Cybercriminals have extensively used ransomware in their attacks on businesses, government entities, and critical infrastructure, and while these attacks often make headline news and cause massive disruption, there is a much more common malware threat – Information stealers.
Information stealers are malware that is silently installed on devices that can remain undetected for long periods of time. These types of malware have many different capabilities and can serve as downloaders for other malicious payloads, but their main function is information theft. Information theft is achieved in several ways, depending on the malware variant in question. These malware types often have keylogging capabilities and can record keystrokes as they are entered on the keyboard, allowing sensitive information such as usernames and passwords to be captured. They can often record audio from the microphone, take control of the webcam and record video, and take screenshots. They can also steal browser histories, cookies, and other sensitive information.
The information stolen from the victim allows the threat actor to conduct follow-on attacks, access accounts and steal further sensitive data, access and drain financial accounts, or commit identity theft and other types of fraud. Information stealers can also provide a threat actor with access to a device, and that access is often sold to specialized cybercriminal groups such as ransomware actors. Many hackers now act as initial access brokers, using information stealers to gain access before selling that access to other cybercriminal groups.
Information stealers such as Lumma, AgentTesla, FormBook, Redline, and StealC have been increasingly used in recent years, especially last year. Check Point observed a 58% increase in attacks from the previous year, and a report from the threat intelligence firm KELA suggested that lists of credentials obtained from information stealers are being shared on cybercrime forums. The credential lists included billions of logins that had been captured from infected devices, which, according to KELA, included around 4.3 million devices, of which around 330 million credentials had been stolen. An estimated 40% were corporate credentials.
The breach notification service, Have I Been Pwned (HIBP), has recently added 284 million compromised accounts to the service. The credentials were identified from chats on a Telegram channel called ALIEN TXTBASE, with the data obtained from information stealer logs. HIBP founder Troy Hunt said the stealer logs included 23 billion rows of data with 493 million unique website and email address pairs and around 284 million unique email addresses. Hunt said 244 million passwords were not previously known to the HIBP service, with 199 million already in its database.
The extent to which these malware variants are used, and the increase in use in 2024, clearly demonstrates the importance of advanced malware protection and the sheer number of compromised credentials suggests many businesses have been infected with information stealers. The problem for businesses is that these malware variants can be difficult to identify, as new versions are constantly being released. Traditional antivirus software is signature-based, which means it can only detect known malware. When new malware is identified, a signature of that malware is obtained and fed into antivirus software. If a malware signature is not in the software’s definition list, it will not be detected. There are several ways that these information stealers are distributed, with email being one of the most common. They can also be downloaded from the internet from malicious websites in drive-by downloads or installed along with pirated software or doctored versions of legitimate software installers.
Defending against information stealers requires a combination of measures – a defense-in-depth approach, with multiple overlapping layers of security. Given the high volume of infections stemming from email, businesses need a spam filter to block malicious emails. Antispam software will block many malicious emails; however, an antispam server must have advanced antimalware defenses. That means traditional signature-based detection and advanced behavioral detection to ensure previously unseen malware is identified and blocked.
SpamTitan uses dual anti-virus engines for detecting known threats and a next-generation email sandbox for behavioral analysis. If standard checks are passed, suspicious messages are sent to the sandbox – a safe environment where they are detonated and their behavior is analyzed. This vastly improves the detection rate, and in recent independent tests, SpamTitan outperformed all other tested email security solutions and had a 100% malware detection rate.
Security awareness training needs to be provided to the workforce to ensure that employees have the skills to recognize and avoid threats, no matter where they are encountered. Through training, employees should be conditioned to always report potential threats to their security team, and businesses can promote security best practices and eradicate risky behaviors. TitanHQ offers businesses a comprehensive training and phishing simulation platform – SafeTitan – that has been shown to be highly effective at improving employees’ security awareness.
Many malware infections occur via the Internet, and while training can reduce risk, a technical security solution is required to block threats. WebTitan is a DNS-based web filter that is used to block access to known malicious websites, assess websites in real-time for malicious content, block certain file downloads from the Internet, and restrict the sites and web pages employees can access.
With these three security solutions in your arsenal, you will be able to significantly improve your security posture and block information stealers and other threats. Give the TitanHQ team a call today to find out more or take advantage of a free trial of these solutions.