
Fool Me Once: How Botnets Help Malicious Actors Pose as Your Employees (And What Enterprises Can Do About It)

Malware-as-a-service (MaaS) is a growing economy on the criminal underground, opening the doors to ransomware, identity fraud, and other cybercrimes. The rise in popularity of credential-stealing malware (also known as infostealers) is a particular concern for organizations because it lifts employee authentication data (passwords, session cookies, browser fingerprints) right off employee devices, managed or unmanaged, allowing cybercriminals to impersonate those individuals. The theft itself takes only seconds.

You’ve probably heard a lot that cybercriminals are constantly growing more sophisticated. But it doesn’t take much savvy at all to leverage infostealers. Anyone with a couple hundred dollars and a few minutes to spare can launch a malware campaign, especially since pay-per-install operators on the same marketplaces will do the infections for you.

To imagine the magnitude of the threat, consider the Raccoon Infostealer that’s been in the news lately. The U.S. Department of Justice recently indicted the mastermind behind the malware, a 26-year-old Ukrainian national. As part of its investigation, the DOJ identified more than 50 million unique login credentials siphoned from infected endpoints, and that figure doesn’t account for everything that might still be circulating on the darknet.

The barrier to entry for this infostealer is practically zero. Sold in underground marketplaces for about $200/month, Raccoon came complete with all the tools required to infect devices and steal data, including a dashboard that enabled the customer to download stolen data and build individual malware configurations that could be used to target a variety of individuals or companies. And even though the U.S. government dismantled the Raccoon infrastructure, the gang behind this MaaS is back in business. Raccoon 2.0 is being advertised as a new and improved version – with even more capabilities.

One of the tools that enable malicious actors to carry out extensive infostealer attacks is ‘botnets,’ or robot networks. While the infostealer is often the most damaging part of the package, a botnet magnifies the scale and efficacy of a campaign by automating the initial-access stage of the attack cycle. Botnets are something of a double whammy, too: you have to worry not only about critical data being siphoned at scale, but also about employee devices becoming part of the network and being used against the next victim.

The Evolution of Botnets

Botnets have famously been used to launch distributed denial-of-service (DDoS) attacks and mass spam and malware-distribution campaigns; the BredoLab botnet, dismantled in 2010, was estimated at its height to comprise over 30 million individual machines. Today, botnets have evolved to deploy malware including infostealers, which are often designed to leave little or no trace on the target device. This malware often flies under the radar by running in memory, exfiltrating the data it wants, and then deleting itself, so that once the computer is restarted there is little on disk for an investigator to find.

Equipped with tools like modern infostealers and other means of gaining initial access, attackers can often gain a foothold on a network in a matter of minutes. Cloud infrastructure makes this even easier for the attacker, who can scale the process to infect thousands of computers with little manual interaction and passively siphon sensitive data from a large network of infected hosts.

Thanks to the underground economy, anyone can buy a botnet or pay for an infostealer, extract the credentials it siphoned, create a combo list (username and password pairs), and throw it against a list of targeted sites to try accessing other accounts (credential stuffing). Alternatively, the same attacker may decide to sell valuable access, whether to a specific company or to an asset like a large cryptocurrency account, to the highest bidder, which may be a ransomware affiliate or another financially motivated criminal actor.

But nefarious actors don’t even have to go to this much trouble. Just look at Raccoon – the group behind it advertised it as a completely automated process that was the result of months of development to save “customers” precious time and headaches – with all the software, front-end, and back-end components included.

What makes infostealers so dangerous is that data siphoned right off the employee device greatly increases the cybercriminals’ success rate: it is fresh, and it includes far more than passwords. This data is shared in small criminal circles among trusted associates who can use it to launch attacks quickly. That’s why malware infections are so closely tied to ransomware attacks: with freshly harvested credentials plus session cookies and browser fingerprint data in hand, bad actors can replay an already-authenticated session, bypass multi-factor authentication (MFA) without ever triggering a prompt, access the enterprise, and start encrypting assets.

By the time the security team discovers what happened, it’s too late. And that’s if they detect the malware at all. Considering the explosion of unmanaged and unmonitored devices, especially with the increase in remote work, not to mention insecure managed devices and contractor devices that aren’t up to date, many security teams have limited to no visibility into what’s happening on the devices employees use to access enterprise assets.

What Your Enterprise Can Do

Endpoint detection and response (EDR), data backups, MFA, robust access policies: these and other basic security controls all help minimize your risk from botnets and follow-on malware infections. For additional prevention, enterprises can take a strong stance by minimizing or even eliminating BYOD practices, since unmanaged personal devices are exactly where infostealers go unnoticed.

But prevention is only one layer. Malware infections can happen to anybody; even the shrewdest users can unwittingly become compromised by opening a convincingly spoofed email with a malicious link. Detecting malware deployed by botnets at the time of infection, and remediating quickly after infection, is a necessary part of your defense.

Simply wiping the malware off the device doesn’t provide that level of protection, because the stolen data has already left the device. You need to know exactly what data was siphoned and how it can be weaponized against your enterprise, and react before the attacker gets the opportunity to use it: reset exposed passwords, invalidate exposed sessions, and rebuild the infected device.

This is where visibility into darknet data is critical. Monitoring for compromised users and devices enables you to perform post-infection remediation quickly. To limit the scope of the threat, you need to know not only which users and what data were exposed, but also which systems and applications that data unlocks.
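The triage that the preceding paragraphs describe, turning a batch of recaptured stealer-log records into a remediation plan, is shown below as an added example. This is illustrative code written for this page, not a SpyCloud tool or API. The record layout, the sample users, hosts, domains and passwords, the corporate domain list and the 14-day session lifetime are all constructed assumptions; real stealer logs differ by malware family and would be normalized first.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of parsed stealer-log records (made-up users, hosts,
# domains and passwords). The field names are an assumption about what a
# normalized log looks like; real logs differ by malware family.
SAMPLE_RECORDS = [
    {"email": "a.jones@example-corp.com", "url": "https://sso.example-corp.com/login",
     "password": "Summer2023!", "cookies": ["sid", "mfa_trusted_device"],
     "host": "LAPTOP-AJ", "seen": "2024-05-01T09:12:00Z"},
    {"email": "a.jones@example-corp.com", "url": "https://www.example-shop.test/account",
     "password": "Summer2023!", "cookies": [],
     "host": "LAPTOP-AJ", "seen": "2024-05-01T09:12:00Z"},
    {"email": "b.smith@example-corp.com", "url": "https://vpn.example-corp.com/",
     "password": "", "cookies": ["JSESSIONID"],
     "host": "DESKTOP-BS", "seen": "2024-04-20T17:40:00Z"},
    {"email": "c.lee@personal-mail.test", "url": "https://git.example-corp.com/",
     "password": "hunter2", "cookies": ["gitlab_session"],
     "host": "contractor-pc", "seen": "2024-03-02T08:00:00Z"},
]

CORP_DOMAINS = {"example-corp.com"}   # assumed: the enterprise's own domains
SESSION_TTL = timedelta(days=14)      # assumed: longest session lifetime of the corp apps


def app_host(url):
    return (urlsplit(url).hostname or "").lower()


def is_corp_host(host, corp_domains):
    return any(host == d or host.endswith("." + d) for d in corp_domains)


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def classify(record, corp_domains):
    """Label one record by what an attacker could do with it."""
    host = app_host(record["url"])
    corp_app = is_corp_host(host, corp_domains)
    corp_user = record["email"].rsplit("@", 1)[-1].lower() in corp_domains
    kinds = set()
    if corp_app and record["password"]:
        kinds.add("corp_credential")    # password for an enterprise app
    if corp_app and record["cookies"]:
        kinds.add("corp_session")       # cookie that may replay an MFA-passed session
    if corp_user and not corp_app and record["password"]:
        kinds.add("reuse_risk")         # work email + password on a third-party site
    if corp_app and not corp_user:
        kinds.add("external_identity")  # contractor/personal account holding corp access
    return kinds


def build_plan(records, corp_domains, now):
    plan = {
        "reset_password": set(),              # identities whose corp password is exposed
        "revoke_sessions": defaultdict(set),  # app host -> identities whose cookies must die
        "likely_live_sessions": set(),        # (host, email) still inside SESSION_TTL
        "confirmed_reuse": set(),             # corp password seen verbatim on a third-party site
        "reuse_risk": set(),                  # work email + password elsewhere, reuse unknown
        "isolate_hosts": set(),               # every infected device, managed or not
        "external_identities": set(),
    }
    corp_pw = defaultdict(set)   # email -> passwords exposed for corp apps
    third_pw = defaultdict(set)  # email -> passwords exposed on third-party sites
    for r in records:
        host = app_host(r["url"])
        kinds = classify(r, corp_domains)
        plan["isolate_hosts"].add(r["host"])
        if "corp_credential" in kinds:
            # Password exposure does not age out: it stays valid until rotated.
            plan["reset_password"].add(r["email"])
            corp_pw[r["email"]].add(r["password"])
        if "corp_session" in kinds:
            # Revoke regardless of age (TTL is a guess and revocation is cheap),
            # but flag cookies young enough to still be replayable as urgent.
            plan["revoke_sessions"][host].add(r["email"])
            if now - parse_ts(r["seen"]) <= SESSION_TTL:
                plan["likely_live_sessions"].add((host, r["email"]))
        if "reuse_risk" in kinds:
            plan["reuse_risk"].add(r["email"])
            third_pw[r["email"]].add(r["password"])
        if "external_identity" in kinds:
            plan["external_identities"].add(r["email"])
    for email, pws in third_pw.items():
        if pws & corp_pw[email]:
            plan["confirmed_reuse"].add(email)
    return plan


if __name__ == "__main__":
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)
    for key, value in build_plan(SAMPLE_RECORDS, CORP_DOMAINS, now).items():
        print(key, dict(value) if isinstance(value, defaultdict) else sorted(value))
```

Two design choices matter here. Exposed passwords are never filtered by age, because a credential stolen months ago is still valid until someone rotates it, which is the "risk could last for years" problem; session cookies, by contrast, do expire, so the plan revokes all of them but singles out the recent ones as the cases where an attacker may already be inside without an MFA prompt. The contractor record shows why the plan keys on the application host as well as the user: a personal email address holding corporate access still needs its session and password handled on the corporate side.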

While botnets are just one type of cyberattack to be aware of, it’s also useful to stay on top of the threats affecting your industry. You don’t necessarily need an expensive threat intelligence feed to be aware of the trends and tactics cybercriminals are employing; reading published research and industry news goes a long way. Knowing which vulnerabilities are being actively targeted helps you prioritize the mitigation steps that matter most within your own organization.

Keep in mind that modern infostealers take only seconds to harvest a device. Once your data is out the door, the risk can last for years if you don’t remediate every compromised credential and session. No enterprise can afford to take that chance.

Learn more about the risks of botnets, infostealers, and malware infections and how to close your attack surface visibility gaps by watching our latest “Mind the Gap” on-demand webinar.
