Stealers are a class of malware designed to gain unauthorized access to users’ information and transfer it to the attacker. The category covers programs that each focus on a particular kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

How to analyze Stealer with ANY.RUN

Top malware of this type

#    Family           Type      Trend changes   Tasks overall
2    WhiteSnake       Stealer   124             161
3    StrelaStealer    Stealer   86              843
4    X-Files          Stealer   131             121
5    RedLine          Stealer   6               41895
6    Stealc           Stealer   23              10677
7    DeerStealer      Stealer   114             260
8    LokiBot          Stealer   16              22077
9    Meduza Stealer   Stealer   106             401
10   MetaStealer      Stealer   47              3100
11   DarkCloud        Stealer   97              546

(Per-family weekly trend sparkline omitted.)

What is stealer malware?

Stealer malware is a type of Trojan designed to steal sensitive information from a victim's computer, including:

• Login credentials for online accounts, such as banking, social media, and email accounts.
• Financial information, such as credit card numbers and bank account numbers.
• Personal information, such as names, addresses, and Social Security numbers.
• Intellectual property, such as trade secrets and customer data.

Stealers are often distributed through phishing email attachments and links, malicious websites, and even infected USB drives.

Stealer malware is a serious threat to businesses and individuals alike. It not only compromises victims’ privacy but also enables threat actors to carry out further harmful activity, such as ransomware attacks or data breaches.


What can a stealer do to a computer?

The core functionality of stealer malware varies by family. However, the most common features include:

• Information theft: Such malware can steal a wide range of sensitive data from an infected computer, including passwords and credit card numbers, email contacts, messaging app data, browser history and cookies.
• File theft: It can also exfiltrate personal and business files from the compromised computer to the attacker’s server.
• Recording keystrokes: Many stealers are able to track the keyboard activity of the victim.
• Taking screenshots: Stealer malware can capture the victim's screen.
• Spreading through network connections: Some types of stealer malware can spread to other computers on the same network.
• Cryptocurrency theft: Stealer malware can be used to get hold of victims’ crypto.
• Dropping other malware: Some stealers have the additional ability to deploy extra payloads on the infected system.

Some stealers are built for a specific purpose. For instance, Laplas Clipper is a form of stealer that exclusively targets cryptocurrency users. It monitors the clipboard to identify cryptocurrency addresses, then replaces them with look-alike addresses under the attacker's control, so the victim unknowingly sends funds straight to the attacker's wallet.
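The clipboard-swapping behaviour described above can be spotted from the defender's side by watching for a wallet address being overwritten, moments after it was copied, with a different address of the same type by a different process. The following is an added example, not code from ANY.RUN or from any of the families named on this page; the event trace, the process names and the assumption that a monitor can record which process set the clipboard (as Windows' GetClipboardOwner reports) are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Simplified wallet-address shapes (format only, no checksum validation).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text):
    """Return 'btc' or 'eth' if text looks like a wallet address, else None."""
    text = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(text):
            return name
    return None

@dataclass
class ClipEvent:
    ts: float      # seconds since the monitor started
    owner: str     # process that set the clipboard (assumed: what GetClipboardOwner would report)
    content: str

def detect_clipper(events, window=2.0):
    """Flag (original, replacement, owner) when a wallet address is overwritten by a
    different address of the same type, by a different process, within `window` seconds.
    A user re-copying a new address from the same application is not flagged."""
    alerts = []
    prev = None
    for ev in events:
        if prev is not None:
            t_prev, t_now = address_type(prev.content), address_type(ev.content)
            if (t_prev is not None and t_prev == t_now
                    and ev.content != prev.content
                    and ev.owner != prev.owner
                    and ev.ts - prev.ts <= window):
                alerts.append((prev.content, ev.content, ev.owner))
        prev = ev
    return alerts

# Constructed clipboard trace (not real data): the user copies a BTC address in the
# browser; 300 ms later an unrelated process overwrites it with a different BTC address.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "chrome.exe", "1ConstructedAddressAAAAAAAAAAAAA"),
    ClipEvent(0.3, "updater.exe", "1AttackerSwappedAddressBBBBBBBBBB"),
    ClipEvent(30.0, "chrome.exe", "0x" + "ab" * 20),    # user copies an ETH address
    ClipEvent(31.0, "chrome.exe", "0x" + "cd" * 20),    # copies another one: benign
    ClipEvent(40.0, "notepad.exe", "meeting notes"),    # plain text: ignored
]

if __name__ == "__main__":
    for original, replacement, owner in detect_clipper(SAMPLE_EVENTS):
        print(f"clipboard swap by {owner}: {original} -> {replacement}")
```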

How do stealers spread?

In the case of stealer malware, phishing emails are the main attack vector employed by threat actors. They create and distribute deceptive emails that aim to trick unsuspecting recipients into taking actions that compromise their digital security. Most of the time, such messages mimic those sent by trusted sources, such as banks or popular online services, making them difficult to identify.

Once the recipient falls for the phishing email and clicks the malicious link or opens the suspicious attachment, a stealer can infiltrate their computer, which can eventually lead to anything from financial loss to identity theft.

Alternatively, criminals often use fake websites advertised through Google Ads, as well as pirated software with built-in malware. Some stealers are also dropped by loaders such as SmokeLoader, a modular malware intended to gain an initial foothold on a compromised system and deliver other payloads, including stealers.

How can a stealer gain access to a computer?

Let’s see how a typical password-stealing malware accesses a system, using a RedLine sample uploaded to the ANY.RUN sandbox for analysis. The infection chain begins with the victim downloading a malicious file, which can be an Office document or an executable (often inside an archive).

Once the user launches the file, an execution process begins that ends with the stealer deployed on the system. The malware then creates a child process that carries out the malicious activity itself. This can involve stealing information from the compromised system, including passwords, and sending the collected data to the attacker's command and control (C2) server. The transmitted information may be encrypted.

Figure: the lifecycle of RedLine demonstrated by ANY.RUN
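The chain just described (document or archive opened by the user, an executable launched from it, a child process that collects data and contacts the C2) is what a process-tree view exposes, and the same shape can be checked automatically over process-creation and network-connection telemetry. The block below is an added example, not ANY.RUN's detection logic; the events, process names and the set of "document-handling" parent applications are constructed assumptions.

```python
from dataclasses import dataclass

# Applications that open email attachments or archives; a stealer chain usually
# starts under one of them. This set is an assumption for the example.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "7zfm.exe", "winrar.exe"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str              # lowercase executable name
    net_conn: bool = False  # process made an outbound connection (Sysmon event 3 equivalent)

def ancestry(procs, pid):
    """Walk parent pointers from pid to the root; returns image names, root first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    chain.reverse()
    return chain

def find_stealer_chains(events, max_hops=2):
    """Return the ancestry of every process that connects out and sits at most
    max_hops below a document-handling parent: doc -> dropped exe [-> child] -> C2."""
    procs = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.net_conn:
            continue
        chain = ancestry(procs, e.pid)
        # chain[-1] is the connecting process; look 1..max_hops levels above it
        for hops in range(1, max_hops + 1):
            idx = len(chain) - 1 - hops
            if idx >= 0 and chain[idx] in DOCUMENT_PARENTS:
                hits.append(chain)
                break
    return hits

# Constructed process-tree events (not from a real sandbox run).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "winword.exe"),                        # victim opens the document
    ProcEvent(300, 200, "invoice_viewer.exe"),                 # executable launched from it
    ProcEvent(400, 300, "invoice_viewer.exe", net_conn=True),  # child collects data, talks to C2
    ProcEvent(500, 100, "chrome.exe", net_conn=True),          # benign browser connection
    ProcEvent(600, 200, "splwow64.exe"),                       # benign Office helper, no network
]

if __name__ == "__main__":
    for chain in find_stealer_chains(SAMPLE_EVENTS):
        print("suspicious chain: " + " -> ".join(chain))
```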

What are examples of the most persistent stealers today?

The threat landscape is constantly shifting, and stealers that are popular today may disappear completely tomorrow. To stay updated on the latest developments in malware and collect new IOCs and samples, use ANY.RUN’s Malware Trends Tracker.

These are the most persistent stealers according to the service:

• RedLine: This stealer poses a significant threat to users by collecting their private information and delivering additional damaging programs. It is a versatile malware that can pull data from browsers and other applications.
• FormBook: An infostealer offered as a service to practically anyone interested in obtaining password-stealing malware. FormBook is designed to extract different types of information from compromised systems. Additionally, it can search for, access, and manipulate files, as well as capture screenshots.
• Arkei: Another stealer sold as Malware-as-a-Service that, once installed, can pull browser autofill forms, login credentials and passwords, files, and cryptocurrency wallets from the infected machine.
• Agent Tesla: Spyware that discreetly gathers data on its targets by capturing keystrokes and monitoring user interactions. It is deceptively promoted as legitimate software. See how an Agent Tesla infection takes place and collect IOCs using its sample uploaded to ANY.RUN.

Figure: Agent Tesla’s process tree demonstrated by ANY.RUN

How can I detect a stealer?

Stealers are an extremely widespread type of malware that is often challenging to detect because of its evasive behavior. On top of that, due to lax security policies, many organizations fall victim to phishing campaigns that expose their information to attackers.

To prevent infection, organizations have to maintain a strong security posture, including by using sandboxing solutions. By uploading a suspicious file or URL to the ANY.RUN malware sandbox, you can quickly determine whether it poses a threat, and receive a stealer malware intelligence report containing IOCs and other information needed for future detection.

ANY.RUN lets users interact with files, links, and the infected system in a safe VM environment as they would on a normal computer, which allows for comprehensive analysis.


HAVE A LOOK AT

DeerStealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.

MetaStealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Meduza Stealer
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.

StrelaStealer
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.

RedLine
RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

DarkCloud
DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.