Infostealer malware, which consists of code that infects devices without the user’s knowledge and steals data, remains widely available to buy through underground forums and marketplaces, with the volume of logs (collections of stolen data) available for sale increasing at an alarming rate, according to Secureworks.
On Russian Market alone, the overall growth was 670% between June 2021 and May 2023.
“Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetize that access,” said Don Smith, VP threat research, Secureworks CTU.
“They are readily available for purchase, and within as little as 60 seconds of installation on an infected computer will immediately generate a return on investment in the form of stolen credentials and other sensitive information. However, what has really changed the game, as far as infostealers are concerned, is improvements in the various ways that criminals use to trick users into installing them. That, coupled with the development of dedicated marketplaces for the sale and purchase of this stolen data, has really upped the ante,” added Smith.
Infostealer malware market
Secureworks researchers analyzed the latest trends in the underground infostealer market, including how this type of malware is becoming more sophisticated and difficult to detect, posing a challenge for defenders of corporate networks. Key findings include:
The number of infostealer logs for sale on underground forums continues to increase over time. On Russian Market alone, the number of logs for sale increased by 150% in less than nine months, from two million on a single day in June 2022 to over five million on a single day in late February 2023.
Over a period of nearly two years (measured on a single day in June 2021 and a single day in May 2023), the overall growth in the number of logs for sale on Russian Market was 670%.
Russian Market remains the top seller of infostealer logs. At the time of this report, Russian Market offers five million logs for sale, around ten times more than its nearest rival, 2easy. It is well established among Russian cybercriminals and used extensively by threat actors worldwide. Russian Market recently added logs from three new stealers, which suggests that the site is actively adapting to the ever-changing e-crime landscape.
Raccoon, Vidar and RedLine remain the top three infostealers by number of logs for sale. On a single day in February 2023, the numbers of logs (data sets of stolen credentials) from these three stealers for sale on Russian Market were:
- Raccoon: 2,114,549
- Vidar: 1,816,800
- RedLine: 1,415,458
Cybercriminals adapt to law enforcement pressure
Recent law enforcement action against Genesis Market and Raid Forums has impacted cybercriminals’ behaviour. Telegram has been a beneficiary of this, with more buying and selling of logs for popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer shifting to dedicated Telegram channels. Despite the arrests of multiple users and the takedown of 11 domains associated with Genesis Market, the Tor site remains operational with logs still available for sale.
However, activity on the marketplace has all but dried up, as criminals have begun discussing the situation on underground forums, expressing doubts about the marketplace’s trustworthiness.
A growing market has emerged to meet the demand for after-action tools that help with log parsing, a manual and challenging task often left for more experienced cybercriminals. As the number of infostealers and available logs increases, it is anticipated that these tools will continue to become more popular and help to lower the bar for entry.
Much like the general cybercrime ecosystem, the successful development and deployment of infostealers relies on individuals with a broad range of skills, roles and responsibilities. The rise of malware-as-a-service has fostered innovation among developers to improve their products and appeal to a wider range of customers.
Preordering stolen credentials
For example, Russian Market now offers users the option to preorder stolen credentials for a specific organization, business, or application; all that is required is a $1,000 deposit into the site’s escrow system. The preorder service comes with no guarantees, but it enables cybercriminals to graduate from opportunistic to targeted attacks.
“What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low skilled threat actors to get involved. Coordinated global action by law enforcement is having some impact, but cybercriminals are adept at reshaping their routes to market,” continued Smith.
“Ensuring that you implement multi-factor authentication to minimize the damage caused by the theft of credentials, being careful about who can install third-party software and where it is downloaded from, and implementing comprehensive monitoring across host, network and cloud are all key aspects of a successful defense against the threat of infostealers,” concluded Smith.
Infostealers can easily be installed on a computer or device via phishing, infected websites, malicious software downloads and malicious Google ads. In 2022, stolen credentials accounted for almost one in ten of the incident response engagements Secureworks was involved in, and from April 2022 to April 2023 they were the initial access vector (IAV) for over a third (34%) of ransomware engagements.