Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic; the filters can be used to further select the content most relevant to you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Infostealers boost the malware market
Compromised endpoints—which underground actors have bundled and sold as so-called “bots”—contain login credentials, sensitive system information and cookie sessions. Actors siphon this information from victims’ machines using credential-stealing malware and sell it on Dark Web marketplaces for as little as US$10 to US$200.
Accenture research shows that marketplaces for endpoint access threaten the majority of medium-to-large corporations across industries and geographic regions, which face exposure directly through a corporation’s own networks or through third-party compromises.
Information stealers (malicious software known as infostealers) are typically designed to obtain (that is, access or copy) credentials with functionality beyond basic keylogging. This could include usernames, passwords, keys, tokens, cookie sessions and so on.
Infostealers are highly active
As of November 2021, based on available data, the most utilized infostealers providing underground marketplace inventory are Redline (53%), Vidar (35%), Taurus (4%), Raccoon (4%) and Azorult (2%) (see Figure 4). However, Accenture also found information-stealing campaigns active from June to November 2021 using Qakbot and NanoCore most often (see Figure 5).
Infostealer popularity varies
Data collection biases partially explain the discrepancy between the infostealers actors used in then-active campaigns and those they used to feed marketplaces with inventory. Yet this inconsistency also showcases underground marketplaces’ reliance on newer infostealers, while established groups rely on tried and tested infostealers. And while Redline only makes up 4% of the market share, the use of this infostealer is growing at a faster rate than the others. Redline has gained popularity following its involvement in the July 2021 Tokyo Olympic ticket data breach [14]. Redline infects systems through a loader installed by malicious Microsoft Word or Excel documents in phishing emails or social media messages [15].
Here are some ways your organization can position itself to address malicious software:
• Protect corporate environments: Accenture research shows that while marketplace infostealers have infected both corporate and private machines, the latter creates greater exposure for both if it is able to synchronize with corporate infrastructure. This synchronization enables infostealers to increasingly avoid the security measures that strict corporate environments provide and enables infostealers to remain in victims’ systems longer, updating scraped information as that information changes over time.
• Be aware of the growing “bots” business: The number of so-called “bots” (tools that incorporate the functionality of login credentials, cookie sessions and “plugs”, which enable the easy use of stolen data via a browser plug-in) for sale on underground marketplaces has increased steadily since 2017—from approximately 76,000 “bots” for sale between December 2017 and December 2019 to more than 11 million “bots” for sale between December 2019 and November 2021. Accenture attributes this rapid rise to the remote working environment, accelerated by the COVID-19 pandemic, and to greater use of multi-factor authentication (MFA), which has increased the utility and value of these “bots.” Depending on a corporation’s security posture, these “bots” can grant direct access to affected systems or provide skilled actors an easier way into networks. Stealing an active cookie session makes “bots” significantly more effective than using compromised login credentials alone. As a result, ransomware groups, business email compromise rings and data extortionists commonly use endpoint marketplaces, with Accenture and other cybersecurity organizations attributing multiple recent attacks to the endpoint market [16].
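The point above is that a stolen session cookie lets a buyer step straight past MFA. The defensive counterpart is to bind each session to the client context that passed MFA and to force re-authentication when the cookie shows up from somewhere else. The following is an added illustration, not code from Accenture or HSD; the fingerprint scheme (network prefix plus User-Agent), the cookie value and the IP addresses are constructed sample data.

```python
"""Detect replay of a session cookie from a client other than the one that passed MFA.

Added example, not part of the original text. Assumes a web application that
stores a client fingerprint when a session is created and re-checks it on
every request. All session records and request values are constructed samples.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    fp: str                 # fingerprint hash captured at login
    mfa_ok: bool = True     # cleared when the cookie is seen from a new client
    alerts: list = field(default_factory=list)


def fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client's network prefix (/24 or /64) and User-Agent.
    Coarse on purpose: ordinary DHCP churn inside one network does not trip
    it, but a cookie presented from a different network or browser does."""
    prefix = 64 if ":" in ip else 24
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


def check_request(store: dict, cookie: str, ip: str, user_agent: str) -> str:
    """Return 'ok', 'reauth' or 'unknown' for one request carrying `cookie`.
    A mismatch is what a marketplace 'bot' looks like in practice: a valid
    cookie arriving from a machine that never completed MFA. The session is
    downgraded so the application must demand a fresh MFA challenge, and an
    alert is recorded for the SOC."""
    s = store.get(cookie)
    if s is None:
        return "unknown"
    if fingerprint(ip, user_agent) != s.fp:
        s.mfa_ok = False
        s.alerts.append(f"session of {s.user} replayed from {ip} with {user_agent!r}")
        return "reauth"
    return "ok" if s.mfa_ok else "reauth"


def new_session_store() -> dict:
    """Constructed sample: 'alice' logged in from 203.0.113.10 with Chrome."""
    return {"c0ffee": Session("alice", fingerprint("203.0.113.10", "Mozilla/5.0 Chrome/96"))}


if __name__ == "__main__":
    store = new_session_store()
    print(check_request(store, "c0ffee", "203.0.113.42", "Mozilla/5.0 Chrome/96"))  # ok
    print(check_request(store, "c0ffee", "198.51.100.7", "Mozilla/5.0 Firefox/94"))  # reauth
    print(store["c0ffee"].alerts)
```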