Digital Fraud, Threat Intelligence

What Stealers Can Collect: A Detailed Analysis of the Information

By Content Team on

Stealer malware is one of the most significant external cybersecurity threats today. These malicious programs are designed to collect valuable information, including passwords, financial details, personal data, and more. They can steal information from various sources, including web browsers, desktop applications, and cryptocurrency wallets.

But what exactly can this malware collect? Here is a detailed analysis of the information stolen by stealers.


Malware Logs

A stealer bundles the sensitive information it collects into packages commonly known as malware logs. A log (package) contains all the information stolen during a single run of the stealer on a device.


What Do These Logs Contain?

By analyzing a log from a well-known stealer obtained from a distribution channel where logs are published, the following structure can be observed:

  • Autofills: This directory contains text files with autofill information saved in browsers. These forms often include email addresses, passwords, home addresses, credit card details, personal data, and other sensitive information that can be highly valuable to malicious actors.

  • Cookies: This directory contains text files with cookies saved in browsers. Malicious actors can use these cookies to access services while authenticating as the victim.

  • FileGrabber: This directory contains files that match the stealer's predefined targets, usually sensitive files. The files of interest are typically selected by type, since attackers know that text files, databases, images, and videos can be profitable if stolen.

  • Steam: This directory contains files with information about the Steam software installed on the infected device. Attackers are attracted to accounts from services like Steam because they can be sold to interested parties on dark markets.

  • DomainsDetects.txt: A text file listing domains recently visited from the infected device. This information helps attackers classify logs and determine whether a device is corporate or personal.

  • InstalledBrowsers.txt: A text file listing the browsers identified by the malware and their paths on the system. This information makes it easier for attackers to expand their collection and potentially exploit the software in future attacks.

  • InstalledSoftware.txt: A text file with the software installed on the device as detected by the malware. Like InstalledBrowsers.txt, this information aids attackers in conducting future attacks by providing details about the installed software.

  • Passwords.txt: A text file containing URLs, usernames, passwords, and the applications from which the malware collected them. This is the most sought-after data for attackers, as it has the highest market value.

  • UserInformation.txt: A text file with details about the hardware and operating system of the infected device. This information is useful for subsequent attacks and helps classify the source of the information.

  • Screenshots: Screenshots taken at the moment the information was collected. They help the attacker identify installed software that the malware may not have recorded in InstalledSoftware.txt, as well as other files of interest that FileGrabber might not have captured.


These are just a few examples of the information collected. Stealer malware is designed to steal a variety of personal and financial information, including:

  • Passwords: They can track and capture passwords stored on infected devices, including those for email, social media, and online banking.
  • Credit Card Numbers: They can search for and capture credit card numbers stored on infected devices, including those saved in browsers or e-commerce apps.
  • Banking Data: They can track and capture banking information, including account balances and recent transactions.
  • Personal Information: They can track and capture personal information such as names, addresses, phone numbers, and personal identification details.
  • Browsing Information: They can track and capture the user’s browsing activities, including browsing history, cookies, and form data.


Points of Concern

Stealers also collect access information to corporate environments, such as credentials for RDP, VPN, SMB, FTP services, and others stored on the infected device.

Access obtained by stealers is frequently used in subsequent attacks, such as ransomware and theft of sensitive information.
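The package layout listed above and the corporate access credentials described here are what a defender has to triage when a log affecting their organization surfaces. The Python script below is an added example and is not code from the article or from Axur. It assumes the directory and file names the article lists, a constructed "KEY: value" layout for Passwords.txt (real stealer families use their own formats, so FIELD_MAP would need adapting), and a constructed sample package. It reports which artifacts are present, whether DomainsDetects.txt points to a corporate device, and which stolen credentials touch monitored domains or remote-access services (RDP, VPN, SMB, FTP), referring to each password only by a hash prefix so the clear text never reaches the report.

```python
# Defender-side triage of one stealer log package. Added example, not code from the article or
# from Axur: the package layout follows the article; the Passwords.txt layout and all sample values are constructed.
import hashlib
from urllib.parse import urlsplit

# Artifacts the article lists for a log package.
EXPECTED_ARTIFACTS = ("Autofills", "Cookies", "FileGrabber", "Steam", "Screenshots",
                      "DomainsDetects.txt", "InstalledBrowsers.txt",
                      "InstalledSoftware.txt", "Passwords.txt", "UserInformation.txt")
# Assumed Passwords.txt layout: blocks of "KEY: value" lines separated by blank lines.
FIELD_MAP = {"URL": "url", "USER": "username", "PASS": "password", "SOFT": "application"}
# Remote-access services the article names as corporate access that stealers pick up.
SERVICE_HINTS = ("rdp", "vpn", "smb", "ftp")

# Constructed sample content (nothing here comes from a real log).
SAMPLE_PASSWORDS = """URL: https://mail.example.com/login
USER: alice@example.com
PASS: Winter2024!
SOFT: browser password store

URL: https://www.shop-site.test/account
USER: alice.personal
PASS: hunter2
SOFT: browser password store

URL: rdp://10.20.30.40
USER: CORP\\alice
PASS: Winter2024!
SOFT: saved RDP connection
"""
# Directory names map to None, files to their text (a real loader would build this from os.listdir()).
SAMPLE_PACKAGE = {
    "Autofills": None, "Cookies": None, "Screenshots": None,
    "Passwords.txt": SAMPLE_PASSWORDS,
    "DomainsDetects.txt": "intranet.example.com\nwww.shop-site.test\n",
    "UserInformation.txt": "constructed sample, no real hardware data\n",
}

def inventory(package):
    """Expected artifacts that are present and those that are missing."""
    found = [a for a in EXPECTED_ARTIFACTS if a in package]
    return found, [a for a in EXPECTED_ARTIFACTS if a not in package]

def parse_password_records(text):
    """Split Passwords.txt into dicts; keys outside FIELD_MAP are ignored."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last block
        key, sep, value = line.strip().partition(":")
        field = FIELD_MAP.get(key.strip().upper())
        if sep and field:
            current[field] = value.strip()
        elif not line.strip() and current:
            records.append(current)
            current = {}
    return records

def host_of(url):
    """Hostname from a URL or a bare host ('rdp://10.0.0.5', 'vpn.example.com')."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def credential_ref(secret):
    """Short SHA-256 prefix: lets analysts spot reuse without handling the clear text."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def triage(records, monitored_domains):
    """Records that touch a monitored domain or a remote-access service."""
    domains = tuple(d.lower() for d in monitored_domains)
    hits = []
    for rec in records:
        url, user = rec.get("url", ""), rec.get("username", "")
        host, scheme = host_of(url), (url.split("://", 1)[0].lower() if "://" in url else "")
        domain_hit = in_domain(host, domains) or any(user.lower().endswith("@" + d) for d in domains)
        service_hit = any(h == scheme or h in host for h in SERVICE_HINTS)  # name-based heuristic
        if domain_hit or service_hit:
            hits.append({"host": host, "username": user, "application": rec.get("application", ""),
                         "corporate_domain": domain_hit, "remote_access": service_hit,
                         "credential_ref": credential_ref(rec.get("password", ""))})
    return hits

def classify_device(domains_text, monitored_domains):
    """The article's corporate/personal split, driven by DomainsDetects.txt."""
    domains = tuple(d.lower() for d in monitored_domains)
    seen = (h.strip().lower() for h in domains_text.splitlines() if h.strip())
    return "corporate" if any(in_domain(h, domains) for h in seen) else "personal"

def analyze_package(package, monitored_domains):
    """Triage report: inventory, device class, and the credentials that need a reset."""
    found, missing = inventory(package)
    records = parse_password_records(package.get("Passwords.txt") or "")
    device = classify_device(package.get("DomainsDetects.txt") or "", monitored_domains)
    return {"found": found, "missing": missing, "device": device,
            "hits": triage(records, monitored_domains)}

if __name__ == "__main__":
    for hit in analyze_package(SAMPLE_PACKAGE, ["example.com"])["hits"]:
        print(hit)
```

On the constructed sample, the report classifies the device as corporate, flags the mail.example.com credential because of the monitored domain and the RDP entry because of its scheme, and leaves the personal shop account out. The two flagged hits share the same credential_ref, which is the signal an analyst wants: the same password protects a browser-stored corporate account and a saved RDP connection, so a reset of one without the other leaves the remote-access path open.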

In addition to monitoring the deep and dark web for exposed information, having a specialized platform, like Axur’s, can help mitigate impacts and respond quickly to threats like this.


The Crucial Role of MSSPs in Defending Against Stealer Malware

Managed Security Service Providers (MSSPs) are essential in safeguarding businesses and their clients from the significant threat of stealer malware. By leveraging an advanced external cybersecurity platform, MSSPs provide continuous monitoring, real-time threat detection, and quick response to potential breaches. By utilizing sophisticated tools and platforms like Axur's, MSSPs can proactively identify and mitigate the risks associated with stealer malware, ensuring that their clients' sensitive information remains secure. This proactive approach helps businesses maintain the trust of their customers while effectively combating sophisticated cyber threats.

GUEST EXPERT

Eduardo Schultze, CSIRT Coordinator at Axur, holds a degree in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.

AUTHOR

Content Team

Experts in creating relevant external cybersecurity content to make the internet a safer place.