The rise of the info stealers

Shai Alfasi (Reason Security) & Dana Yosifovich (Reason Security)
Since the outbreak of COVID-19, we’ve seen a wave of social engineering attacks abusing the sensitive situation in order to create infections all over the world. We’re seeing attackers focusing more on info-stealing malware and less on communications malware. In many cases, we waited to see a second stage; however, we instead bumped into hit-and-runs. Frequently, users are left with few to no IOCs, so they never even realize their details have been snatched.

The stealer can come from any dubious source, and because it can constantly change the communication channels it uses to exfiltrate the data, it can evade AV detection. The number of suspicion-arousing actions in these cases is very small, and the attack takes a very short time. The malware author doesn't have to worry about hiding the malware for a long period: it just needs to get through the door undetected and leave.

Take, for example, the famous COVID-19 map infostealer virus that weaponized coronavirus map applications in order to steal credentials such as usernames, passwords, credit card numbers and other sensitive information stored in users’ browsers. Attackers can use this information for many other operations, such as selling it on the deep web or gaining access to bank accounts or social media.

In this presentation, we will talk about the different info stealers that we have seen and the different social engineering campaigns that were very smart and creative. We will demonstrate that today’s attackers are aiming to create malware quickly in order to seize opportunities. We will also focus on how attackers are using different living-off-the-land binaries in order to achieve higher privileges that will allow them to extract more information from the victim machine. We will demonstrate some of the techniques by examining the TroyStealer virus.

Shai Alfasi (Reason Security)

Shai Alfasi has been a security researcher for seven years with experience in reverse engineering x86, malware research, forensics and incident response. He has experience of providing training to corporate clients around the world, and today leads the security research team at ReasonLabs, which develops anti-virus for private clients and SMBs.

Dana Yosifovich (Reason Security)

Dana Yosifovich has been a security researcher for seven years, with experience of defending both big organizations and innocent individuals. She previously worked at the cybersecurity centre of the Israeli Navy and was responsible for its defence, blue team in blood. Now, she investigates malware and fends it off at Reason Security. A huge fan of data and making it work for us.