Here are a few of the best practices for avoiding and managing threats posed by infostealers and ransomware operators:

Install comprehensive antivirus software – Having up-to-date antivirus software helps detect, quarantine, and remove malicious programs. It is vital to keep your virus definitions current so you can combat new threats as soon as they emerge, but also be aware that additional steps to reset passwords and invalidate web sessions are necessary to fully remediate an infection.

Ensure your operating system is up-to-date – Outdated systems are easier targets for cybercriminals than those running on the most recent version of their respective software. Therefore, it’s important to frequently check for updates and install them promptly when released in order to stay ahead of potential risks.

Exercise caution with suspicious links and emails – Make sure you only open links from reliable sources or verify them before clicking. Never open messages or attachments from unknown senders, as these could contain malicious code that might compromise data or devices if opened.

Monitor darknet data exposure – Having insights into your organization’s darknet exposure levels the playing field with cybercriminals, enabling action on the data criminals are using to target your enterprise for account takeover and ransomware attacks.

Following these simple steps helps protect your organization against those looking to take advantage of it, while also reducing the chances of becoming a victim of a devastating cyberattack.

Check Your Darknet Exposure

SpyCloud’s Check Your Exposure tool gives you insight into your corporate darknet exposure. Simply enter your corporate email address and you’ll get up to 18 detailed stats back in your custom darknet exposure report, outlining where your organization is most at risk, including:

Malware-infected employee records (reflecting exposures from both managed and unmanaged devices)

Password reuse

Executive credential exposures

Stolen session cookies

By understanding your exposure and taking the necessary steps towards preventing infostealer malware infections, you can help reduce the chances of becoming a victim of a ransomware attack or other form of cybercrime.

