Detecting the Undetected: The Risk to Your Info


IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase over the past year in the malware family known as information stealers. Info stealers are malware that scan for and exfiltrate data and credentials from a device. When executed, they scan for and copy directories that usually hold sensitive information or credentials, including web and login data from Chrome, Firefox, and Microsoft Edge. They have also been known to steal information from chat programs such as Telegram and Discord. Some of the more popular info stealers in the wild include Redline, Raccoon, and Vidar.
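The behaviour described above (a process that is not a browser reading the browsers' credential stores) is the kind of thing a custom hunt can flag when AV misses the binary. The following is an added example, not code from IBM or from the article: it runs a simple rule over constructed file-access telemetry in a generic JSON-lines shape. The credential-store paths are the browsers' default Windows profile locations (an assumption about a default install; portable or roaming installs differ), and `EXTRA_ALLOWED_IMAGES` is a hypothetical site allowlist for backup or sync agents that legitimately touch those files.

```python
import json
import re
from pathlib import PureWindowsPath

# Browser credential/cookie stores that info stealers copy, keyed by store name.
# Each entry: (path pattern, set of process images expected to touch it).
# Paths are the browsers' default Windows profile locations (assumption).
STORE_PATTERNS = {
    "chrome": (
        re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$", re.I),
        {"chrome.exe"},
    ),
    "edge": (
        re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$", re.I),
        {"msedge.exe"},
    ),
    "firefox": (
        re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
        {"firefox.exe"},
    ),
}

# Hypothetical site-specific allowlist (lower-case image names) for agents that
# legitimately read these files, e.g. an approved backup client. Empty by default.
EXTRA_ALLOWED_IMAGES: set[str] = set()


def _event(image: str, target: str, ts: str = "2023-03-01T10:00:00Z", host: str = "WS01") -> str:
    return json.dumps({"ts": ts, "host": host, "image": image, "target": target})


# Constructed sample telemetry: one file-access event per line with the acting
# process image and the file it touched. Not real data.
SAMPLE_EVENTS = "\n".join([
    _event(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _event(r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
           r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Mixed-case path: the rule must match case-insensitively.
    _event(r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
           r"c:\users\alice\appdata\roaming\mozilla\firefox\profiles\abcd1234.default-release\logins.json"),
    _event(r"C:\Program Files\Mozilla Firefox\firefox.exe",
           r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"),
    _event(r"C:\Windows\System32\notepad.exe",
           r"C:\Users\alice\Documents\notes.txt"),
])


def classify_store(target: str):
    """Return the store name if `target` is a known browser credential file, else None."""
    for name, (pattern, _) in STORE_PATTERNS.items():
        if pattern.search(target):
            return name
    return None


def is_expected_owner(image: str, store: str) -> bool:
    """True if the process image is the browser that owns `store` or is allowlisted."""
    exe = PureWindowsPath(image).name.lower()
    return exe in STORE_PATTERNS[store][1] or exe in EXTRA_ALLOWED_IMAGES


def hunt(events_jsonl: str) -> list[dict]:
    """Flag every file-access event where a non-owner process touches a credential store."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        store = classify_store(ev["target"])
        if store is None or is_expected_owner(ev["image"], store):
            continue
        alerts.append({"ts": ev["ts"], "host": ev["host"], "image": ev["image"],
                       "store": store, "target": ev["target"]})
    return alerts


def summarize(alerts: list[dict]) -> dict:
    """Group alerts by (host, image): one stealer touching several stores is one finding."""
    grouped: dict = {}
    for a in alerts:
        grouped.setdefault((a["host"], a["image"]), set()).add(a["store"])
    return grouped


if __name__ == "__main__":
    for (host, image), stores in summarize(hunt(SAMPLE_EVENTS)).items():
        print(f"{host}: {image} read credential stores {sorted(stores)}")
```

On the constructed input the rule ignores Chrome and Firefox reading their own stores and the unrelated Notepad event, and raises one finding for the Temp-directory executable that touched both the Chrome and Firefox stores. In production the same logic would run over real file-access telemetry, and the allowlist would come from a baseline of which non-browser processes touch these files on your estate.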


The obvious threat is to users’ credentials, which are often reused across sites and, once compromised, can be used to blackmail the victim or be sold on the dark web for other purposes. The bigger threat is the stealers’ ability to evade anti-virus (AV) solutions and even endpoint detection and response (EDR) platforms. The resulting false negative will go unnoticed unless it is specifically hunted for.


IBM’s ATDR team has been on the leading edge of identifying these stealers and has documented, for the community, behaviors and indicators that can be used to hunt for them and to develop custom detections that fill the gap security tools may have.


How Do Info Stealers Work?


IBM has observed these info stealers evolve over time, but there are specific tactics, techniques, and procedures (TTPs) to hunt for.


Initial Download


These info stealers usually come in the form of a Trojan. Users download a compressed file (.zip or .rar) either from a file-sharing site such as Discord, Telegram, or MediaFire or from a phishing ..
