Full Report
Inexpensive information-stealing malware surged in 2024, infecting 23 million hosts, according to Flashpoint. The post Infostealers fueled cyberattacks and snagged 2.1B credentials last year appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Information Stealers (General Malware Family)
## Overview
Information Stealers (Infostealers) are malware designed to harvest sensitive data from infected machines, including credentials, session cookies, credit card information, cryptocurrency wallets, and system details. They are frequently used as initial access vectors for ransomware campaigns, account takeovers, and supply chain attacks due to their low cost and ease of use.
## Technical Details
- Type: Malware family
- Platform: Primarily Microsoft Windows; some variants target macOS.
- Capabilities: Harvesting system information, saved credit cards, cryptocurrency wallets, browser autofill data, account credentials, and active session cookies. Delivery of harvested data via compressed files to a remote server.
- First Seen: Not stated; the context implies ongoing, widespread use, with the largest impact observed in 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1189 - Drive-by Compromise
- T1204 - User Execution
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0009 - Collection
- T1005 - Data from Local System
- T1555 - Credentials from Password Stores
- T1083 - File and Directory Discovery
## Functionality
### Core Capabilities
- Harvesting system information and saved browser data (credentials, credit cards, autofill).
- Targeted collection of information from registry keys and file directories.
- Compressing collected data into a single archive.
- Sending the compressed archive to a remote command and control (C2) server.
### Advanced Features
- Designed to circumvent specific security controls and avoid detection.
- Used to facilitate lateral movement and privilege escalation in subsequent attack stages by providing stolen credentials.
- Low cost ($200/month average) and high accessibility on underground forums, acting as a "force multiplier."
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context, common names vary by specific strain]
- Registry Keys: No specific keys given in the context; the malware reads registry keys associated with stored credentials and system configuration.
- Network Indicators: Communication to remote servers for data exfiltration (specific IOCs not provided).
- Behavioral Indicators: Large data collection followed by compressed packaging and outbound connection to a host outside normal operational parameters. Infiltration often via phishing or secondary malware payloads.
## Associated Threat Actors
Multiple threat actors use commercially available infostealers to fuel operations, including those launching ransomware attacks and those targeting critical infrastructure/supply chains (e.g., attacks resulting in Snowflake credential exposure).
## Detection Methods
- Signature-based detection: Signatures for known malware strains (e.g., Redline, Vidar).
- Behavioral detection: Monitoring for unusual reading/compression of browser profile folders, credential stores, or large outbound transfers following initial compromise.
- YARA rules: [Not specified in the context]
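As an added illustration of the behavioral detection described above (this is not code from the Flashpoint report or the CyberScoop article), the script below correlates constructed endpoint telemetry and flags a non-browser process that reads a browser credential store, writes an archive, and then connects outbound within a short window. The telemetry format, process names, paths and thresholds are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Browser credential/cookie stores an infostealer reads (illustrative, not exhaustive).
CRED_STORES = ("Login Data", "Cookies", "Web Data", "logins.json", "key4.db")
ARCHIVE_EXT = (".zip", ".7z", ".rar")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # legitimately read their own stores
WINDOW = timedelta(minutes=10)  # read -> archive -> egress must fit in this span

# Constructed endpoint telemetry (JSON lines); not real data.
SAMPLE_TELEMETRY = [
    '{"ts":"2024-05-01T10:00:01","host":"ws01","process":"chrome.exe","pid":100,"type":"file_read","path":"C:/Users/a/AppData/Local/Google/Chrome/User Data/Default/Login Data"}',
    '{"ts":"2024-05-01T10:00:05","host":"ws01","process":"updater.exe","pid":4242,"type":"file_read","path":"C:/Users/a/AppData/Local/Google/Chrome/User Data/Default/Login Data"}',
    '{"ts":"2024-05-01T10:00:06","host":"ws01","process":"updater.exe","pid":4242,"type":"file_read","path":"C:/Users/a/AppData/Roaming/Mozilla/Firefox/Profiles/x.default/logins.json"}',
    '{"ts":"2024-05-01T10:00:09","host":"ws01","process":"updater.exe","pid":4242,"type":"file_create","path":"C:/Users/a/AppData/Local/Temp/sys.zip"}',
    '{"ts":"2024-05-01T10:00:12","host":"ws01","process":"updater.exe","pid":4242,"type":"net_connect","dst":"203.0.113.7:443"}',
    '{"ts":"2024-05-01T10:05:00","host":"ws02","process":"backup.exe","pid":77,"type":"file_create","path":"D:/backups/docs.zip"}',
    '{"ts":"2024-05-01T10:06:00","host":"ws02","process":"backup.exe","pid":77,"type":"net_connect","dst":"10.0.0.5:445"}',
]

def classify(ev):
    """Map one event to a stage of the infostealer chain, or None if irrelevant."""
    if ev["type"] == "file_read" and ev["path"].endswith(CRED_STORES):
        return "cred_read"
    if ev["type"] == "file_create" and ev["path"].lower().endswith(ARCHIVE_EXT):
        return "archive"
    if ev["type"] == "net_connect":
        return "egress"
    return None

def detect_infostealer_chain(lines):
    """Return (host, process, pid) for each non-browser process that read a credential
    store, then wrote an archive, then connected out, in that order and within WINDOW."""
    events = sorted((json.loads(l) for l in lines), key=lambda e: e["ts"])
    first_seen = defaultdict(dict)  # (host, process, pid) -> stage -> first timestamp
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage is None or ev["process"].lower() in BROWSERS:
            continue  # browsers touching their own stores are expected, not suspicious
        key = (ev["host"], ev["process"], ev["pid"])
        seen = first_seen[key]
        seen.setdefault(stage, datetime.fromisoformat(ev["ts"]))
        if all(s in seen for s in ("cred_read", "archive", "egress")):
            in_order = seen["cred_read"] <= seen["archive"] <= seen["egress"]
            if in_order and seen["egress"] - seen["cred_read"] <= WINDOW and key not in hits:
                hits.append(key)  # full read -> archive -> egress chain observed
    return hits
```

In the sample, only updater.exe on ws01 completes the chain; backup.exe archives and connects out but never touches a credential store, so it is not flagged.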
## Mitigation Strategies
- Implement robust Endpoint Detection and Response (EDR) solutions capable of detecting malware staging and data compression activities.
- Enforce Multi-Factor Authentication (MFA) universally to mitigate the impact of stolen credentials.
- User awareness training for phishing and safe software download practices.
- Regularly audit and secure identity and access management systems.
## Related Tools/Techniques
- **Specific Strains Mentioned:** Redline, RisePro, StealC, Lumma Stealer, Meta Stealer, Vidar, Raccoon.
- **Related Attacks:** Ransomware deployment, supply chain targeting, breaches leveraging stolen credentials against cloud providers (e.g., Snowflake customer environments).
***
# Tool/Technique: Redline Stealer
## Overview
Redline is a specific, highly prolific information-stealing malware strain tracked in 2024. It was responsible for a significant percentage of observed infostealer infections globally.
## Technical Details
- Type: Malware family (Infostealer strain)
- Platform: Primarily Microsoft Windows (implied)
- Capabilities: Stealing credentials, system information, and browser artifacts for subsequent malicious use. Infection highly correlated with large-scale credential theft operations.
- First Seen: Active and highly prolific in 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- TA0009 - Collection
- TA0010 - Exfiltration
## Functionality
### Core Capabilities
- Data collection from infected hosts.
### Advanced Features
- High infection volume: Infected 9.9 million hosts, representing 43% of all infostealer infections analyzed by Flashpoint in 2024.
- Associated with credential harvesting later used in major incident campaigns (e.g., targeting Snowflake customers).
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: [Not specified in the context]
- Network Indicators: C2 communications for exfiltration (specific IOCs not provided).
- Behavioral Indicators: High volume of system file/browser profile access on potentially compromised Windows hosts.
## Associated Threat Actors
Threat actors utilizing off-the-shelf infostealers, contributing to large breaches.
## Detection Methods
- Signature matching against known Redline samples.
- Behavioral monitoring for characteristic file access patterns associated with credential harvesting.
## Mitigation Strategies
- Standard infostealer mitigation: MFA, network segmentation, and robust endpoint security.
## Related Tools/Techniques
- RisePro, StealC, Lumma Stealer, Meta Stealer, Vidar, Raccoon (other high-volume infostealers operating concurrently).
***
# Tool/Technique: RisePro, StealC, Lumma Stealer, Meta Stealer
## Overview
These four strains represent the next four most prolific information stealers tracked by Flashpoint in 2024, collectively infecting approximately 7 million hosts, indicating widespread use in initial access operations.
## Technical Details
- Type: Malware family (Infostealer strains)
- Platform: Primarily Microsoft Windows
- Capabilities: Information theft, credential harvesting, often used as initial access for secondary attacks like ransomware.
- First Seen: Active and prolific in 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- TA0009 - Collection
- TA0010 - Exfiltration
## Functionality
### Core Capabilities
- Stealing system information, credentials, and browser data.
### Advanced Features
- High volume compared to other strains, indicating active development or commercial success on illicit markets.
- Credentials harvested by RisePro, Lumma Stealer, and Meta Stealer (along with Vidar and Raccoon) were linked to major incidents impacting Snowflake environments.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: [Not specified in the context]
- Network Indicators: C2 communications necessary for data exfiltration.
- Behavioral Indicators: System fingerprinting and targeted searches for sensitive files/browser databases.
## Associated Threat Actors
Threat actors purchasing or operating these readily available malware kits.
## Detection Methods
- Detection via behavioral analysis focusing on credential access and archival/exfiltration.
## Mitigation Strategies
- Proactive endpoint protection and strict application control policies.
## Related Tools/Techniques
- Redline (the most prolific strain), Vidar, Raccoon.