Infostealer

In cybercrime, credential theft is a well-known mechanism through which malicious individuals steal personal information, such as usernames, passwords, or cookies, to illegitimately gain access to a victim's online accounts and computer. This crime typically unfolds in four stages, with the first being the acquisition of the stolen credentials. Infostealers are a specific type of malware that are designed for this initial stage. They usually consist of two distinct parts: the bot framework and a command and control server, often known as the management panel or interface. The management interface primarily functions as a web server to which the infostealer sends confidential information. The interface also provides the attacker with information about the status of deployed infostealers and allows the attacker to control their behaviour. == Distribution and use ==

Infostealers are commonly distributed through the malware-as-a-service (MaaS) model, enabling individuals with varying technical knowledge to deploy these malicious programs. Under this model, three distinct groups typically emerge: developers, malware service providers, and operators. Developers, the most technically skilled, write the infostealer code. Malware service providers purchase licenses for the malware and offer it as a service to other cybercriminals. The operators, who can be developers or service providers themselves depending on their skill level, use these services to perform credential theft. Once the malware is purchased, it is spread to target victim machines using various social engineering techniques. Phishing, including spear phishing campaigns that target specific victims, is commonly employed. Infostealers are commonly embedded in email attachments or malicious links that link to websites that perform drive-by downloads. Additionally, they are often bundled with compromised or malicious browser extensions, infected game cheating packages, and pirated or otherwise compromised software. Credentials obtained from infostealer attacks are often distributed as logs or credential dumps, typically shared on paste sites like Pastebin, where cybercriminals may offer free samples, or sold in bulk on underground hacking forums, often for amounts as low as US$10. Buyers of these stolen credentials usually log in to assess their value, particularly looking for credentials associated with financial services or linked to other credentials with similar patterns, as these are especially valuable. High-value credentials are often sold to other cybercriminals at higher prices. These credentials may then be used for various crimes, including financial fraud, integrating the credentials into zombie networks and reputation-boosting operations, Additionally, some cybercriminals use stolen credentials for social engineering attacks, impersonating the original owner to claim they have been a victim of a crime and soliciting money from the victim's contacts. Many buyers of these stolen credentials take precautions to maintain access for longer periods, such as changing passwords and using Tor networks to obscure their locations, which helps avoid detection by services that might otherwise identify and shut down the stolen credentials. == Features ==

An infostealer's primary function is to exfiltrate sensitive information about the victim to an attacker's command-and-control servers. The exact type of data that is exfiltrated will depend on the data-stealing features enabled by the operator and the specific variant of infostealer used. Most infostealers, however, do contain functionality to harvest a variety of information about the host operating system, as well as system settings and user profiles. Some more advanced infostealers include the capability to introduce secondary malware, such as remote access trojans and ransomware. They found that the malware automatically exfiltrated all data stored in a computer's protected storage service (which was usually used by Internet Explorer to store passwords) and tries to capture any passwords sent to the computer using the POP3 and FTP protocols. In addition to this, the malware allowed the researchers to define a set of configuration files to specify a list of web injections to perform on a user's computer as well as another configuration file that controlled which web URLs the malware would monitor. Another configuration also allowed the researchers to define a set of rules that could be used to test if additional HTTP requests contained passwords or other sensitive information. More recently, in 2020, researchers at the Eindhoven University of Technology conducted a study analysing the information available for sale on the underground credential black market impaas.ru. As part of their study, they were able to replicate the workings of a version of the AZORult infostealer. Amongst the functions discovered by the researchers was a builder, which allowed operators to define what kind of data would be stolen. The researchers also found evidence of plugins that stole a user's browsing history, a customisable regex-based mechanism that allows the attacker to retrieve arbitrary files from a user's computer, a browser password extractor module, a module to extract Skype history, and a module to find and exfiltrate cryptocurrency wallet files. == Economics and impact ==

Setting up an infostealer operation has become increasingly accessible due to the proliferation of stealer-as-a-service enterprises, significantly lowering financial and technical barriers. This makes it feasible for even less sophisticated cybercriminals to engage in such activities. For the service providers running these stealer operations, the researchers estimated that a typical infostealer operator incurs only a few one-off costs: the license to use the infostealer, which is obtained from a malware developer, and the registration fee for the domain used to host the command-and-control server. The primary ongoing cost incurred by these operators is the cost associated with hosting the servers. Based on these calculations, the researchers concluded that the stealer-as-a-service business model is extremely profitable, with many operators achieving profit margins of over 90% with revenues in the high thousands of dollars. Due to their extreme profitability and accessibility, the number of cybersecurity incidents that involve infostealers has risen. In 2023, research by Secureworks discovered that the number of infostealer logs, or data exfiltrated from each computer, increased from 2 million to 5 million logs from June 2022 to February 2023 on the Russian Market, the biggest underground cyberforum. In 2024, infostealers were used to steal 2.1 billion credentials, over 60% of the 3.2 billion credentials stolen from all organizations. Infostealers are heavily utilized because of their low cost, with an average cost of $200 per month in 2024. In February 2025, it was reported by Hudson Rock that infostealers had compromised email accounts and credentials across multiple US government and military departments, including the FBI. == References ==