
teissTalk: Silent Swipers - unmasking info-stealers in today's threat landscape

On 22 January 2026, teissTalk host Thom Langford was joined by Jim Walter, Senior Threat Researcher, SentinelOne; Brett Taylor, SE Director UK&I, SentinelOne; and Satyam Rastogi, Director of Information Security & DevOps, BAMKO.


Views on news


The recently discovered cloud-focused VoidLink malware framework is believed to have been developed by a single person with the help of an artificial intelligence model. Check Point Research published details about VoidLink last week, describing it as an advanced Linux malware framework that offers custom loaders, implants, rootkit modules for evasion, and dozens of plugins that expand its functionality. The researchers highlighted the framework’s sophistication, assessing that it was likely the product of Chinese developers "with strong proficiency across multiple programming languages." This looks like a natural progression from attacks enhanced by AI to attacks generated by it. It is an example of piecemeal malware generation, in which code writing is spread across a series of prompts and tasks so that guardrails can be bypassed. At the current stage of development, AI-generated and human-written code can still be told apart, but as the attackers’ tooling evolves it will become much harder to distinguish them. AI can speed up the process of writing code, but for now it cannot make the code itself more effective or dangerous; what it adds is scale and reach. The infrastructure for generating malware can now also be bought and sold on the dark web. AI can also handle iterations of the malware, as well as A/B testing, and criminals marry AI with automation.


Infostealers


Infostealers have been around for a long time, looking for text files with passwords or credit-card information in RAM. Today they are much faster and look for a far wider array of information: anything that can help an attacker advance their movement in a targeted environment, such as crypto-wallet or clipboard data, session keys, active browser cookies, and the tokens used to bypass MFA. These criminals leverage not only genAI and agentic AI but also automation – often end-to-end – via platforms like Discord and Telegram.


Infostealing is now the backbone of all the different types of attack, from ransomware to supply-chain attacks to the Kaseya and Snowflake attacks. The scope of high-value targets has also changed: it used to be crypto wallets and bank accounts; now it is SSO providers like Okta and Azure AD, from which session tokens are stolen and then replayed in the criminal’s browser. Logs bought from infostealers can also be customised by hackers. Cyber defence falls into three buckets: zero trust and identity governance; endpoint and browser hardening; and proactive log monitoring. Token validity must be reduced from weeks to hours for better protection. There is also device binding, i.e. implementing hardware-backed authentication such as keys that tie a session to a specific device. Eliminating local admin strengthens defences too, as infostealers rely on it heavily to access information. Where a workflow requires a longer session, it can be run in a VDI environment. Meanwhile, log monitoring services will reveal immediately when the corporate domain appears in stealer logs. Together these measures make security more proactive, so that infostealing can be detected before the data is sold on to access brokers.


Once your information has been stolen, wiping the device in itself does not help, because by then your data is out in an entire ecosystem of servers. First, you must invalidate all active sessions by forcing a global sign-out; then reset all stored credentials; finally, go to DEFCON 1 and audit for persistence. In a BYOD or home-office setting, an infection on a gaming laptop can harvest corporate session tokens, through which the attacker can reach the corporate cloud environment without even touching the VPN. The most effective place to stop an infostealer is on execution, when it lands on the surface.
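As an added illustration of the log monitoring and response steps described above (not code from the teissTalk panel or this page): a Python script that scans constructed stealer-log lines for an assumed corporate domain and SSO hosts, then orders the three response steps. The log layout, domain names and accounts are all assumptions.

```python
# Added example (not from the teissTalk page): scan constructed stealer-log lines for a
# corporate domain and order the panel's three response steps. Domains/accounts are assumed.
from urllib.parse import urlparse

CORP_DOMAIN = "example-corp.com"  # assumed corporate domain
SSO_HOSTS = {"example-corp.okta.com", "login.microsoftonline.com"}  # assumed SSO endpoints

# Constructed sample in an assumed URL|username|secret layout.
SAMPLE_LOG = """\
https://mail.google.com/|alice@gmail.com|hunter2
https://example-corp.okta.com/login|alice@example-corp.com|Winter2025!
https://login.microsoftonline.com/|bob@example-corp.com|<session cookie>
https://shop.example.net/account|bob@example-corp.com|Summer2024
https://intranet.example-corp.com/|carol|P@ssw0rd
"""

def parse_stealer_log(text):
    """Split each well-formed line into host, username and captured secret."""
    entries = []
    for line in text.splitlines():
        if line.count("|") < 2:
            continue  # skip headers or truncated lines
        url, user, secret = line.split("|", 2)
        entries.append({"host": urlparse(url).netloc.lower(), "user": user.strip(), "secret": secret})
    return entries

def corporate_hits(entries, corp_domain=CORP_DOMAIN, sso_hosts=SSO_HOSTS):
    """Flag entries that expose the company: an SSO login (replayable session), an internal host, or a corporate e-mail reused elsewhere."""
    hits = []
    for e in entries:
        on_sso = e["host"] in sso_hosts
        internal = e["host"] == corp_domain or e["host"].endswith("." + corp_domain)
        corp_user = e["user"].lower().endswith("@" + corp_domain)
        if on_sso or internal or corp_user:
            kind = "sso-session" if on_sso else "internal-host" if internal else "reused-credential"
            hits.append({**e, "kind": kind})
    return hits

def response_plan(hits):
    """Global sign-out first, then credential resets, then a persistence audit of each user's device; SSO hits lead because a replayed token bypasses MFA."""
    rank = {"sso-session": 0, "internal-host": 1, "reused-credential": 2}
    users = []
    for h in sorted(hits, key=lambda h: (rank[h["kind"]], h["user"])):
        if h["user"] not in users:
            users.append(h["user"])
    return {
        "1_force_global_signout": users,
        "2_reset_credentials": sorted({(h["user"], h["host"]) for h in hits}),
        "3_audit_persistence": users,
    }
```

Feeding `SAMPLE_LOG` through `response_plan(corporate_hits(parse_stealer_log(...)))` yields three ordered steps, with the two SSO-session accounts listed ahead of the internal-host and reused-credential hits.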


The panel’s advice

  • Infostealers are now trying to steal the hallway, as the hallway door is already open.
  • The information that data stealers are after today includes session and I&A data.
  • Security always impacts the user experience and must be a risk-based decision.
  • Educating users on good user hygiene and raising their awareness of phishing can go a long way.
  • To strengthen your defences, make sure that everything you have is zero-trusted and have your browser activities monitored along the entire session lifecycle.
  • Don’t make passwords predictable and patterned.
  • Treat the browser profile as sacrosanct – don’t download extensions to it ever. Don’t share that profile with any other device. 

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543