Advisory: Info-stealer malware - threat and mitigations

Original Issue Date:- November 22, 2023

Virus Type:-info-stealer malware

Severity:- High

Information stealer is a malware variant that is designed to steal critical/ sensitive information, such as login credentials, personal identification details, financial information, and other confidential data, from the victim's systems. In most cases, info-stealers steal data that can benefit cyber criminals in many ways such as making money via ransom through stealing credit card details, cookies, cryptocurrency wallets, VPN clients’ data, private photos and documents that can be used for blackmail, etc.

The stolen confidential data is often sold on the darknet or other underground market places, where cybercriminals can purchase it and use it for further malicious activities.

The Info-stealer malware typically sustains itself in the compromised environment and it operates under the Malware-as-a-Service (MaaS) paradigm.

Infection Strategy:

The info-stealers have the capability to operate on cross-platform such as Windows and Linux etc. This malware type is aimed to steal sensitive information, including saved login credentials, session tokens and much more. This information can be used by malicious actors to bypass multifactor authentication (MFA) and gain immediate access to user accounts.

The major chunk of malware infection arises from spam emails, either through attachments or malicious links. The same techniques are used by spam emails to deceive people are also used via SMS, WhatsApp, Facebook Messenger, and even phone calls.

After being deployed on a victim's system, it initiates the collection of sensitive information and transmitting the gathered data to the attacker, who may leverage it for diverse purposes, including identity theft, blackmail, or financial fraud.

Information stealers can infect the systems in a variety of ways and a few of them are given below :

Phishing Email: Clicking on a link or attachment in an email that is designed to harm your device or steal your sensitive information.
Keylogging: Some malware is designed to steal sensitive information such as login credentials by capturing keystrokes.
Data Exfiltration: Attackers usually transmit stolen information to a remote server under their control.
Search engine ads: Downloading a file from an untrusted source, YouTube videos are also used to trick users via fake game cheat.
Clipboard Theft: Information stealers can keep a watch on the system clipboard to obtain copied information, including passwords.
Screen Capture: Malware can capture sensitive information by taking screenshots of the victim's device while it displays the data.
Infected Software: Users often download cracked software, risking info stealers and system compromise.
Infected Hardware: Info stealer and other malware can infect systems via USB or pen drives, which then spread the infection to other connected systems.

There are several info-stealer malwares that have been critically proven dangerous for organizations. For example; Redline Info-Stealer Malware is distributed through phishing emails. It can steal a wide variety of data, including passwords, credit card details, and cryptocurrency wallets etc. Vidar info-stealer is spread through the download of a spoofed application from an untrusted source. After infection, the malware search and steals for sensitive information such as account credentials, browser history, saved passwords and cryptocurrency wallet data etc. Raccoon info-stealer is focussed on various applications such as Chrome, opera etc. to extract data. Critical sensitive information such as credentials, account details are compromised.

There are other information stealer malwares that are actively operating across the globe and a list of them is given below:

RisePro Stealer, MintStealer, Aurora Infostealer , VectorStealer, Titan Stealer, Graphiron , WhiteSnake Stealer , Stealc Stealer, Umbral Stealer, Mystic Stealer , STRRAT Stealer, Eternity Stealer, Laplas Stealer, Lumma Stealer, GraphicalProton, Sapphire Stealer, Phemedrone Stealer , Easy Stealer Malware, Atomic STEALER, TurkoRAT and Lucifer malware etc.

This class of malware is continuously growing in its functionality and infection capabilities while the list of info-stealers is incessantly increasing as the attackers are paying more attention for their development.

Removal tools:

CSK Free Bot Removal Tool (FBRT) utility may be used to detect and remove specific malware/viruses from your affected Windows digital devices.

https://www.csk.gov.in/security-tools.html

Countermeasures against info-stealers:

Email attachments should be scanned at the gateway level and block known malicious file extensions.
It is important to install an Endpoint Detection and Response (EDR) solution on all endpoints.
Block search engine ads by blocking them at the proxy or web gateway level.
Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only. Users must be aware while clicking on links during web search.
Avoid the habit of storing passwords in web browsers, rather a password manager may be used. Keep the complex passwords that are hard to guess.
Update software and operating systems with the latest patches. Outdated applications and operating systems are the targets of most attacks.
User accounts should be secured with MFA.
Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
It is advised to block office applications from creating executable files.
Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
Prohibit external FTP connections and blacklist downloads of known offensive security tools.
All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches available in any unofficial channel.
Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
Users are advised to disable their RDP if not in use, if required, it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
Consider encrypting the confidential data as the ransomware generally targets common file types.
Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.

References: