LastPass Labs

Infostealers: the Widespread Threat From Information-Stealing Malware

Mike Kosak, July 20, 2023

LastPass Labs is the content hub for the Threat Intelligence, Mitigation, and Escalation (TIME) team at LastPass. Our focus is in-depth analysis of the latest security developments, a keen eye toward forward-looking tech, and unique threat perspectives.

While ransomware may continue to dominate the headlines, an insidious form of malware known as infostealers (short for information-stealing malware) is actually far more common, impacting everything from major corporations to individual home computers. Infostealers target sensitive information on infected systems, including passwords, crypto wallets, session cookies, financial details, and other personal data, for quick exfiltration back to the threat actor. Many infostealers are offered for sale as malware-as-a-service (MaaS): criminals purchase a subscription (often for several hundred dollars a month) for access to the malware for their own targeting and use, while maintenance and hosting of the malware remain in the hands of the developer selling it. This lowers the technological barrier to entry for cybercriminals and has driven the rapid expansion of infostealers as a broader cyber threat.

How are victims infected?

Victims can be infected via several methods, including phishing emails, visiting a compromised website, or installing fraudulent apps. Once a computer or network has been infected, the malware executes, seeking to rapidly identify and exfiltrate critical information (including, when possible, LastPass master passwords) from browsers and other important folders. Threat actors then either use this data to gain access to sensitive accounts themselves, or repackage the information for sale on markets, forums, or other criminal sites. Prices currently average approximately $10 per log, and there are millions of logs available for sale at any given time, demonstrating how widespread and commonplace the infostealer threat is. These logs include credentials and other sensitive information from victims ranging from multinational corporations to small businesses to individual personal accounts stolen from a home computer.

What is LastPass doing about this?

To start, as part of our efforts to increase our security capabilities, LastPass has invested substantially in our cyber threat intelligence program. This includes building a dedicated Threat Intelligence, Mitigation, and Escalation (TIME) team, greatly expanding our threat intelligence monitoring and alerting by leveraging open source and proprietary reporting, and proactively monitoring deep and dark web sources for malicious activity. We are also operationalizing this intelligence by automating its integration with our detection and response and vulnerability management teams, allowing for quicker mitigation. Finally, we have developed a dedicated process for monitoring for and alerting on exposed customer credentials for customers who opt into dark web monitoring. As expected, master passwords are highly valued within the infostealer community given the potential to gain access to a customer’s vault and its sensitive data and passwords. While there are dozens of infostealers available, LastPass is tracking three malware strains whose logs are commonly advertised as containing LastPass customer credentials:
  • Redline: This MaaS stealer has been available since 2020 and is among the most common.
  • Raccoon: Variations of this stealer have been available since 2019.
  • Vidar: Available since at least 2018, this stealer is also able to take screenshots. 
LastPass is taking important steps to protect our customers’ credentials. We have recently expanded our dark web monitoring to include infostealer logs and other sources that may contain LastPass customer credentials. While LastPass can’t prevent the initial infection, which usually occurs via phishing, a compromised website, or a fraudulent application run locally on an end user’s device, we can help protect our customers by informing them if we detect that their data has been stolen.
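The infostealer logs described under “How are victims infected?” and the log monitoring described in the paragraph above both reduce to one triage step: picking out, from a dump that holds credentials for every site a victim used, the records that belong to a watched domain. The script below is an added example and is not LastPass’s tooling. It assumes a simplified “Key: value” record format modeled on the per-browser password files that stealer logs commonly contain (real dumps vary by malware family), and the sample dump is constructed.

```python
"""Triage a stealer-log password dump for credentials on a watched domain.

Added example, not LastPass code. The input format (blocks of "Key: value"
lines separated by a line of '=' characters) is a simplified stand-in for the
per-browser password files found in stealer logs; real dumps vary by malware
family, so the parser keeps any "Key: value" line and ends a record at a
separator or blank line.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample dump; none of these are real victims or credentials.
SAMPLE_DUMP = """\
URL: https://lastpass.com/login.php
Username: alice@example.com
Password: correct horse battery staple
Application: Google Chrome_Default
===============
URL: https://accounts.example.net/signin
Username: alice
Password: hunter2
Application: Google Chrome_Default
===============
url: https://identity.lastpass.com/
username: bob@example.org
password: Tr0ub4dor&3
application: Mozilla Firefox_default
===============
URL: https://www.lastpass.com.evil-phish.example/login
Username: carol@example.com
Password: password1
Application: Microsoft Edge_Default
"""

SEPARATOR = re.compile(r"^=+\s*$")
KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z _-]*?)\s*:\s*(.*?)\s*$")


def parse_records(text):
    """Yield one dict per record with lower-cased, underscore-joined keys."""
    record = {}
    for line in text.splitlines():
        if SEPARATOR.match(line) or not line.strip():
            if record:
                yield record
                record = {}
            continue
        m = KV_LINE.match(line)
        if m:
            record[m.group(1).lower().replace(" ", "_")] = m.group(2)
    if record:
        yield record


def host_matches(url, watched_domain):
    """True only if the URL's host is the watched domain or a subdomain of it.

    A substring test on the URL would also flag look-alike hosts such as
    lastpass.com.evil-phish.example, i.e. credentials typed into a phishing
    page, which need different handling from a real vault login.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == watched_domain or host.endswith("." + watched_domain)


def fingerprint(secret):
    """Truncated hash used as a handle for de-duplication across dumps, so the
    triage output never carries plaintext. It is not a protection: a weak
    password's hash is trivially crackable, so the output is still sensitive."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_exposed_accounts(dump_text, watched_domain):
    """Return one entry per record whose URL belongs to watched_domain."""
    hits = []
    for rec in parse_records(dump_text):
        url = rec.get("url", "")
        if not host_matches(url, watched_domain):
            continue
        hits.append({
            "username": rec.get("username", ""),
            "host": urlparse(url).hostname,
            "source": rec.get("application", "unknown"),
            "password_fp": fingerprint(rec.get("password", "")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_exposed_accounts(SAMPLE_DUMP, "lastpass.com"):
        print(hit)
```

Two choices matter here. Matching on the parsed hostname rather than on a substring of the URL keeps look-alike phishing domains out of the “vault credential exposed” bucket, where they would trigger the wrong response. And the output carries only a truncated hash of each password: that is enough to recognise the same credential across several dumps, but it is still derived from the secret, so the triage output must be handled as sensitive data and not mailed around.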

What steps can you take to protect your account?

We recommend that all LastPass users opt into our dark web monitoring program, which will provide an extra level of coverage. We will notify you if your credentials are found on the dark web. Additionally:
  • Use multifactor authentication (MFA) wherever it is offered. Don’t accept or approve MFA requests that you didn’t explicitly generate.
  • Don’t trust apps offered through channels other than the official app stores.
  • Use an antivirus program and update it regularly or, better yet, set it to update automatically.
  • Don’t save your master password on your device, even in browser-provided autofill or saved-password options.
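A concrete way to check the last item above on your own machine, as an added example that is not LastPass software: it lists saved logins for lastpass.com in a Chromium “Login Data” store so the entry can be deleted from the browser. The file, table and column names are the ones Chromium uses for saved passwords; the sample store built inside the script is constructed with only the columns the check needs, and the default profile paths assume Google Chrome’s standard locations.

```python
"""Find saved logins for a watched domain in a Chromium "Login Data" store.

Added example, not LastPass code. Chromium-based browsers keep saved logins in
a SQLite file called "Login Data" in the profile directory, table "logins";
only the origin_url, username_value, password_value and date_created columns
are used here, and the sample store built below contains just that subset of
the real schema. The (encrypted) password_value is never returned: the point
is to locate a saved master password so the entry can be deleted.
"""
import os
import shutil
import sqlite3
import sys
import tempfile
from urllib.parse import urlparse

WATCHED_DOMAINS = ("lastpass.com",)


def host_matches(url, domain):
    """True only for the domain itself or one of its subdomains, never for
    look-alikes such as lastpass.com.evil-phish.example."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def saved_logins_for(login_data_path, domains=WATCHED_DOMAINS):
    """Return (origin_url, username) pairs for saved logins on the watched domains.

    The store is copied before opening because a running browser holds a lock
    on it; the copy is removed afterwards so no extra copy is left on disk.
    """
    tmpdir = tempfile.mkdtemp()
    try:
        copy = os.path.join(tmpdir, "login-data.copy")
        shutil.copyfile(login_data_path, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute(
                "SELECT origin_url, username_value FROM logins "
                "WHERE length(password_value) > 0 ORDER BY date_created"
            ).fetchall()
        finally:
            con.close()
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
    return [(url, user) for url, user in rows
            if any(host_matches(url, d) for d in domains)]


def default_login_data_paths():
    """Default Google Chrome profile location per platform; other Chromium
    browsers and extra profiles live in sibling directories."""
    home = os.path.expanduser("~")
    if sys.platform == "win32":
        base = os.path.join(os.environ.get("LOCALAPPDATA", home), "Google", "Chrome", "User Data")
    elif sys.platform == "darwin":
        base = os.path.join(home, "Library", "Application Support", "Google", "Chrome")
    else:
        base = os.path.join(home, ".config", "google-chrome")
    return [os.path.join(base, "Default", "Login Data")]


def build_sample_store(path):
    """Constructed sample store (not a real profile) using the column subset above."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB, date_created INTEGER)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
        ("https://lastpass.com/login.php", "alice@example.com", b"v10\x00enc", 1),
        ("https://shop.example.net/login", "alice", b"v10\x00enc", 2),
        ("https://identity.lastpass.com/", "alice@example.com", b"v10\x00enc", 3),
        ("https://lastpass.com.evil-phish.example/", "alice@example.com", b"v10\x00enc", 4),
        ("https://lastpass.com/login.php", "old@example.com", b"", 5),  # no stored secret; filtered out
    ])
    con.commit()
    con.close()


def demo_on_sample_store():
    """Build the constructed store in a temp dir and scan it; returns the hits."""
    tmpdir = tempfile.mkdtemp()
    try:
        path = os.path.join(tmpdir, "Login Data")
        build_sample_store(path)
        return saved_logins_for(path)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    paths = sys.argv[1:] or default_login_data_paths()
    for p in paths:
        if not os.path.exists(p):
            print(f"{p}: not found")
            continue
        for url, user in saved_logins_for(p):
            print(f"{p}: saved login for {user} at {url} -> delete this entry")
```

Run it with no arguments to scan the default Chrome profile, or pass the path of any “Login Data” file (other Chromium browsers, additional profiles). It reads the same store an infostealer reads, which is exactly why a master password saved there is exposed the moment the machine is infected; the fix is to delete the entry in the browser’s password settings, not to rely on the encryption of password_value, which the browser decrypts for any process running as the user.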
LastPass will continue to improve our monitoring and reporting capabilities, and we are developing a process to proactively disrupt the malware strains targeting LastPass accounts. We are committed to keeping our customers and the larger cybersecurity community apprised of these trends, the steps we are taking to keep our customers' data safe, and the impact our efforts are making, as part of our commitment to transparency.

The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team is focused on protecting our community by monitoring for, analyzing, and mitigating threats targeting our customers, our company, and our industry. The team has nearly 50 years of combined intelligence and cyber experience and firmly believes in information sharing and relationship building as the key to a successful intelligence program. Our goal within LastPass is to provide timely and actionable intelligence to stakeholders that allows our security teams to protect our customers, their data, and the company. In addition to conducting analysis and informing our security teams on developments in the larger cyber threat environment, we are also working to automate our intelligence inputs into our partners’ processes and minimize the time from threat awareness to mitigation.