
The Infamous Infostealers

How are cybercriminals getting their hands on so much data?


Private data records have been leaking onto the Internet for decades. In August 2024, however, the scale jumped: nearly 2.9 billion records containing U.S. residents' personal data were exposed on the dark web after a breach of background checker National Public Data (NPD).

How are cybercriminals getting their hands on so much information? Threat actors gain initial access by exploiting vulnerabilities and by tricking trusting people, but how does that foothold turn into data theft on this scale? The evidence and the headlines point to one malware category: infostealers.

On October 21, 2024, a threat actor calling itself Satanic posted 350 million personally identifiable information (PII) records and payment data stolen from retailers Hot Topic, Box Lunch, and Torrid for sale on the BreachForums cybercrime forum, according to Alon Gal, chief technology officer at Hudson Rock, a threat intelligence vendor. Hudson Rock's research traces the theft to a generic infostealer that infected an employee system at third-party retail analytics provider Robling, said Gal. Satanic's data haul included names, addresses, emails, phone numbers, birth dates, and billions of payment details and loyalty points, according to Gal.

The Roots of Infostealers

For those who have not heard of infostealers: the category has been siphoning sensitive data for more than 16 years, at least since the first banking Trojan that stole usernames and passwords appeared.

“We can trace infostealers to 2006 when the ZeuS Trojan stole users’ online credentials, accessing their banking services,” said Michael Nizich, director of the NSA/DHS CAE Cyber Defense Education Program at the New York Institute of Technology. Trojan horse malware tricks users into installing it, appearing to be a legitimate program.

ZeuS logged keystrokes and grabbed the contents of Web forms as people filled them out to steal banking logins. Russian cybercriminal Evgeniy Bogachev distributed ZeuS in conjunction with bad actors who sent spam and phishing emails linking to websites that served the malware.

In 2011, password and file stealer Pony, a.k.a. Fareit, let cybercriminals harvest credentials from applications and Web browsers and steal files. In 2018, the Vidar infostealer Trojan appeared on dark web forums as a Malware-as-a-Service (MaaS) offering; it stole logins, credit card data, and cryptocurrency (crypto) wallet data. A crypto wallet stores the private keys that authorize transactions on a blockchain such as Bitcoin's, so whoever copies the key material can move the funds. MaaS offers malicious software and supporting services for a fee.

As with other malware, infostealer families evolve as malware programmers create, use, and market the initial software or MaaS, then alter the code to add features and avoid detection in future attacks. The evolution of Raccoon infostealer into Raccoon V2 is a good example (more below).

“The primary developers of infostealer [malware] families are typically Russian cybercriminals with expertise in malware development. Just recently, a prominent infostealer family’s developer [pleaded guilty], and another one was charged,” said Gal.

Ukrainian national Mark Sokolovsky pleaded guilty in a U.S. federal court in Austin, TX, to conspiring to operate the Raccoon Infostealer MaaS platform, according to an October 2024 U.S. Justice Department media release. Criminals leased Raccoon using cryptocurrency, then used phishing techniques to install it on user computers, where they collected login credentials and personal and financial information. Cybercriminals used the Raccoon Infostealer in the NPD breach.

U.S. law enforcement charged Russian native Maxim Rudometov with developing the RedLine Infostealer, which captures data from apps, browsers, and crypto wallets. Rudometov is accused of making RedLine available as a MaaS offering via posts to dark web forums to cybercriminals who subscribed to the service. According to an October 2024 Justice Department media release, RedLine Infostealer has infected millions of devices globally and stolen login credentials and financial information from millions of victims. The charges followed the success of international law enforcement’s Operation Magnus, which targeted RedLine with participants from several global police forces.

According to Ronen Ahdut, head of managed detection and response at cybersecurity firm Cynet, Sokolovsky’s arrest in 2022 only temporarily halted Raccoon’s operations; Sokolovsky’s associates quickly regrouped and launched Raccoon V2 with enhanced capabilities that same year.

According to an eSentire blog post, the Russian cybercriminal CrydBrox distributed the AZORult infostealer, which surfaced in 2016. AZORult combined keylogging, form grabbing, and file theft to rob crypto wallets, and it stole browser cookies, which let an attacker reuse a victim's logged-in Web session without knowing the password. CrydBrox shut down AZORult in 2018; AZORult reappeared early in 2024.

Determining exactly how many infostealers go undetected by traditional or even next-generation antivirus and antimalware tools is impossible. However, for the first six months of 2024, at least 54% of devices infected with infostealer malware had antivirus or endpoint detection and response (EDR) software installed at the time of the successful infection, according to Trevor Hilligoss, senior vice president of SpyCloud Labs at SpyCloud, a cybercrime analytics company.

The command-and-control (C2) servers that receive stolen data from infostealers and issue them instructions sit on bulletproof hosting services and are difficult to take down. Bulletproof Web hosters knowingly serve illegal content and ignore takedown requests: they collect no identifying information from their customers, keep the servers outside cooperative legal jurisdictions, allow unrestricted content, and protect the hosted malicious services against attack. According to Paul Laudanski, director of security research at Onapsis, an SAP cybersecurity vendor, bulletproof hosting locations that are poor at responding to abuse complaints host the C2 servers that orchestrate infostealers.

Bulletproof hosting services are located in Russia, China, Eastern European countries, offshore jurisdictions, and wherever Internet laws or enforcement are less restrictive. “We have seen [bulletproof hosting] in Eastern Europe and Asia throughout the decades,” said Laudanski.

According to Laudanski, attacks using C2 servers and infostealers have morphed over time to include Domain Generation Algorithms (DGAs) and Double Domain Generation Algorithms (DDGAs), where the algorithms determine their own domains (Web addresses) on the fly to avoid detection. A DGA is seeded with a value the operator also knows, typically the current date, so the malware and its operator compute the same list of candidate names and the operator need only register a few of them shortly before the malware tries them. These temporary, random-looking domains last only hours or days and disappear as new ones go live. Examples look like this: a45tg6hjk8.example.net (DGA) and qwer1234.randomdomain.top (DDGA). Their high volume and constant change make them difficult to detect and block with static domain lists.
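To make the mechanism concrete, here is an added example (not code from the article or from any infostealer family): a toy date-seeded DGA showing that malware and operator derive the same names from a shared seed, plus the kind of first-pass statistical filter a defender runs over resolver logs to surface such names. The seed, hashing scheme, TLD list and log lines are all constructed for illustration.

```python
"""Added example: toy date-seeded DGA and a statistical detector over
constructed DNS query logs. Seed, hash scheme and TLDs are invented."""
import hashlib
import math
import re
from collections import Counter
from datetime import date

SEED = b"example-family-seed"       # constructed; shared by malware and operator
TLDS = ("net", "top", "xyz")         # constructed
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _label(digest: bytes, length: int = 12) -> str:
    """Encode a hash digest as a base-36 DNS label."""
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, 36)
        chars.append(ALPHABET[r])
    return "".join(chars)


def dga_domains(day_iso: str, count: int = 5) -> list[str]:
    """Candidate C2 domains for the date `day_iso` (e.g. "2024-10-21").

    Both sides compute the same list from the shared seed and the date, so
    the operator registers one or two of these names shortly before the
    malware tries them; a blocklist built from yesterday's names is stale."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day_iso.encode() + bytes([i])).digest()
        domains.append(f"{_label(digest)}.{TLDS[i % len(TLDS)]}")
    return domains


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


VOWELS = set("aeiou")


def looks_generated(domain: str) -> bool:
    """Flag labels that read like machine output: long, high entropy, and
    either vowel-poor or mixing letters with digits. Dictionary-based DGAs
    defeat this heuristic; it is a triage filter, not a verdict."""
    for label in domain.lower().split(".")[:-1]:      # skip the TLD
        if len(label) < 8:
            continue
        vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
        mixed = bool(re.search(r"[a-z]", label)) and bool(re.search(r"[0-9]", label))
        if shannon_entropy(label) >= 2.9 and (vowel_ratio < 0.2 or mixed):
            return True
    return False


LOG_RE = re.compile(r"client=(\S+)\s+query=(\S+)")


def flag_dns_log(log_text: str) -> list[tuple[str, str]]:
    """Return (client, domain) pairs whose queried name looks generated."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and looks_generated(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed resolver log; the two random-looking names mirror the article's examples.
SAMPLE_LOG = """\
2024-10-21T10:02:11Z client=10.0.0.12 query=login.microsoftonline.com
2024-10-21T10:02:15Z client=10.0.0.12 query=a45tg6hjk8.example.net
2024-10-21T10:02:20Z client=10.0.0.31 query=cloudfront.net
2024-10-21T10:03:02Z client=10.0.0.12 query=qwer1234.randomdomain.top
"""

if __name__ == "__main__":
    for d in dga_domains(date.today().isoformat()):
        print(d, "generated" if looks_generated(d) else "benign")
    print(flag_dns_log(SAMPLE_LOG))
```

The detector side is deliberately cheap: entropy and vowel ratio catch the hash-derived names this toy DGA and the article's examples produce, but a family that builds names from dictionary words will pass it, which is why production detection also pivots on volume (one client resolving dozens of never-before-seen names) and on NXDOMAIN rates for the unregistered candidates.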

Crypto wallets and exchanges are prime targets for infostealers because of the high economic reward and the relative ease of theft and concealment of the attacks.

“The first thing [criminal] hackers do when infecting a computer with an infostealer is [look] for ways to steal cryptocurrency found on the computer,” said Gal. Modern infostealers offer wide support for stealing various cryptocurrencies, Gal said; for example, infostealers extract the private keys that control cryptocurrency, hijack computer and smartphone clipboards that contain crypto account addresses, and steal crypto wallet files.
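The clipboard hijack Gal mentions is worth seeing in code. The following is an added example, not code from the article or from any real stealer: the core of a clipboard hijacker ("clipper") that swaps a copied cryptocurrency address for the attacker's, beside the receiver-side check that catches the swap. The address regexes are the real Bitcoin and Ethereum formats; the attacker addresses and the sample clipboard text are constructed.

```python
"""Added example: clipper core and the receiver-side check that defeats it.
Attacker addresses and sample text are constructed, not real wallets."""
import re

ADDRESS_PATTERNS = {
    # Bech32 (bc1...) and legacy base58 (1.../3...) Bitcoin addresses
    "btc": re.compile(r"\b(?:bc1[qp][a-z0-9]{38,58}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    # Ethereum: 0x followed by 40 hex digits
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed attacker-controlled destinations (placeholders, not real wallets).
ATTACKER = {
    "btc": "bc1qattackerattackerattackerattackerxxxxxx",
    "eth": "0x" + "11" * 20,
}


def find_addresses(text: str) -> list[tuple[str, str]]:
    """All (kind, address) pairs in text, in order of appearance."""
    found = []
    for kind, pat in ADDRESS_PATTERNS.items():
        for m in pat.finditer(text):
            found.append((m.start(), kind, m.group(0)))
    return [(kind, addr) for _, kind, addr in sorted(found)]


def clipper_rewrite(clipboard: str) -> str:
    """What the malware does on every clipboard change: replace each
    recognised address with the attacker's address of the same kind and
    leave the surrounding text untouched so the victim notices nothing."""
    out = clipboard
    for kind, pat in ADDRESS_PATTERNS.items():
        out = pat.sub(ATTACKER[kind], out)
    return out


def same_address(intended: str, pasted: str) -> bool:
    """Receiver-side check before signing a transaction. Ethereum addresses
    compare case-insensitively (EIP-55 checksums only vary the case);
    Bitcoin addresses must match exactly."""
    if intended.startswith("0x") and pasted.startswith("0x"):
        return intended.lower() == pasted.lower()
    return intended == pasted


def fingerprint(addr: str) -> str:
    """Short form a wallet UI shows so a human can compare both ends of the
    address; clippers rarely control addresses matching both ends."""
    return f"{addr[:6]}...{addr[-4:]}"


# Constructed clipboard contents; the bc1q address is the BIP173 example address.
SAMPLE_CLIP = (
    "Invoice 1187: send 0.5 BTC to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 "
    "or ETH to 0x" + "ab" * 20 + " by Friday"
)

if __name__ == "__main__":
    tampered = clipper_rewrite(SAMPLE_CLIP)
    for (kind, want), (_, got) in zip(find_addresses(SAMPLE_CLIP), find_addresses(tampered)):
        print(kind, fingerprint(want), "->", fingerprint(got), "match" if same_address(want, got) else "SWAPPED")
```

The defensive lesson is in `same_address` and `fingerprint`: the swap is invisible in the text around the address, so the only reliable control is comparing the full pasted address against the one the sender intended, ideally out of band, before the transaction is signed.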

“We’re dealing with the financial industry and billions of dollars,” said CJ Miller, CEO of Dypto Crypto, a cryptocurrency education company. Miller said that with billions of dollars for cybercrime groups and nation-states to target, these large sums increase the overall payout, enabling bigger entities with more resources dedicated to these exploitations. “North Korea’s organized hacker group specifically targets crypto entities,” said Miller, explaining it is an entirely government-funded program aimed at attacking these vulnerabilities.

According to Julia Burlingham, recovery specialist at Professional Crypto Recovery, a crypto wallet recovery service, criminal hackers target users of Centralized Finance (CeFi) exchanges like Coinbase, using phishing emails from fake exchange representatives. The fake representatives get targets to log in through a link that gives the criminals access to their digital assets.

These CeFi exchanges are the cryptocurrency equivalent of traditional banks: online platforms that facilitate buying and selling cryptocurrencies. They are attractive targets because they hold large sums in wallets the exchange itself controls.

Criminals have targeted hot wallets like MetaMask, which new traders use as a browser extension on their smartphones to swap crypto, Burlingham said. “All they had to do was wait for a user to connect to public Wi-Fi, which was pretty common until users wised up, and hack the wallet. [They would] take the funds and essentially wash it through a platform like Tornado Cash to make it untraceable,” said Burlingham.

Hot wallets are connected to the Internet and therefore exposed to remote compromise. Tornado Cash mixes many people's cryptocurrency together, severing the link between source and destination so that users can transact anonymously; criminals use it for money laundering. In 2022, the U.S. Treasury sanctioned Tornado Cash.

Like the more formidable endpoint tools, Web browser security features offer little protection once an infostealer is running on the computer.

Said Cynet’s Ahdut, “Infostealers employ various techniques to evade detection by modern browser security features. [Redline Stealer] can disable or modify antivirus tools and add directories for exclusions in Windows Defender, allowing it to operate undetected. Infostealers like Vidar and Raccoon use sophisticated methods to avoid virtual environments and sandboxing, ensuring they only execute on real user systems.”

RedLine adds the directories it uses to Windows Defender's exclusion list so the stealer's files are never scanned. Vidar and Raccoon check whether they are running inside a virtual machine or sandbox, the instrumented environments that security tools use to detonate (execute) suspected malware and observe its behavior, and stay dormant there so that analysts never see the real payload run.
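Defender exclusion tampering of the kind Ahdut describes leaves a trace: Microsoft Defender writes event ID 5007 ("configuration has changed") to the Microsoft-Windows-Windows Defender/Operational log with the changed registry value in its message. The following is an added example, not code from the article or from any vendor: a triage routine that scans such messages and ranks exclusions by how suspicious they are. The event messages below are constructed to follow the 5007 message layout and are not real logs; the severity rules are the author's assumptions for this example.

```python
"""Added example: triage of constructed Defender event ID 5007 messages for
exclusion additions and real-time-protection changes."""
import re
from dataclasses import dataclass

EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<item>.+?)\s*=\s*0x0\s*$",
    re.IGNORECASE,
)
RTP_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(?P<setting>\w+)\s*=\s*(?P<data>0x[0-9a-f]+)\s*$",
    re.IGNORECASE,
)
# Locations an unprivileged user (and therefore user-mode malware) can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+(\\|$)|\\ProgramData(\\|$)|\\Temp(\\|$)", re.IGNORECASE
)


@dataclass
class Finding:
    severity: str
    reason: str
    item: str


def triage_5007(messages: list[str]) -> list[Finding]:
    """Rank each 5007 message. Exclusions under user-writable paths, or of
    whole file extensions, get 'high'; exclusions elsewhere 'medium'
    (possibly legitimate, still worth confirming); disabling real-time
    monitoring is 'critical'. Unrelated configuration changes are ignored."""
    findings = []
    for msg in messages:
        m = EXCLUSION_RE.search(msg)
        if m:
            kind, item = m.group("kind"), m.group("item").strip()
            if kind.lower() == "extensions" or USER_WRITABLE.search(item):
                severity = "high"
            else:
                severity = "medium"
            findings.append(Finding(severity, f"{kind} exclusion added", item))
            continue
        r = RTP_RE.search(msg)
        if (r and r.group("setting").lower() == "disablerealtimemonitoring"
                and int(r.group("data"), 16) == 1):
            findings.append(Finding("critical", "real-time protection disabled", r.group("setting")))
    return findings


# Constructed messages following the 5007 layout ("New value: <key> = <data>").
SAMPLE_5007 = [
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Microsoft SQL Server = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\alice\Downloads\updater.exe = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"Microsoft Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2",
]

if __name__ == "__main__":
    for f in triage_5007(SAMPLE_5007):
        print(f"[{f.severity:8}] {f.reason}: {f.item}")
```

On a live host the same information is available without the event log: `Get-MpPreference` in PowerShell returns the current `ExclusionPath`, `ExclusionProcess` and `ExclusionExtension` lists, and any entry under a user profile or temp directory that no administrator remembers adding deserves the same "high" treatment as above.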

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
