
Once The Domain of Pirated Games, “Info Stealers” Have Racked Up Hundreds of Thousands of Employee Logins

“Info stealers” such as Titan and Redline have typically preyed on individual internet users looking for pirated copies of games and software. However, a new report from Flare.io finds that they are increasingly finding their way into corporate environments, possibly as a result of increased blurring of personal and work devices. Whatever the case, the report finds that some 400,000 employee logins are available for sale on dark web sites and illicit Telegram channels.

Info stealers becoming more common on company networks

Once installed, info stealers generally compromise the user's web browser and harvest whatever login information they can find. Pretty much anything saved in the browser or typed into a form field can be intercepted, including passwords and files that are uploaded or downloaded, and many stealers can also discreetly take screenshots. The malware is designed to embed itself in the target system for long-term exfiltration, using a variety of techniques to avoid detection.

The traditional focus of info stealers has been “carding,” or stealing individual credit card numbers and crypto wallet logins. While this is still very much the central demographic, a Flare review of nearly 20 million stealer logs has found that the presence of employee logins and other corporate network credentials is on the rise.

So exactly what sort of employee logins are appearing for sale courtesy of these info stealers? The biggest group appears to be OpenAI credentials, at 200,000 in total. Amazon AWS Console credentials are the next most common, with about 179,000 logs containing them found.

Salesforce and Hubspot CRM credentials were the next most common, with a total of about 66,000 found. DocuSign credentials were not far behind at about 64,000. There were also thousands to tens of thousands of logs containing Okta, QuickBooks, Gmail and Google Cloud credentials.

There is some trade on the traditional outlet of Russian-language dark web sites, but the majority of this traffic appears to have shifted to Telegram at this point. Certain channels sell the info stealer software along with access to compromised devices. Logs are generally sold for around $15 each, but if they contain employee logins or credentials for financial services they can shoot up to over $100.

Both public and private Telegram channels are available, but most of the “good stuff” is limited to private channels. The public channels that exist generally serve as an advertisement for paid private channels. These do provide terabytes of logs per month, but they are mostly filled with lower-end consumer accounts (things like Netflix or gaming site passwords). Employee logins and financial information are generally found in private channels restricted to no more than 30 or so users.

Erich Kron, Security Awareness Advocate at KnowBe4, notes that any uptick in the use of info stealers likely ties in with an increasing criminal preference for stealing employee credentials as the initial entry into networks: “Having legitimate credentials is extremely valuable for bad actors, as it can help them stay below the radar when more traditional attacks such as brute forcing could draw attention. Cyber criminals know that credentials used in one place are also very likely to be reused with other web services or platforms.”

“This reuse of passwords can be a significant issue that people often underestimate the impact of, but it leads to the practice of credential stuffing, where a known good username and password are tried on multiple websites, using tools that are free or extremely inexpensive and leading to the compromise of email accounts, retail shopping accounts and bank accounts among others, and has been responsible for hundreds of thousands of account takeover compromises this year alone,” noted Kron.
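The Flare tally above (logs containing AWS Console, OpenAI or Okta credentials) and Kron's point about password reuse can both be reproduced as a defender-side triage over a stealer log. The following is an added example, not code from the report or from any vendor named here; it assumes a simplified URL/USER/PASS line layout, a constructed sample dump, and a hypothetical host-suffix table for the services of interest.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in a simplified URL/USER/PASS layout (assumed, not a real dump).
SAMPLE_LOG = """\
URL: https://console.aws.amazon.com/console/home
USER: alice@example-corp.com
PASS: Winter2023!
URL: https://platform.openai.com/login
USER: alice@example-corp.com
PASS: Winter2023!
URL: https://example-corp.okta.com/login/login.htm
USER: bob@example-corp.com
PASS: hunter2
URL: https://www.netflix.com/login
USER: alice@gmail.com
PASS: ilovecats
"""
# Hypothetical host suffixes for the SaaS services the report counts.
SERVICES = {"console.aws.amazon.com": "AWS Console",
            "platform.openai.com": "OpenAI", ".okta.com": "Okta"}

def parse_entries(text):
    """Yield (host, user, password) from each URL/USER/PASS group."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"(URL|USER|PASS):\s*(.*)", line)
        if m:
            entry[m.group(1)] = m.group(2).strip()
        if len(entry) == 3:
            yield urlparse(entry["URL"]).hostname or "", entry["USER"], entry["PASS"]
            entry = {}

def triage(text, corp_domain):
    """Count exposed corporate SaaS logins and flag passwords reused across hosts.
    Only a truncated SHA-256 of each password is kept, never the plaintext."""
    per_service = defaultdict(int)
    seen = defaultdict(set)  # (user, digest) -> hosts where that pair appears
    for host, user, pw in parse_entries(text):
        user = user.lower()
        if not user.endswith("@" + corp_domain):
            continue  # personal accounts are lower-value noise for corporate triage
        for suffix, name in SERVICES.items():
            if host.endswith(suffix):
                per_service[name] += 1
        digest = hashlib.sha256(pw.encode()).hexdigest()[:12]
        seen[(user, digest)].add(host)
    reused = {u: sorted(h) for (u, _), h in seen.items() if len(h) > 1}
    return dict(per_service), reused
```

Accounts listed under `reused` are the ones to reset first, since one captured password unlocks every host it appears on.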

Trade in illicit employee logins continues to grow

A deeper analysis of one particular dark web marketplace found that there were at least 46 financial institutions that had customer or employee logins up for sale within the past two years. And when a device with financial credentials on it is compromised, it tends to have about 10 times more overall credentials available (an average of 335 as compared to 35).

Leading examples of info stealers include Aurora, Raccoon, Redline, Titan, and Vidar. These are often bundled with executable files, such as games, but attackers may also attempt to pass them via phishing emails or text messages. Given that employee logins and corporate information are among the most valuable of the logs now being traded on the dark web and Telegram, it’s reasonable to assume that attackers will step up their targeted attempts on company staff (which often begin by trawling LinkedIn bios).

Info stealers have been around since at least 2006. The first major example, ZeuS, was highly focused on capturing banking credentials. One of the big ones to emerge this summer, “Mystic Stealer,” has been increasingly spotted in attacks on organizations in possession of the financial and health records that cyber criminals are most interested in. Mystic Stealer uses some particularly sophisticated techniques to evade detection, including residing entirely in system memory and deploying system calls to cover its tracks. It also allows users to easily customize it and deploy it on their own servers, and security professionals have found at least 50 active command & control servers in the wild thus far.

Though major criminal threat actors are not beyond using info stealers (Lapsus$ has been observed using Redline in the past year), they are preferred by smaller actors with less skill and infrastructure available to them as they provide a convenient all-in-one package for capturing credentials that requires little more than tricking the victim into running them. They have also seen a recent surge in popularity due to “MFA fatigue,” as targets that are constantly deluged with requests for authorization (particularly for employee logins) start blindly clicking on things just to make them go away.

Tomer Bar, VP of Security Research at SafeBreach, notes the likely connection between work-from-home and the increased presence of info stealers on corporate networks: “This analysis emphasizes the growing risk of sensitive corporate data being stolen in enterprise breaches through the use of information-stealing malware. Remote working has become more common, and since enterprises usually allow their employees to have remote access to the enterprise’s assets with only a single sign-on to proceed, an exfiltration of Okta credentials may be the beginning of a complete breach. We agree with the recommendation in the analysis and would like to add that continuous security validation should also be done on all laptop and remote devices.”