Information stealers are a well-established commodity product traded in the criminal-to-criminal marketplace.
Infostealers in the C2C market.
Secureworks and KELA have both reported on the state of the market for infostealing malware.
Secureworks: a look at the importance of parsing logs.
Secureworks released a threat report Tuesday discussing “The Growing Threat from Infostealers,” which details the impact of infostealing malware on the cyber threat ecosystem. Logs from infostealers that have taken user data continue to see an increase as time draws on. On the Russian Market underground forum, the total amount of logs for sale increased by 150%, from two million in a day in June of last year, to five million in February of this year. The overall growth rate for the Russian Market forum was also rather notable, with a growth rate of 670% in logs for sale in two years (between June 2021 and May of 2023). Raccoon, Vidar and Redline remain the most pervasive infostealing threats. Legal action against the Genesis Market and RaidForums has slowed underground market activity. Telegram has also benefited from this change, as more logs are being traded over the messaging platform. There is also, researchers report, an increased need for tools to aid in parsing logs once the data is received. Tools with this capability are expected to increase in popularity in the future.
KELA: new commodities in the C2C market.
KELA has also released a report on the state of the criminal market for infostealers. "Delving into the emerging infostealers of 2023" outlines the rise, especially, of Titan, LummaC2, and WhiteSnake. They're traded extensively in automated botnet marketplaces, and also, significantly, in Telegram channels, which have become increasingly attractive to the underworld and their protectors and collaborators in some state intelligence services. What would it cost you to subscribe to an infostealer in the C2C market? "The new stealers are offered at similar prices as older popular ones," KELA writes. "The cheapest stealer is Titan which can be purchased for USD 120 per month as a monthly subscription, while the most expensive is LummaC2, which is available for USD 250 per month. WhiteSnake and StealC can be purchased for USD 140 and USD 200 respectively."
A plea for visibility into outgoing communications.
Dave Ratner, CEO of HYAS, argues that visibility into outgoing communications is vital to mitigating the risk of infostealers. "With the increase in info-stealing malware, visibility into the communication patterns coming out of an enterprise is increasingly important, across both corporate and production environments, to ensure that anomalous outbound communications are identified, inspected, and shut down quickly and efficiently," he said. "Other than preventing the malware from breaching the environment in the first place, this can be the best protection for an organization and drive a true business resiliency strategy."