Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data.

Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The stolen information is then exfiltrated to the attacker’s command-and-control (C2) server for further exploitation.

Information stealer malware has flourished on underground criminal networks. With extortion currently thriving, info stealer malware is also on the rise. Plus, info stealer services for financial fraud attacks are available on the dark web for as little as $200 per month.

Though this type of malware has been around in some form for over two decades, the ZeuS trojan stands out as one of the most influential info stealers of that period. Let’s take a look at the history of info stealers, and how this type of threat impacted cybersecurity then and now.

What was the first info stealer?

One of the earliest known examples of a successful information stealer attack was the Melissa virus in 1999. One of the first highly successful email worms, Melissa spread rapidly through the use of infected Microsoft Word macros. The worm arrived in the form of an email with an attached document named “list.doc.”

When the recipient opened the attachment, the worm infected the victim’s computer and continued to spread. It replicated itself by sending infected emails to the first 50 contacts in the victim’s Microsoft Outlook address book. Experts categorize Melissa as an info stealer because, in addition to its worm-like behavior, it also accessed the victim’s email address book and harvested email addresses.

Harvesting information from the infected computer is a hallmark of info stealer malware. However, it’s worth noting that Melissa was primarily a self-replicating worm. The information-stealing capability was a secondary feature. Threat actors design more recent info stealer malware with the primary purpose of stealing sensitive information, often with the goal of committing financial fraud or extortion.

The ZeuS Trojan info stealer

While Melissa was the first email worm, ZeuS was the first true information stealer: malware built with the specific intent of harvesting data. First discovered in 2007, the ZeuS trojan became one of the most prevalent information stealers ever.

The main objective of the malware was to steal online banking credentials. ZeuS used a variety of techniques — including keylogging and form grabbing — to steal sensitive information from infected computers. Malicious actors then used that stolen information to perform unauthorized transfers from the victims’ bank accounts to the attacker’s accounts.

The malware could identify when a user visited specific websites, particularly those related to banking, and record the keystrokes entered during login. ZeuS also affected mobile devices running Android, Symbian and BlackBerry. It is known for being the first malware to steal Mobile Transaction Authentication Numbers (mTANs), a type of two-factor authentication used by banks during transactions. These mTANs are typically unique, 6-digit numbers sent via SMS.

ZeuS had various methods for stealing sensitive information. These included capturing keystrokes, collecting data entered into web forms, taking screenshots when the mouse was clicked and executing man-in-the-browser (MiTB) attacks. MiTB attacks manipulate web forms inside the victim’s browser so that a legitimate page appears to request additional personal information, such as social security numbers or bank PINs.
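As an added illustration of the defensive side of the web-inject problem described above (this is example code, not from the original article or any bank’s implementation): a form-integrity audit a site could run in the browser to notice inputs that were not part of the genuine login form and to rank the unexpected ones by how sensitive the data they request appears to be. The expected field names, the sensitive-name patterns and the sample form are all constructed for the example; `collectFields` shows how the descriptors would be gathered from a real DOM form.

```javascript
// Fields the genuine login form is known to contain (constructed example).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Heuristic patterns for data a web inject typically asks for (constructed).
const SENSITIVE_PATTERNS = [/ssn|social/i, /\bpin\b/i, /cvv|cvc|card/i, /mtan|\botp\b/i];

// Compare the fields actually present against the expected set.
// Returns injected (unexpected) fields with a severity, plus any expected
// fields that are missing, which can also indicate tampering.
function auditFormFields(fields, expected = EXPECTED_LOGIN_FIELDS) {
  const seen = new Set();
  const injected = [];
  for (const f of fields) {
    seen.add(f.name);
    if (expected.has(f.name)) continue;
    const text = `${f.name} ${f.label || ""}`;
    const sensitive = SENSITIVE_PATTERNS.some((re) => re.test(text));
    injected.push({ name: f.name, type: f.type, severity: sensitive ? "high" : "medium" });
  }
  const missing = [...expected].filter((n) => !seen.has(n));
  return { ok: injected.length === 0 && missing.length === 0, injected, missing };
}

// Browser-only helper: turn a <form> element into plain field descriptors.
// Not called here so the module stays runnable outside a browser.
function collectFields(form) {
  return [...form.querySelectorAll("input, select, textarea")].map((el) => ({
    name: el.name,
    type: el.type,
    label: el.labels && el.labels[0] ? el.labels[0].textContent.trim() : "",
  }));
}

// Constructed sample: the genuine three fields plus two inputs a web inject added.
const SAMPLE_FIELDS = [
  { name: "username", type: "text", label: "User ID" },
  { name: "password", type: "password", label: "Password" },
  { name: "csrf_token", type: "hidden", label: "" },
  { name: "ssn", type: "text", label: "Social Security Number" },
  { name: "atm_pin", type: "password", label: "ATM PIN" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditFormFields(SAMPLE_FIELDS), null, 2));
}
```

In practice the audit result would be reported to the bank’s fraud-detection backend rather than only logged, and the expected field set would be generated from the server-rendered template so it cannot drift from the real form.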

ZeuS marked a significant turning point in the evolution of info stealers and demonstrated their growing sophistication. Since then, numerous other information stealers have been discovered, including SpyEye, Citadel and Emotet, which continue to be used for financial fraud on a massive scale.

Other famous info stealers

Information stealers typically spread through phishing emails, malicious links, attachments, infected software downloads or unpatched software vulnerabilities. Attackers use them for various malicious purposes, such as identity theft, financial fraud or the sale of sensitive information on the black market.

Other significant information stealer incidents since the emergence of Melissa and ZeuS include:

  1. SpyEye: A banking Trojan active between 2009 and 2012. It stole victims’ personal and financial information through web injects, keystroke loggers and credit card grabbers. The stolen data was then transmitted to the criminals’ C2 servers and used to commit fraud.
  2. Conficker: A worm that spread rapidly across computer networks starting in 2008 and exfiltrated sensitive information, including login credentials and personal information. Conficker reportedly infected 10 million computers.
  3. CryptoLocker: A ransomware variant from 2013 that encrypted files on a victim’s computer and demanded payment in exchange for the decryption key.
  4. GameOver Zeus: A variant of ZeuS that malicious actors used to steal banking credentials and to distribute other types of malware, including ransomware.
  5. Emotet: A banking Trojan detected in 2014 used in numerous large-scale attacks aimed at stealing financial information from individuals and businesses. The U.S. Department of Homeland Security estimates the cost of Emotet cleanup is around one million U.S. dollars per incident.

The impact of ZeuS and info stealers on cybersecurity

The rise of information stealers has shifted the focus of cybersecurity efforts toward protecting against data theft rather than only blocking malware infections. This resulted in the widespread adoption of strong authentication methods, such as two-factor authentication, and increased investment in security technologies, such as intrusion detection systems.

Information stealers have also increased the focus on building secure payment systems. Banks have since deployed stronger online security measures, such as enhanced fraud detection capabilities and improved encryption.

How to thwart info stealer attacks

Some of the common steps that companies took to defend against ZeuS malware included:

  1. Installing anti-virus software: Companies installed and regularly updated anti-virus software to detect and prevent the spread of ZeuS.
  2. Implementing firewalls: Effective firewalls blocked unauthorized access to their computer networks to prevent ZeuS infection.
  3. Using application whitelisting: Application whitelisting allowed only approved applications to run on their computers, helping to prevent the execution of malicious software.
  4. Updating software regularly: Companies kept all software, including operating systems and applications, up to date to prevent ZeuS and other malicious software from exploiting vulnerabilities in outdated software.
  5. User education: Organizations educated users about the dangers of malware and how to avoid falling victim to this type of attack. This included training users to be cautious when opening attachments from unknown sources and to avoid public Wi-Fi networks.
  6. Network segmentation: Segregating sensitive information and systems from the rest of their networks helped prevent malware from accessing sensitive information.
  7. Two-factor authentication: Companies implemented two-factor authentication to add an extra layer of security to online accounts and to prevent ZeuS from accessing sensitive information, even if it had stolen login credentials.
  8. Deploying intrusion detection systems: Intrusion detection systems monitored their networks for signs of ZeuS and other malicious activity.

Beyond ZeuS

According to Malwarebytes, the ZeuS source code was leaked in 2011, and cyber criminals began creating new ZeuS-based information stealers. Citadel, GameOver, Panda Banker, Terdot, Floki and Sphinx are some of the known ZeuS variants to date. As info stealers continue to inhabit the threat landscape, robust anti-stealer security is imperative.
