As part of our ongoing efforts to raise awareness among users and organizations in the region about Internet vulnerabilities and promote best cybersecurity practices, today we will be sharing information about infostealers. We have observed a rise in this type of cybersecurity threat, so we believe it is essential to alert and prepare the technical community.
Infostealers are one of the cyberthreats that can cause us the most damage, as they have the ability to steal our system access credentials, i.e., the username and password associated with an account.
What is an infostealer? Infostealers are a type of malware designed to collect access credentials for the purpose of exfiltrating sensitive information.
Their main goal is to gather access credentials to various systems, for example, those automatically saved in browsers, banking and financial information, personal identification numbers, and others. They can also collect information from web browsers, email clients, and other applications.
How do they work? Infostealers are spread through various means, primarily through phishing email messages (the most common method), malicious attachments, infected websites, software vulnerabilities, or pirated software, regardless of whether the device has active antivirus protection.
The stolen credentials are often sold on black markets or on social networks frequented by cybercriminals.
(Free access, no subscription required)
Top infostealers. According to the LACNIC CSIRT observatory, RedLine, Raccoon, and Lumma are the leading infostealer families in our region. In fact, RedLine accounts for almost 50% of all incidents.
The three malware families use various techniques to collect data from infected computers in order to steal access credentials and later sell them on the black market. The following image shows their distribution.
It should be noted that “Other” includes 14.6% of generic stealers, which are developed to steal a wide variety of data.
Top infostealers. According to the LACNIC CSIRT observatory, RedLine, Raccoon, and Lumma are the leading infostealer families in our region. In fact, RedLine accounts for almost 50% of all incidents.
The three malware families use various techniques to collect data from infected computers in order to steal access credentials and later sell them on the black market. The following image shows their distribution.
It should be noted that “Other” includes 14.6% of generic stealers, which are developed to steal a wide variety of data.
Protecting our information. Our most important asset is information, whether personal or that of our organization. This is why we must protect it and why it is important to practice safe online behavior. We must pay attention while browsing and ensure that all actors —including developers, professionals, and users— consider Internet security a shared responsibility.
Recommendations
Avoid practices that can put our equipment, devices, and data, especially our passwords, at risk.
Pay attention before opening an email or downloading an attachment. Phishing techniques are designed to convince users to open, click on, and download malicious emails.
Educate users about phishing and other social engineering tactics.
Use strong and robust passwords; avoid saving them in your browsers.
Use two-factor authentication whenever possible. A password combined with multi-factor authentication creates a double layer of protection.
If the system is infected by malware, try to isolate the infected device(s).
Once the problem is detected, it is necessary to address it and protect any of the organization’s environments that might have been compromised.
Be careful and report if you detect or suspect that access credentials have been compromised. In addition to changing your password at the slightest suspicion, those potentially affected should immediately report to their organization’s CSIRT or, if unavailable, to their IT department.
Our CSIRT is available to report security incidents and threats involving infostealers and is ready to coordinate as necessary to mitigate them. We even have a plan for organizations to develop enhancements for their critical infrastructure.
Additionally, we offer training services for professionals through the LACNIC Campus, including specific courses on security and incident management.
Our final recommendation for organizations is to implement access credential monitoring systems and indicators of compromise (IoC), implement two-factor authentication, and have a response plan in place for potential security breaches.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.
