What are Infostealers? | How Can They Impact your Business?

This quick guide explains how “infostealers” are a rising threat actor that acquires your data through sophisticated malware. By exploring how cybercriminals are leveraging and utilizing this form of cyber threat, you’ll understand why infostealers are so dangerous. We’ll also share what types of channels are allowing these cybersecurity breaches to thrive.

Why is there a rise in information stealer (infostealer) malware?

First it is important to define what exactly is an infostealer.

An information stealer (commonly described as an “infostealer” or a “stealer”) is a type of malware, typically a Trojan malware virus, that is able to disguise itself and gather sensitive information. Its ultimate purpose is to collect your information from any infected computer.

So what sensitive information and personal data are infostealers searching for? Here is a quick rundown:

• Passwords saved across all your browsers
• Cookies
• Computer search history
• Credit card information
• Cryptocurrency wallets
• Basic information about your computer (e.g. OS, hardware, installed software etc.)
• Login credentials (including your personal login for your bank accounts, insurance, Microsoft Outlook, LinkedIn, HubSpot, Salesforce, Gamepass, and Meta accounts to name a few)

The infostealer then collates all information into an archive, which is a called a log.

How does an infostealer leverage the log?

As we’ve established the stolen data log contains very sensitive information that enable widespread command and control. It is a prime time for a malicious actor to easily take full control of your online identity, from accessing your credit card to your crypto wallets– the vulnerabilities and possibilities are widespread. Infostealers can typically access your accounts on any type of web platform, including:

• Email
• Banking
• Gaming
• Social media
• Crypto trading
• Online shopping and marketplaces

Typically your online cookie data can then be directly pasted in any browser for any infostealer to connect on your behalf. This can be done the cybercriminal needing to enter any passwords. Infostealer malware has become a popular way for cybercriminals to collaborate by spreading sensitive data via dark web forums or via private communities on encrypted messaging app Telegram.

Click here to intercept stolen credentials with CybelAngel.

What types of sensitive data do infostealers want?

Infostealers target a wide variety of information; the list below is just a sample of what cybercriminals are after:

• Information saved on your browser: Passwords, credit card logins, auto-filled logins
• Files: search and exfiltrate sensitive files based on extensions or path
• Data streams: from FTP/Steam/instant messaging clients (on Telegram, Discord etc.)
• Cryptocurrency wallets

They are also interested in other advanced features like:

• Clipper (replaces copied crypto address with an attacker-controlled one in clipboard)
• Anti-VM (virtual machine) capabilities to evade detection

How do infostealers crack into my vulnerabilities?

In real life criminals will tirelessly work infiltrate any location that they want to enter. Online it is a slightly different playing field. Infostealers must be first given access to infiltrate your sensitive data. But they are very agile and adept at finding ways to trick you into opening a virtual entryway. Like most Trojan malware, infostealers can access your data via these traditional channels:

• Cracked software and games
• Fake password crackers
• Fake account recovering software
• Ads for cleaner software
• Phishing emails

This is quick overview of the typical channels they can use but consider it a non exhaustive list.

The accelerating infostealer economy

Creating infostealer malware requires knowledge and skill, however, obtaining and using it does not. The malware ecosystem is moving towards Malware as a Service (MaaS), and infostealers are cashing in. The prices are roughly the same between the different strains of stealers. They usually range between $100-200 a month or $1,000 for a lifetime subscription.

For example, earlier this year TechRadar reported that a new MacOS malware known as ‘Atomic’ was being sold at $1,000 per month. Stealers are primarily sold via dark web forums and encrypted messaging apps like Telegram. Most of the malicious actors infecting computers at scale with infostealer malware but actually do not use the logs themselves. Instead these cybercriminals sell this sensitive information on dark web forums or via specialized sites like Russian Market or Genesis Market. On these sites logs can be sold for as low as $1, all the way up to $150. Logs are a commodity for cybercriminals. The fact that they can be bought cheaply—it is a sure fire reason why they are so dangerous.

Why are infostealers so dangerous?

Infostealers are ascending. So why should you be wary? While the majority of infected computers are personal computers, because the distribution channels are closely linked to gaming or the illegal infiltration of accounts, certain threat actors target corporate devices, usually via phishing campaigns. Companies get stung double fold by the “bring your own device” to work option in corporate environments as well as the blurring of lines when employees use professional devices for personal activities.

If you or your team reuse the same batch of passwords, it can quickly lead to your corporate accounts and sensitive information being compromised by an information stealer. Infostealers are dangerous for a myriad of reasons but the greatest risk is that they are widely available, easily accessible and can be deployed by anyone as they do not require you have a high level of technical skill or knowledge. This makes them far more dangerous than other cyber threats

The 2023 Verizon Data Breach Investigations Report cites that “74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.”

There is a bright side: according to 2023 CybelAngel data on infostealer malware, commercial sectors were the primary target of infostealers and cyber actors who successfully exfiltrated data. In September of 2023, CybelAngel was able to detect, capture and alert our customers on over 7,500 exposed and compromised credentials. To read more about the resurgence of infostealers, check out our 2024 State of the External Attack Surface Report.

How can you protect yourself against infostealers?

As we’ve identified infostealers still need you to give them initial access to your apps and operating system to attack. We know that they are extremely persistent, widespread and eager to quickly infect your devices with malware to cash in on dark web forums. But there is hope. Here are three ways to protect your brand against infostealers:

1. Awareness and diligence is the best defence against this type of threat actor. Regularly update your online passwords and use multi-factor authentication to keep your login credentials more secure.
2. Train your team! Ensure you and your team understand the unique cyber threat that infostealers pose (share this guide for example) and train them to be on the lookout for suspicious sites, forms, unusual email or social media messages and phishing links.
3. Know your options: In the case that your stolen credentials have compromised your brand and you need to recover stolen data, know that you still have options. CybelAngel’s Account Takeover Prevention solution can quickly handle the cyber fallout break the link between theft and profit. Learn more here.

That is it for this 101 cybersecurity guide to information stealers. If you would like to get in touch with CybelAngel to discuss threat intelligence and how to protect your brand against infostealers, contact us.