Infostealer Data and What to Do With It

We don't expect everyone to live and breathe this kind of data like we do. Hence, the tutorial that follows.

Let's break down what is normally in a data package of this type. These are the standardized items that tend to exist regardless of which stealer executed to perform the data exfiltration.

  • Network Info
  • System Summary
  • Process List (and count)
  • Installed Apps (user specific in some cases)
  • Stored Passwords
  • Brute Force of Passwords across the system
  • Autofill data from browsers
  • Cookies & session data from browsers
  • Targeted Software

Past this normalized list is a set of curated items that are more specific to the type of stealer. Some stealers care more about particular software types, such as a lengthy list of crypto wallets, while others hone in on other areas, such as tokens, email clients or software development clients.

How do I use this?

Good question. Let's answer it.

Let's begin with the three very important elements of information you need.

#1 - When did this happen?

Within the package of exfiltrated data are numerous locations that will tell you when the data was taken. In some cases it's outright obvious and the date is logged. If it's not sanitized or scrubbed out, this is a solid indicator of the date of theft. Otherwise, there are multiple locations within the data from which to derive the date. We enumerate those ways that we derive this discovery for paying members.

Knowing "when" something was taken is crucial to mounting a proper response. A theft from yesterday could drive an IR event, while something from two years ago may only get a shrug. Having the time frame is critical, which is why, in the layers of analysis we put on top of the data, we consider this a crucial data point to convey.

#2 - Who was affected?

Again, the data package holds the keys to unlock this secret. In some cases it's an open secret, where the company name is obvious and prominently present. Sadly, those cases are the minority; in most, it is less clear. This is where key information, such as the IP address, person, running processes and similar items, helps paint the picture. We enumerate those ways that we derive this discovery for paying members.

#3 - What is the impact?

This is the most complicated and yet most critical element to derive. Effectively, you need to know "how bad it is" to take the appropriate actions.
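As an added illustration (not the author's tooling, and not the member-only methods referred to above), here is a small triage routine over a constructed stealer-log package that works through the three questions: the log's own timestamp for "when", the e-mail domain that dominates the stored credentials for "who", and the corporate credentials to reset plus still-unexpired session cookies to revoke for "impact". The file names, field labels, cookie name and all values are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of a stealer-log package, keyed by file name. File names, field
# labels and values are assumptions for illustration, not any real family's format.
SAMPLE_PACKAGE = {
    "System.txt": "Log Date: 2024-03-14 09:22:41 UTC\nComputer Name: WS-FIN-042\n"
                  "User Name: CORP\\jsmith\nIP: 203.0.113.25\n",
    "Passwords.txt": (
        "URL: https://vpn.example-corp.com/login\nUSER: jsmith@example-corp.com\nPASS: redacted\n\n"
        "URL: https://portal.office.com/\nUSER: jsmith@example-corp.com\nPASS: redacted\n\n"
        "URL: https://shop.example.net/\nUSER: js.home@mail.example\nPASS: redacted\n"
    ),
    # Netscape-style cookie lines: domain, flag, path, secure, expiry (epoch), name, value
    "Cookies/Chrome_Default.txt": (
        ".office.com\tTRUE\t/\tTRUE\t1718000000\tsess_persist\tredacted\n"
        ".example.net\tTRUE\t/\tTRUE\t1700000000\tcart\tredacted\n"
    ),
}
TRIAGE_TIME = datetime(2024, 3, 20, tzinfo=timezone.utc)  # constructed "now" for the analyst

def theft_date(package):
    """#1 When: use the stealer's own log date if present; otherwise None, never a guess."""
    m = re.search(r"Log Date:\s*(\S+ \S+)", package.get("System.txt", ""))
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def affected_domain(package):
    """#2 Who: the e-mail domain that dominates the stored credentials."""
    domains = re.findall(r"USER:\s*\S+@(\S+)", package.get("Passwords.txt", ""))
    return Counter(domains).most_common(1)[0][0] if domains else None

def triage(package=SAMPLE_PACKAGE, now=TRIAGE_TIME):
    """#3 Impact: corporate credentials to reset and unexpired cookies to revoke, plus age."""
    corp = affected_domain(package)
    creds = re.findall(r"URL:\s*(\S+)\nUSER:\s*(\S+)", package.get("Passwords.txt", ""))
    corp_creds = [url for url, user in creds if corp and user.endswith("@" + corp)]
    live_cookies = []
    for line in package.get("Cookies/Chrome_Default.txt", "").splitlines():
        f = line.split("\t")
        if len(f) >= 6 and int(f[4]) > now.timestamp():  # expiry still in the future
            live_cookies.append((f[0], f[5]))
    when = theft_date(package)
    age = (now - when).days if when else None
    fresh = age is not None and age <= 30
    return {"taken_at": when, "age_days": age, "domain": corp,
            "corporate_credentials": corp_creds, "live_cookies": live_cookies,
            "priority": "incident" if fresh or live_cookies else "review"}
```

The 30-day freshness threshold is an arbitrary placeholder; a real playbook would set it from the organisation's own password and session lifetimes.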

Auto-fill Data

Way too many people store data, accidentally or purposely, in their browser or operating system. It's a convenience that both the OS and browser constantly offer to make your life easier. It also gets you into trouble when you lose it. Members get this information in spades, but know that payment info, personal info, saved passwords, form data, addresses, card data, downloads and dozens of other items are stored this way. All of it is taken when an infostealer executes on the system.

Bookmarks

Simpler, but equally dangerous. Think for a moment about the items you bookmark. The general behavior is to use a bookmark to save something for later or to earmark a location you return to regularly. On corporate machines, this tends to focus on key internal or external resources, shining a light on where those exist – and how to access them.

Keys, tokens and similar things

We have to get into things, and those accesses leave behind a trail of active and discarded tokens, keys, and other things we use to get into or stay logged into software, platforms, and systems. A good example here is the session token that keeps you logged into your O365 account for 30, 60 or 90 days.

Access Data

I'm purposefully avoiding calling this "just" passwords and emails here, mainly because that misses the breadth of access information taken. Phone numbers, for example, are a key item taken. These are used in such a myriad of ways that combining a phone number with a password, token or access key means you can open a broad variety of doors. API keys are another, with similar twists on how dangerous they can be. SSH information can open access to a privileged server or data store. Cloud access tokens could take down your entire enterprise.