SANS Webcast Recap: Infection to Remediation – Exploring the InfoStealer Kill Chain

Dec 18th 2018

While InfoStealers are hardly new, some recent developments have made them far more pervasive, more sophisticated, and more challenging to detect. In this post—condensed from a SANS webcast that he participated in— VMRay Product Manager Rohan Viegas along with SANS analyst Jake Williams discuss the mechanics of how InfoStealers work, how they’ve been commoditized for use by non-technical users, and outlines the steps enterprise organizations can take to detect and protect themselves from increasingly evasive variants.

Information Stealers (“InfoStealers”) as the name would suggest are a type of malware that gather website credentials, passwords, financial information – anything that’s personally identifiable information which can be used to compromise an account and/or be sold on the black market. Until recently, these tools required a certain degree of technical savvy to deploy and operate. But as we’ve seen with the popularity of Ransomware-as-a-Service (RaaS) model, InfoStealer tools are likewise being creatively packaged up and marketed to a broader audience of non-technical users. However, unlike RaaS tools which can typically only be found on underground forums and the Dark Web, many InfoStealer packages can be easily found with a simple Google search and purchased for a nominal amount.


Form Grabbers Get Stealthy

Form grabbers are a critical component of InfoStealers, enabling malware authors to retrieve log-in credentials and other private user information which can then be used to compromise accounts, resulting in the possible exfiltration of intellectual property or more likely, be used to incur large financial losses on businesses.

As SANS analyst Jake Williams explains in the first half of this webinar, many security teams are too complacent about the threat of InfoStealers because they believe having authenticating proxies like Multi-Factor Authentication (MFA) will mitigate these types of attacks. However, because the form grabber is injected into the browser itself, most endpoint and network controls are rendered largely ineffective. This is because once they are on a user’s machine and in the browser, the attacker can receive and act on data (i.e., an SMS code triggered by a 2FA request) before the real user can.

Says Jake, “it’s important to understand that this is not a web proxy in the network – the connection is not being intercepted so by doing just network traffic analysis you are not going to pick up the fact that there is a form grabber stealing credentials or other information out of the form. We even have an example of a PowerShell InfoStealer that we saw actively inserting a signed trusted root certificate and they were actually proxying the data. Attackers are learning how to do all of this very stealthily and network traffic analysis is probably not going to get you there.”


InfoStealers Grow in Sophistication

Formbook is an example of an InfoStealer variant currently operating – and evolving — in the wild. Unlike traditional backdoor malware, InfoStealers rely on a dedicated interface for stealing banking and financial account information. Of course, most log-in forms on a banking website don’t ask for certain private data such as a social security number or ATM Pin that an attacker might need to open a fake credit card account or wire funds out of an account. To gather this additional data, Jake shows how attackers can use web injects to modify the log-in form and request additional data from the user.

“In fact, they have even built their own language for development to standardize the way web injects are written. It’s important to remember that the people building these are not the same people using them. The Zeus malware standardized the language for writing web injects and this language has since been adopted by other malware …Cybercriminals are dealing with interoperability concerns so we have to deal with it as well.”


Delivery & Detection

We in the Infosec community might be tired of hearing about phishing after all of these years but as Jake reminds us, phishing remains the most common delivery method of InfoStealers. As we have gotten better at hardening Java and mitigating Flash vulnerabilities and browser exploits, attackers have pursued the path of least resistance, using a combination of individual and bulk targeting to deliver their malicious payloads.

From a detection standpoint, attackers are employing a variety of evasion techniques to reach their targets, which is why Jake reminds us why we cannot rely on just a single solution: “Sandbox detonation of attachments can definitely help prevent some delivery but if you are relying exclusively on a sandbox detonation just be careful… You need to be smart about doing good layered defense in depth. Attackers are getting very good about counter detection. If you do have a sandbox product, we highly recommend you tailor your analysis environment so it looks like your real environment”

Finally, Jake shows how DNS monitoring can provide a critical first line of defense since many InfoStealer variants are now being sold with the C&C (Command and Control server) address already hard coded. This is why logging DNS can be a powerful tool in identifying dynamic domains that attackers rely on to communicate with compromised machines. “We should be logging  DNS because it gives us a chance to discover an InfoStealer in the first place because in most cases we have some beaconing activity that’s going on.”



