How Infostealer Threat Actors Make a Profit

An Infostealer is a type of information-stealing malware whose goal is to steal user credentials and data such as account information, cryptocurrency wallet addresses, and files saved by programs such as web browsers and email clients.

According to the ASEC report for Q3 2022, Infostealers make up more than half of the executable-format malware types reported by client companies or collected by AhnLab. Since downloader-type malware ultimately installs Infostealers or backdoor-type malware as well, it can be said that most of the malware distributed to attack ordinary or corporate users is Infostealers.[1]

Figure 1. Malware statistics in Q3 2022

Ordinarily, Infostealers are distributed via malicious websites disguised as download pages for cracks and keygens for commercial software, or as attachments to spam emails. The following shows the statistics of Infostealers detected in Q3 2022. AgentTesla, Formbook, Lokibot, and SnakeKeylogger were usually distributed as attachments to spam emails, whereas Redline, CryptoBot, and Vidar were distributed as downloadable files on malicious websites disguised as download pages for cracks or legitimate software. There have also been cases where Vidar was distributed alongside the LockBit ransomware as an attachment to spam emails.

Figure 2. Infostealer statistics in Q3 2022

Threat actors that distribute Infostealers can misuse the account credentials collected from infected systems in a variety of ways. For example, the stolen credentials, including account information, can be used directly in attacks or sold on the deep web for use by other threat actors. If the target is a corporate user, the stolen information can be used to infiltrate the corporate network, and the collected list of email addresses can be used in another spam email campaign.

Here is a threatening email recently sent by a threat actor following the target system’s infection with an Infostealer. The infection appears to have occurred on Wednesday, December 7th. On Friday, December 23rd, the threat actor sent the following email to the infected user whose account credentials had been stolen.

Figure 3. Threatening email sent by the operator

It was sent with the subject “Gained access to your device..” followed by the name of the user’s computer. The body of the email included the stolen account information, that is, the list of passwords. Two other files were attached besides this: a PDF document and a JPG image. The JPG image appears to be a screenshot captured by the malware upon infection, included to convince the victim that the threat actor has taken control of the target PC. The screenshot in question shows the user reading an online article on Naver in a web browser.

Figure 4. Screenshot captured upon Infostealer infection

For reference, taking a screenshot immediately after infection and sending it to the C&C server is a feature supported by most Infostealers. More specifically, Infostealers such as AgentTesla[2], SnakeKeylogger[3], and RedLine[4] periodically take screenshots and send them to the C&C server when the option is enabled. Formbook[5] also includes screenshots in the list of information it steals.

The attached PDF file contains a message threatening the user into sending Bitcoin. The text begins by telling the user that the threat actor has hacked their system, stolen their information, and watched them for a long period of time. It also threatens to use the collected information to create pornographic material and send it to the user’s acquaintances through email and social media. It then instructs the user to send $1,200 to the threat actor’s Bitcoin wallet address to stop this from happening.

Figure 5. Contents of the PDF file – 1

It continues by stating that if this amount is paid within 48 hours, the collected information and the installed malware will be deleted, and concludes by advising the user not to visit suspicious websites in the future.

Figure 6. Contents of the PDF file – 2

Additionally, a search for the aforementioned wallet address showed that it had no transaction history as of yet. However, since a search for the text of the PDF file brings up multiple results, it is likely that the threat actor has been extorting users in this manner for a long time. The wallet addresses found in those search results did show a transaction history, as shown below.

Figure 7. Transaction history of a Bitcoin wallet address used in another attack
  • Threat actor’s Bitcoin wallet address: bc1qerarqnkt0jwq0zn3z7tn7zgerkpq7k6lqrqsw8

Users must exercise strict caution when handling attachments in emails from unknown sources or executables downloaded from the web. Products such as utility programs and games should be downloaded from their official websites.

Users should also apply the latest patches for their OS and web browsers, and update V3 to the latest version, to prevent such malware infections in advance.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
