
Infostealers in the C2C Market

The market for infostealing malware remains strong, with reports indicating that the number of logs for sale on underground forums has continued to increase. The Russian Market underground forum has seen a 150% increase in logs for sale, from two million in a day in June 2022 to five million in February 2023, according to a report by Secureworks. In addition, between June 2021 and May 2023, the same forum saw a growth rate of 670% in logs for sale. The report also highlights the three most pervasive infostealing threats: Raccoon, Vidar, and Redline.

KELA, a cyber intelligence company, has also released a report on the state of the criminal market for infostealers. Its report, “Delving into the emerging infostealers of 2023,” identifies rising infostealers such as Titan, LummaC2, and WhiteSnake. The new infostealers are traded extensively in automated botnet marketplaces and in Telegram channels, which have become increasingly attractive to the underworld and state intelligence services. Titan is the cheapest stealer, available as a subscription for USD 120 per month, while the most expensive is LummaC2, which can be purchased for USD 250 per month. WhiteSnake and StealC can be purchased for USD 140 and USD 200, respectively.

The infostealing problem has prompted cybersecurity experts to call for more effective detection tools. “With the increase in info-stealing malware, visibility into the communication patterns coming out of an enterprise is increasingly important, across both corporate and production environments, to ensure that anomalous outbound communications are identified, inspected, and shut down quickly and efficiently,” said Dave Ratner, CEO of HYAS. Aside from preventing the malware from breaching the environment in the first place, he believes that visibility into outgoing communications is the best protection for organizations and will contribute to driving true business resiliency strategies in the face of cyber threats.

Secureworks’ report also emphasized the importance of tools to aid in parsing logs. Researchers and analysts have noted that these tools are expected to increase in popularity in the future. More support will be needed to help organizations sift through the large amounts of data generated by malware-infected systems. Parsing will be key since infostealing threats are among the most difficult to detect, given that they aim to remain undetected on victims’ systems for as long as possible in order to harvest more data.

The fight against infostealers may have achieved some successes, with some illegal marketplaces like Genesis Market and RaidForums facing legal action, leading to a slowdown in underground market activity. The increased uptake of Telegram, however, is a cause for concern since the platform is known to be a favored medium for cybercriminals. Reports have revealed that underground forums are being replaced by encrypted messaging applications for the distribution of stolen data. The shift is a sign that cybercriminals are adopting more sophisticated means to avoid detection.

There is no doubt that infostealing malware is a well-established commodity, with even the most expensive types priced at a fraction of the potential returns from successful heists. Infostealers pose one of the most significant risks in the cybersecurity landscape, and businesses need to take note of the latest developments in the market. It’s important to secure the enterprise and production environments against the malware, as well as to establish visibility over outbound communications to mitigate the potential harm of falling victim to an infostealer. By understanding the potential threats and by adopting best practices in cybersecurity, organizations will be better prepared to overcome the challenges posed by the ever-evolving world of cybercrime.
