A Guide to Mitigating Infostealer Malware

History doesn’t repeat itself, but it rhymes. Infostealers, a form of malware that’s nearly as old as the internet itself, have recently emerged — or rather re-emerged — as a risk to enterprises. As a recent report from security firm Recorded Future put it, “infostealers dominated the malware landscape” in the first half of 2024, while a writer for Darkreading notes that almost a third of ransomware events were preceded by infostealer infiltrations.

So what do cyber insurance brokers and their clients need to know about this form of malware? First, let's look at the basics.

What is infostealer malware?

An infostealer is a type of malicious software designed with the primary goal of extracting valuable information from compromised systems. They can discreetly infiltrate computers, operating in the background without arousing suspicion, with the primary goal of extracting valuable information from compromised systems. They can target a range of data, including login credentials, financial information, personal identities and intellectual property. The harvested information is collected by attackers and often sold to other threat actors who will use the data to conduct additional attacks.

How Infostealers Work

There’s no one way that an infostealer works — which is one of the reasons they are difficult to uncover and defend against. (A recent story showed how even a top cyber security training company can be a victim, with a near-miss involving a threat actor’s efforts to install an infostealer on their systems.) Once an infostealer gains initial access to a device or system, often via an attachment to a phishing email or corrupt link, the malware can go about its business in several ways:

Keylogging

Infostealers can log keystrokes to capture sensitive information such as passwords, credit card details, and other credentials entered by the user.

Form Grabbing

This technique involves intercepting data submitted through web forms, including online banking or e-commerce check-out pages.

Credential Theft

Infostealers can target stored login credentials saved in web browsers, email clients, or other applications, gaining access to user accounts.

Session Hijacking

By stealing session cookies from the browser, some infostealers enable attackers to bypass multi-factor authentication, using the same session cookie to impersonate a user.

Screen Capture

Infostealers may take screenshots at regular intervals or upon specific triggers, providing attackers with a visual record of the victim's activities.

When (Basic) MFA isn’t enough

Armed with usernames, passwords, or authentication cookies harvested from an infostealer’s efforts, threat actors can bypass traditional security measures such as multi-factor authentication (MFA) and gain unauthorized access to critical systems.

The risk is particularly concerning when these stolen credentials are used to access cloud environments or corporate VPNs. Once inside, attackers can move laterally across the network, exfiltrating data, launching ransomware attacks, or carrying out espionage. The stolen data may also be sold on dark web marketplaces, further fueling the cybercriminal ecosystem. 

It’s important to note that properly implemented MFA systems — especially those with additional layers of security like time-sensitive codes or biometric factors — still provide a strong defense, even against an attacker with a bevy of sensitive data. Weaker MFA implementations, like those that rely on session tokens or SMS, are most likely to be exploited.

The BYD Dilemma: Personal Devices as a Corporate Weak Point

A contributing factor in the recent emergence of infostealers is the now frequent, casual use of personal devices for professional purposes. In today’s hybrid work environments, it is not uncommon for employees to access their work emails or other corporate resources from their home computers or smartphones, opening a door to cybercriminals who target these less-protected devices.

A common scenario involves users unknowingly installing pirated software laced with infostealers on their personal devices, the kind of suspicious software would have been easily flagged or rejected by corporate network security. They can also come from malicious websites, phishing emails, drive-by downloads, or infected attachments. In some cases, family members, such as children, install risky programs, exposing the entire system to infostealers. This then becomes an enterprise-level issue when company assets are accessed via that personal device. What starts as a personal security risk quickly evolves into a corporate cybersecurity threat when these credentials are used to breach company networks.

Strengthening the Defense Against Infostealers

Because infostealers offer threat actors flexibility in the techniques deployed and the type of attacks that can ensue, to effectively defend against them businesses need to take a proactive and comprehensive approach to cybersecurity. Here are the key steps to strengthen defenses:

Monitor Endpoints with EDR Solutions

Deploy Endpoint Detection and Response (EDR) tools can monitor corporate devices for signs of malware, such as infostealers, and block them.

Implement strong Multi-Factor Authentication (MFA)

Require MFA for all access to corporate systems, especially for remote work environments.

• This adds an extra layer of protection even if credentials are stolen, though MFA should be implemented with an authenticator app or a hardware token, rather than relying on SMS or email alone.

Email Security

Use a reliable email security provider to block any malicious email attachments that might contain infostealer malware.

The Path Forward and (Slight) Silver Lining

Extra vigilance is required in a world where, thanks to infostealers, many threat actors have enough data at their disposal to successfully unlock critical systems, even ones that are protected with what were once gold-standard security measures. But the silver lining, if only a slight one, is that infostealer activity can be detected, as we saw in the case mentioned earlier of the security awareness company that had a near-miss. Any detected infostealer activity should be taken as a signal to immediately remediate by resetting credentials; quick action can potentially prevent an incursion from even getting to the point of a ransom being demanded. Following the steps above to prevent a successful infostealer attack, and rapid response in the event of a detected incursion, should be priorities for any organization concerned with preventing ransomware today.

This post is intended for general guidance and informational purposes only. This post is under no circumstances intended to be used or considered as specific insurance or information security advice. This post is not to be considered an objective or independent explanation of the matters contained herein. The use of any services and the implementation of any product or practices referenced in this post is at the customer’s sole discretion. Corvus. disclaims all warranties, express or implied.