Build your own Malware

In the second half of the webinar, we discuss how InfoStealers have been made broadly accessible to attackers, the various ways in which their payloads are delivered, some of their hallmark components and associated behavioral traits, and then outline some of the key signals that can help identify them.

It’s becoming all too easy for an attacker with little to no technical chops to not just get their hands on InfoStealers but also to customize them to meet their specific requirements. They’re cheap and easy to purchase – either on underground forums or on several legitimate looking websites where malware authors are openly advertising them as ‘PC monitoring products’.

The VMRay Research Team analyzed a number of the most popular InfoStealers and the clip below shows how they package their solutions with some subscriptions available for as little as US $15 per month. These all-in-one packages include basic keystroke loggers to more comprehensive anti-detection methods to enable advanced persistency. You can find detailed reports on the most popular InfoStealers on the VMRay Featured Malware Analysis reports here.



As mentioned above, most InfoStealers are delivered by phishing or spam emails. Frequently these include an attachment of a Microsoft Word document that includes a macro or an exploit to attack a specific application vulnerability. One example that we detail is designed to take advantage of a 17 year-old macro called Equation Editor in Microsoft Word that has been largely ignored by users and the Microsoft developer community (to learn more about how attackers target these types of vulnerabilities, read this August blog post from VMRay Senior Threat Researcher, Tamas Boczan, “Forgotten MS Office Features Used to Deliver Malware”).



The most popular InfoStealer products also include a control panel interface designed to help the non-technical attacker customize core components of the malware itself. The control panel provides a high-level dashboard of all of the systems that the attacker has infiltrated, offering a convenient at-a-glance view of the client-side components of the payload (i.e., number of passwords stolen, keystrokes logged, screenshots recorded, etc.)

An intuitive wizard-based interface makes it easy to configure which capabilities an attacker might want to incorporate into the InfoStealer, including:

  • Defining the setting for remote access (i.e., entering URL of the control panel, FTP and SMTP credentials for sending stolen information back to the attacker, etc);
  • Choose logging options and frequency (i.e., keylogger, screen captures);
  • Select which applications to steal data from (i.e., browsers, mail clients);
  • Choose which processes to disable which might detect the malware (i.e., block AVs, add persistence); and
  • Customize which fake message to display (i.e., error popup, information message pop up, etc.)

We also examine some of the behavioral traits that can be customized. While these will depend on the capabilities enabled by the malware builder itself, this allows the attacker to further refine how the InfoStealer behaves once it’s been executed on an end user’s machine.

Finally, we look at the last part of the kill chain: data exfiltration. How is information being sent back to the attacker? These capabilities include custom communication protocols (AZORult families) to less sophisticated methods such as uploading data to FTP server (Hawkeye InfoStealer) or simply emailing all of the information as a text file back to the attacker.


Detecting Evasive InfoStealers

So what are the telltale signs of an InfoStealer? If you’re using a malware sandbox like VMRay, all of the analysis is performed automatically. VMRay Analyzer will show you everything the InfoStealer tried to do — from brute forcing user accounts or trying to read application data to whether it was attempting to steal cryptocurrency wallets to actually trying to connect to a remote host. As demonstrated below, the whole kill chain of an InfoStealer can be holistically analyzed using VMRay Analyzer, providing actionable intelligence to your SOC.



Finally, here are a few more recommendations for recognizing telltale signs that might be associated with an InfoStealer:

  • C2 Traffic: Some InfoStealers such as AZORrult family have distinct network traffic signatures that should be recognizable.
  • Suspicious Connections: Is there an executable file connecting to a PHP script? This is likely something that should be flagged and investigated.
  • Unusual Access: Are the cookies of a web browser being opened by something other than the web browser? More often than not this is the sign of an InfoStealer.
  • Browser Injects: As discussed above, form grabber injections into web browser have become a more common way for attackers to hijack private information 

To learn more about InfoStealers, view the full webcast Infection to Remediation: Exploring the InfoStealer Kill Chain or take a deep dive into VMRay’s research on Analyzing Location-Based Malware with Geo Anonymization.

Autonomous Response to critical malware alerts

VMRay + Palo Alto Networks       JOINT WEBINAR