Infostealers: silent thieves in the digital world
Infostealers are a particularly insidious type of malware, designed to steal personal and sensitive information stealthily, often without the victim ever noticing. These malicious programmes operate in the background, collecting data such as login credentials, financial details, browsing history and private documents. Infostealers frequently evade antivirus detection, relying on obfuscation techniques and constant updates to their code to remain hidden.
Peddling stolen credentials on Telegram: a growing black market
Telegram, the instant messaging app known for its end-to-end encryption and anonymity, has unfortunately also become a breeding ground for the illegal trade in stolen login credentials.
On Telegram, numerous private channels and groups are dedicated to the exchange and sale of sensitive data, including usernames, passwords, credit card details, personal information, and even login credentials for corporate services such as VPNs and e-mail. These channels often operate in a semi-public manner, requiring administrator approval for access, but once inside, users can browse through offers of stolen data, most of it harvested by infostealer infections.
Background of the incident: counterfeit software and false security
The case we are going to analyse concerns a user who, attracted by the possibility of saving money, downloaded a counterfeit version of an expensive software product from a suspicious website. Despite using an up-to-date antivirus, the user fell victim to an infostealer hidden inside the pirated software. The situation was aggravated by the fact that the user was also using his home PC for work, thus exposing sensitive business data to the risk of theft as well.
The incident
As soon as the user installed the counterfeit software, the infostealer started its malicious activity. Initially, the antivirus did not detect any threat, reinforcing the user’s false sense of security. Meanwhile, the malware began collecting a wide range of data, including user names, passwords, credit card details, browsing history and personal documents.
The situation came to a head when the infostealer stole the user’s VPN and corporate e-mail login credentials. This allowed the cybercriminals to gain access to the company’s network, where they subsequently moved through the environment and exfiltrated data in order to demand a ransom from the company.
The consequences for the user were clearly severe: compromised online accounts, financial losses, reputational damage and the risk of identity theft. But the most serious repercussions were for the company, which was faced with a data breach, financial and reputational damage, as well as the costs of restoring operations and network security.
The CYBEROO Incident Response team was engaged by the company to address the critical cybersecurity breach. The team swiftly responded, contained the incident, restored systems to a secure state, and implemented measures to prevent future occurrences, effectively safeguarding the organisation’s digital assets and data integrity.
Cybersecurity: the importance of a proactive approach
This incident underlines the importance of taking a proactive approach to computer security. The use of counterfeit software, even on a system protected by antivirus software, represents an unacceptable risk. Infostealers are a real and ever-evolving threat that can evade traditional defences.
It is essential to use only original and trustworthy software, keep your antivirus up to date and adopt safe browsing practices. It is equally important to educate users about the risks of using pirated software and about protecting their personal and corporate data with 24-hour managed services. IT security is a shared responsibility that requires constant commitment from everyone.
Technical analysis by Simone Marinari – Incident Response Lead, CYBEROO