Stealing Information from Easy Targets: The Garden of Low-Hanging Fruit

Imagine gaining access to any Fortune 100 company for $10 or less, or even for free. A terrifying thought, isn’t it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that’s the state of things today. Welcome to the infostealer garden of low-hanging fruit.

In recent years, the problem has grown significantly, and we are slowly learning its full destructive potential. In this article, we’ll describe how the entire cybercriminal ecosystem operates, the ways various threat actors exploit data originating from it, and most importantly, what you can do about it.

Let’s start with what infostealer malware actually is. As the name suggests, it’s malware that… steals data.

Depending on the specific type, the information it extracts might differ slightly, but most will try to extract the following:

  • Cryptocurrency wallets
  • Bank account information and saved credit card details
  • Saved passwords from various apps
  • Browsing history
  • Cookies from the browser
  • List of downloaded files
  • Information about the operating system used
  • A screenshot of your desktop
  • Documents grabbed from the filesystem
  • Credentials for Telegram and VPN apps

Example of an infostealer log package

And much more, as malware developers add features over time. This leaked information poses a significant risk if exposed on the internet, especially the credentials for an organization’s internal systems. Unfortunately, this is happening daily to thousands of users.

You don’t need to be tech-savvy or wealthy to spread infostealer malware or obtain stolen data. Let’s explore how the cybercriminal ecosystem functions.

You, too, can be a cybercriminal!

Specialization is a growing trend in the dark corners of the internet. Unlike in the past, when one group managed the entire process, today various threat actors specialize in one aspect of cybercrime and offer services to those willing to pay.

One example from the past is the Zeus banking malware, which was developed and spread by a single group. With the evolving market, individuals can now join the cybercrime startup industry with ease. Positions available include:

Screenshot of the desktop included in the log package shown above

Dropper Implant Developer / Installs Seller

Responsible for developing malware droppers that bypass antivirus software, allowing for the installation of malicious code. These developers either use the access themselves or sell it to others on darknet forums.

Popular droppers include Smoke Loader, which has been operating since 2011 and continues to evolve. Dropper/loader developers sell access to infected machines for spreading malware.

Services like InstallsKey offer infected computers for sale, allowing individuals to spread their malware efficiently.

Infostealer Malware Developer

The backbone of the industry, these developers create malware that steals valuable information like cryptocurrency wallets, bank account details, and passwords. Various infostealer malware subscriptions are available with prices ranging from dozens to hundreds of dollars per month.

Developers provide a “builder” application to create customized .exe files for stealing data.

Infostealer malware can deliver stolen data through web panels or communication channels like Telegram.

Crypter Developer

Crypters help bypass antivirus software to ensure malware installation. By packing malicious files in a way that evades detection, crypter developers enable threat actors to execute attacks without being detected.

Traffer Teams

Groups of individuals who collaborate to spread infostealers on a larger scale. They provide a turnkey solution for infecting unsuspecting users and offer services for monetizing stolen data.

Traffer Team Manager

Manages a team of traffers and coordinates the distribution of malware. Responsibilities include creating infostealer malware and setting up communication channels for new recruits.

Traffer Team Spreader

An entry-level position involving the distribution of malware through fake tutorials and scam pages. Spreaders infect potential victims in order to generate profit.

Log Cloud Operator

Services that provide logs collected from various sources and sell them as “unique” data. Log clouds offer vast amounts of data, which can be valuable for threat actors seeking specific information.

url:log:pass Reseller

Resellers who create .txt files containing URL, login, and password information from log packages. These files are sold for easy access to credentials without the need to sift through large log packages.
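The url:login:pass format these resellers trade in is also what a defender gets handed when such a file turns up. The following is an added example, not code from the article or from HackedList.io: it parses lines in that format (assumed here to be URL, login, password separated by colons, with the URL possibly carrying a scheme, port and path), keeps only entries whose host belongs to the organization's own domains, de-duplicates them per host and account, and masks the password so an exposure check never handles the full secret.

```python
import re
from urllib.parse import urlsplit

# Assumed "url:login:password" layout: the URL may have a scheme, a port and a
# path; the login contains no colon; everything after the second separator is
# the password, so passwords containing ':' survive intact.
LINE_RE = re.compile(
    r"^(?P<url>(?:[A-Za-z][A-Za-z0-9+.-]*://)?[^\s/:]+(?::\d{1,5})?(?:/[^\s:]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.*)$"
)

def parse_line(line):
    """Return (url, login, password) or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("url"), m.group("login"), m.group("password")

def host_of(url):
    """Lowercase hostname of the URL; a scheme is prepended so urlsplit works."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def mask(secret):
    """Keep only the first character so analysts never see the full password."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""

def find_exposures(lines, own_domains):
    """Masked records whose host equals, or is a subdomain of, an own domain."""
    own = tuple(d.lower() for d in own_domains)
    hits, seen = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # junk line, not a credential record
        url, login, password = parsed
        host = host_of(url)
        if not any(host == d or host.endswith("." + d) for d in own):
            continue                      # someone else's exposure
        key = (host, login.lower())       # de-duplicate per host/account
        if key in seen:
            continue
        seen.add(key)
        hits.append({"host": host, "login": login, "password": mask(password)})
    return hits

# Constructed sample lines in the url:login:pass style (not real data).
SAMPLE = [
    "https://vpn.example.com/login:alice:Summer:2024!",
    "http://mail.example.com:8443/owa:bob@example.com:hunter2",
    "https://shop.other-site.net/account:carol:pass123",
    "vpn.example.com:alice:Summer:2024!",   # same account, no scheme
    "this line is not in the expected format",
]
```

Calling `find_exposures(SAMPLE, ["example.com"])` yields two masked records (alice on vpn.example.com and bob@example.com on mail.example.com); the other-site entry, the duplicate and the junk line are dropped.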

Automated Market Operator

Operators of automated log marketplaces that sell unique and exclusive logs to threat actors. While more expensive, these markets offer data that hasn’t been widely circulated, increasing its value.

Initial Access Broker

Brokers who leverage stolen credentials to gain access to compromised networks, selling these footholds to other threat actors. These brokers facilitate the initial access for further attacks like ransomware.

Opportunistic Script-Kiddie

Novice hackers who use publicly available malware and stolen data to launch attacks without much technical knowledge. These individuals can cause significant damage with minimal effort.

Summary

Explore the diagram below for a visual representation of the cybercriminal ecosystem:

Consider using HackedList.io to monitor log dealers and darknet marketplaces for potential threats and stay vigilant against cybercriminal activities.

Addressing the Problem and Taking Action

Statistics reveal the scale of the issue:

  • Over 45 million infected devices identified, with millions containing leaked credentials in the past four years.
  • More than half a billion URL/username/password combinations detected.
  • Infected devices found in 183 countries, with an average of over 10,000 new victims daily.

Your organization may already have been compromised, and this is especially likely for larger entities. Utilize tools like HackedList.io to check for potential breaches and stay protected from cyber threats.
