May 19, 2023 - Technology

Law enforcement is fighting the rise of "infostealer" malware

Illustration: Annelise Capossela/Axios

Law enforcement has set its sights on criminal marketplaces like Genesis Market over the last year as ransomware gangs have increased their reliance on stolen login credentials and malware-as-a-service to launch their attacks.

The big picture: Genesis stood out to law enforcement because it facilitated sales of stolen passwords, as well as access to bot computers already infected with so-called infostealer malware, which could be used to steal a victim’s information.

  • Last year, nearly three in 10 ransomware attacks started with attackers using a stolen password, according to Sophos' "State of Ransomware" report.

Why it matters: Infostealer malware gives cybercriminals a low-cost, guaranteed way of obtaining usable passwords and cookie information — and interest in the malware has been soaring on dark web hacker forums over the last year.

  • Rather than combing through the hoards of old passwords dumped on the dark web to find a combination that still works, cybercriminals can instead deploy this malware themselves to get fresh data — or turn to markets like Genesis to buy new data other gangs obtained using this malware.
  • While the U.S. Department of Justice seized 11 domain names tied to Genesis last month, a few reports this week suggest that the infostealer malware ecosystem is still thriving despite law enforcement's efforts.

How it works: Infostealer malware is often deployed through malicious apps or phishing links.

  • One example is a recent ChatGPT-related app scam: Hackers embedded infostealer malware in a fake ChatGPT browser extension that siphoned off any data stored in the victim's browser within minutes of being installed.
  • Researchers estimated that the malware collected upward of 4 million login credentials from personal and corporate accounts.

Between the lines: Infostealer malware has been around for years, but the difference now is how many criminals are relying on the data stolen through it.

  • Before the 2021 ransomware attack on Colonial Pipeline, a lot more attacks started through malicious deployment tools, such as cracked versions of Cobalt Strike, Don Smith, vice president of threat research at SecureWorks, told Axios.
  • Now, most gangs have ditched those tools — which have also attracted law enforcement and private sector attention — in favor of stolen passwords and infostealer malware.
  • "It's growing significantly," Smith said. "It's healthy; you would almost argue that it's mature."

State of play: Genesis was one of the three go-to marketplaces for such malware and the data that criminals have stolen using it.

  • Despite the takedown, Genesis' dark web site is still operational, and criminals are still publishing new sale listings, although at a slower rate than before, researchers at SecureWorks said in a report this week.
  • Russian Market is the largest marketplace, and researchers are watching closely to see if criminals bring their business there, instead of Genesis, after the takedown. At the end of February, more than 5 million data logs were for sale on Russian Market, per the SecureWorks report.
  • 2easy — another infostealer marketplace — has been around since 2018, and as of February, as many as 750,000 browser logs were being sold on the site, SecureWorks researchers said.

Yes, but: Law enforcement's Genesis takedown still had a significant impact on trust among the marketplace's buyers and sellers, Andras Toth-Czifra, senior analyst of global intelligence at Flashpoint, told Axios.

  • "People don't know who operates it, and they're afraid that it's a honeypot," Toth-Czifra said. "Even if it's not a takedown, I don't think Genesis will come back from this."
