IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they have been known to steal information from chatting programs including Telegram and Discord. Some of the more popular info stealers in the wild include Redline, Raccoon, and Vidar.

The obvious threat is users’ credentials, which are often reused on different sites and, when compromised, can be utilized to either blackmail the victim or be sold on the dark web for other purposes. But the bigger threat is their ability to evade anti-virus (AV) solutions and even endpoint detection and response (EDR) platforms. This is an issue because such a false negative may not be detected unless it’s specifically hunted for.

IBM’s ATDR team has been on the leading edge of identifying these and has documented, for the community, the behaviors and indicators that can be used to hunt for them and/or develop custom detections to fill the gap security tools may have.

How do info stealers work?

IBM has observed these info stealers evolve over time but there are some specific tactics, techniques, and procedures (TTPs) to hunt for.

Initial download

These info stealers usually come in the form of a Trojan. Users download a compressed file (.zip or .rar) either from a filesharing site such as Discord, Telegram, or MediaFire or from a phishing email, in the hope of downloading a legitimate piece of software. Alternatively, these files are known to be downloaded while users are trying to obtain some form of “cracked” software.

User execution

When the user decompresses and opens the folder, we often see some sort of executable that is the malicious payload. Many times, this process contains “setup” in the filename. The thought is that these executables bypass AV because they are larger files, which often do not get scanned by AV as it would take too many resources and slow down the system. Attackers pad the file to increase its size so that it will not be scanned (more on obfuscated files here).

File behavior

Once executed, multiple things occur. We initially see this executable reach out and establish a C2 connection. From there, we see it drop multiple DLLs. In most cases at least 6 get dropped:

  • sqlite3.dll
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • vcruntime140.dll

These DLLs by themselves are legitimate and native to Windows, but in this case the info stealer is utilizing them for its execution. From here we see the malware access sensitive directory locations that store web information. Here are some of the directories accessed:

Microsoft Edge

*\AppData\Local\Microsoft\Edge\User Data

Google Chrome

*\AppData\Local\Google\Chrome\User Data

Earlier in 2022, this malware would show more obvious signs of infection and we would see the malware execute commands such as:

Command: /c copy /Y "FilePath of web info" "FilePath where to copy the information to" (usually in the temp folder)

Data exfiltration

In some cases, we will see an obvious sign of data exfiltration. A file would be created in the Temp directory, and all the information needed is then copied into said file, immediately compressed, and then exfiltrated via the pre-existing C2 connection. In some cases, this is not as obvious based on available EDR telemetry.

Malware deletion

In many cases, we’re seeing the malware delete itself once the attack is complete. This works as a defense evasion technique: even if the hash is known, AV solutions will not detect this malware during a regularly scheduled scan since the file has already been deleted.

Detections and prevention techniques

Other than following best practices while surfing the internet, from a security perspective, how can we detect or stop this? As mentioned, info stealers have been known to evade AV and EDR, but there are some ways that we can detect and prevent this. Some of these will be higher fidelity than others, but your organization can try to detect these at different stages of the attack.

Initial download

Review your organization’s need for different filesharing sites. Is there a business need to allow users to access and download files from Discord, MediaFire, and Telegram? If not, blocking access to these sites or preventing downloads will help to reduce the vectors of attack. If that is not easy to do, one way to help detect this would be to hunt for the filenames and/or download history from these sites. Look for compressed file downloads with unusual file names that contain two or more of the following:

  • Setup
  • Latest
  • Pass
  • Password
  • Passw0rd
  • Main
  • Full
  • Download
  • Open

Many of these files are password protected, and the password (usually ‘1234’) is typically included in the filename. Look for these downloads from a filesharing site or abnormal sites. This approach may not be as fruitful long-term since you’re detecting on the initial download, not the point of compromise, especially if no user action is taken to open these files.
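The filename heuristic above, as an added example that is not part of the original post: it scores download records (file name plus source URL) for archive extension, two or more of the listed keywords, the ‘1234’ password hint, and a filesharing origin. The record shape and the filesharing host names are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlparse

# Filename tokens the post lists; matched case-insensitively as whole tokens.
SUSPECT_TOKENS = ("setup", "latest", "pass", "password", "passw0rd",
                  "main", "full", "download", "open")
ARCHIVE_EXTS = (".zip", ".rar")
# Host names for the filesharing services named in the post (assumed; extend per environment).
FILESHARE_HOSTS = ("discord.com", "discordapp.com", "mediafire.com", "t.me", "telegram.org")

def score_download(filename, source_url):
    """Return the indicators matched by one download record (file name + origin URL)."""
    name = filename.lower()
    stem = re.sub(r"\.(zip|rar)$", "", name)
    # Split on separators so "setup_full_1234" yields the tokens setup, full, 1234.
    tokens = set(re.split(r"[\s_\-.()\[\]]+", stem))
    # Count distinct list entries as whole tokens ("password" does not also count as "pass").
    hits = sorted(t for t in SUSPECT_TOKENS if t in tokens)
    host = (urlparse(source_url).hostname or "").lower()
    return {
        "archive": name.endswith(ARCHIVE_EXTS),
        "keywords": hits,
        "password_in_name": "1234" in name,
        "filesharing": any(host == h or host.endswith("." + h) for h in FILESHARE_HOSTS),
    }

def is_suspicious(filename, source_url):
    """Archive with two or more keywords, or a '1234'-named archive from a filesharing site."""
    s = score_download(filename, source_url)
    return s["archive"] and (len(s["keywords"]) >= 2
                             or (s["password_in_name"] and s["filesharing"]))

# Constructed download records (file name, URL); not real telemetry.
CONSTRUCTED_DOWNLOADS = [
    ("Setup_Latest_Full_1234.rar", "https://cdn.discordapp.com/attachments/1/2/Setup_Latest_Full_1234.rar"),
    ("Photoshop_Password_1234.zip", "https://www.mediafire.com/file/abc/Photoshop_Password_1234.zip"),
    ("quarterly-report.zip", "https://intranet.example.com/files/quarterly-report.zip"),
    ("setup.exe", "https://download.example.com/setup.exe"),
]

def flag_downloads(records=CONSTRUCTED_DOWNLOADS):
    """Names of the records the heuristic would surface for review."""
    return [name for name, url in records if is_suspicious(name, url)]

if __name__ == "__main__":
    for name in flag_downloads():
        print("review:", name, score_download(name, dict(CONSTRUCTED_DOWNLOADS)[name]))
```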

User execution

Detecting the initial execution of this file may be tricky and not as reliable. One possibility is to look for an executable that contains the name “setup” being initiated by one of the compression tools like 7zip or WinRAR. Setup.exe is one of the common executables that gets launched from these compressed files upon execution.

File behavior

Detecting on file behavior will be the highest-fidelity way to detect compromise. Look for an executable that creates 6 or more of the DLLs shown above within a second or so. Alternatively, detect an unsigned executable that establishes a network connection followed by the creation of these DLLs. Many of the file paths that the malware inspects are static, so one can hunt for abnormal processes accessing those file locations. In more recent observations, we’ve seen malware utilizing Telegram as its C2 method. Look for non-browser executables establishing multiple connections to Telegram (t[.]me).
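The two file-behavior rules above, as an added example that is not from the original post: a sliding one-second window counts distinct DLLs from the list created by one process, and a second check looks for an unsigned image that connected out before the burst. The event schema (timestamp, pid, kind, target, signed flag) is an assumption about what an EDR exports, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# DLLs listed in the post; a burst of these from one process is the high-fidelity signal.
STEALER_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
                "nss3.dll", "softokn3.dll", "vcruntime140.dll"}
DLL_THRESHOLD = 6     # "6 or more of the DLLs shown above"
WINDOW_SECONDS = 1.0  # "within a second or so"

@dataclass
class Event:              # one EDR telemetry record (assumed schema)
    ts: float             # seconds since epoch
    pid: int
    kind: str             # "file_create" or "net_connect"
    target: str           # created file path, or remote endpoint
    signed: bool = True   # signature status of the process image as the EDR reports it

def suspicious_pids(events):
    """Return {pid: reasons} for the two file-behavior patterns described in the post."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    findings = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        created = [(e.ts, e.target.lower().rsplit("\\", 1)[-1]) for e in evs if e.kind == "file_create"]
        drops = [(t, n) for t, n in created if n in STEALER_DLLS]
        # Sliding window: from each drop, count distinct stealer DLLs within WINDOW_SECONDS.
        burst = any(len({n for t, n in drops[i:] if t - t0 <= WINDOW_SECONDS}) >= DLL_THRESHOLD
                    for i, (t0, _) in enumerate(drops))
        if not burst:
            continue
        reasons = ["dll_burst"]
        first_net = next((e.ts for e in evs if e.kind == "net_connect"), None)
        if first_net is not None and first_net < drops[0][0] and any(not e.signed for e in evs):
            reasons.append("unsigned_connect_before_drop")
        findings[pid] = reasons
    return findings

def make_events(base=1_700_000_000.0):
    """Constructed sample: unsigned pid 4242 connects out, then drops all 7 DLLs within 0.3 s;
    signed pid 5151 (a browser installer) writes the same DLLs 3 s apart."""
    evs = [Event(base, 4242, "net_connect", "203.0.113.10:443", signed=False)]
    for i, dll in enumerate(sorted(STEALER_DLLS)):
        evs.append(Event(base + 0.5 + i * 0.05, 4242, "file_create",
                         r"C:\Users\u\AppData\Local\Temp\%s" % dll, signed=False))
        evs.append(Event(base + 10 + i * 3.0, 5151, "file_create",
                         r"C:\Program Files\Mozilla Firefox\%s" % dll))
    return evs
```

The slow, signed installer in the sample is there to show that the time window, not the DLL names alone, is what separates a stealer from a legitimate browser setup.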

Data exfiltration

A higher-confidence method of detection is the data exfiltration activity or establishment of the C2. For example, check for network connections from processes that we wouldn’t expect this behavior from. Of course, knowing the ‘normal’ in your organization will help with understanding what shouldn’t be doing this. Look for native executables or downloaded executables that should not be doing this.

To give some specific examples, hunt for ‘installutil.exe’, ‘Applaunch.exe’ or ‘vbc.exe’ establishing a remote connection. This is not normal for these programs; determine what launched these applications before the network connection to get some insight.

Malware deletion

We can detect the deletion command, as we have seen some consistency in the command utilized. This may not be as effective since we would alert after the malware has fully executed, but it helps to identify this malware in your environment. We see cmd.exe get launched and a command run with similar parameters:

Command: "cmd.exe" /c timeout /t 6 & del /f /q "FilePathToMalware" & exit

Flag explanations:

  • /c – carry out the command and then terminate
  • timeout – pause command execution
  • /t 6 – timeout parameter, 6 seconds
  • del – delete
  • /q – quiet mode
  • /f – force delete

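A parser for the self-deletion command line above, as an added example that is not from the original post: the regex captures the timeout value, the del flags and the deleted path so that an alert can note whether the file being deleted is the very process that spawned cmd.exe. The (parent image, command line) record shape is an assumption, and the sample records are constructed.

```python
import re

# Matches the self-deletion one-liner shown above:
#   "cmd.exe" /c timeout /t 6 & del /f /q "FilePathToMalware" & exit
# The timeout value, del flags and path are captured so alerts can be triaged.
SELF_DELETE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+(?P<secs>\d+)\s*&\s*'
    r'del\s+(?P<flags>(?:/[fq]\s+)*)"?(?P<path>[^"&]+?)"?\s*&\s*exit',
    re.IGNORECASE,
)

def parse_self_delete(cmdline):
    """Return (timeout seconds, deleted path, set of del flags), or None if no match."""
    m = SELF_DELETE.search(cmdline)
    if not m:
        return None
    flags = set(m.group("flags").lower().split())
    return int(m.group("secs")), m.group("path").strip(), flags

def self_delete_hits(process_events):
    """Given (parent image, cmd.exe command line) pairs, return alerts worth triaging."""
    alerts = []
    for parent, cmdline in process_events:
        parsed = parse_self_delete(cmdline)
        if parsed is None:
            continue
        secs, path, flags = parsed
        alerts.append({
            "parent": parent,
            "deleted": path,
            "timeout": secs,
            # Strongest signal: the file being deleted is the process that spawned cmd.exe.
            "deletes_parent": path.lower() == parent.lower(),
            "quiet_force": {"/f", "/q"} <= flags,
        })
    return alerts

# Constructed process-creation records (parent image, command line); not real telemetry.
CONSTRUCTED_PROCESSES = [
    (r"C:\Users\u\Downloads\Setup\setup.exe",
     r'"cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\u\Downloads\Setup\setup.exe" & exit'),
    (r"C:\Program Files\Updater\updater.exe",
     r'cmd.exe /c timeout /t 6 & del /f /q "C:\Program Files\Updater\old.tmp" & exit'),
    (r"C:\Windows\explorer.exe", r'"cmd.exe" /c dir C:\Temp'),
]
```

The second constructed record matches the command shape but deletes a temp file rather than its own parent, which is the kind of benign updater activity the deletes_parent field is meant to separate out.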
Info stealers in general are not a new type of malware, but recently there has been an uptick in how often they are being utilized. Because of this, we see attacker TTPs changing rapidly to keep from being detected. Some of these have the capability of evading EDR and AV solutions, which makes hunting for these false negatives all the more important. Many of the more common, yet effective, credential stealers are being utilized, including Redline, Raccoon, and Vidar.

Infection chain (diagram not reproduced here)

IOCs (the compressed files; hash list not reproduced here)