IBM's Advanced Threat Detection and Response Team (ATDR) has seen an increase over the past year in the malware family known as information stealers in the wild. Info stealers are malware capable of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain sensitive information or credentials, including web and login data from Chrome, Firefox and Microsoft Edge. In other instances, they have been known to steal information from chat programs such as Telegram and Discord. Some of the more popular info stealers in the wild include Redline, Raccoon and Vidar.

The obvious threat is to users' credentials, which are often reused on different sites and, when compromised, can be used either to blackmail the victim or to be sold on the dark web for other purposes. But the bigger threat is their ability to evade anti-virus (AV) solutions and even endpoint detection and response (EDR) platforms. This is an issue because such a false negative may go undetected unless it is specifically hunted for.

IBM's ATDR team has been on the leading edge of identifying these and has documented, for the community, the behaviors and indicators that can be used to hunt for them and/or to develop custom detections that fill the gap security tools may have here.

How Do Info Stealers Work?

IBM has observed these info stealers evolve over time, but there are some specific tactics, techniques and procedures (TTPs) to hunt for.

Initial Download

These info stealers usually arrive as a Trojan. Users download a compressed file (.zip or .rar), either from a file-sharing site such as Discord, Telegram or MediaFire or from a phishing email, hoping to obtain a legitimate piece of software. Alternatively, these files are known to be downloaded while users are looking for some form of "cracked" software.

User Execution

When the user decompresses and opens the folder, we often see some sort of executable that is the malicious payload; many times the filename contains "setup". The thinking is that these executables bypass AV because they are large files, which AV often does not scan, as doing so would take too many resources and slow down the system. Attackers pad the file to increase its size so that it will not be scanned (more on obfuscated files here).

File Behavior

Once executed, multiple things occur. We initially see the executable reach out and establish a C2 connection. From there it drops multiple DLLs; in most cases at least six of the following get dropped:

  • sqlite3.dll
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • vcruntime140.dll

These DLLs are themselves legitimate and native to Windows, but in this case the info stealer uses them for its own execution. From here we see the malware access sensitive directory locations that store web browser data. Here are some of the directories accessed:

  • Microsoft Edge: *\AppData\Local\Microsoft\Edge\User Data
  • Google Chrome: *\AppData\Local\Google\Chrome\User Data

Earlier in 2022, this malware showed more obvious signs of infection, and we would see it execute commands such as:

Command: /c copy /Y "FilePath of web info" "FilePath where to copy the information to" (usually in the temp folder)

Data Exfiltration

In some cases we will see an obvious sign of data exfiltration: a file is created in the Temp directory, all the information needed is copied into that file, which is immediately compressed and then exfiltrated via the pre-existing C2 connection. In other cases this is not as obvious from the available EDR telemetry.

Malware Deletion

In many cases we see the malware delete itself once the attack is complete. This is a defense evasion technique: even if the hash is known, AV solutions will not detect the malware during a regularly scheduled scan, since it has already been deleted.

Detections and Prevention Techniques

Other than following best practices while surfing the internet, how can we detect or stop this from a security perspective? As mentioned, info stealers have been known to evade AV and EDR, but there are some ways we can detect and prevent them. Some of these will be higher fidelity than others, but your organization can try to detect them at the different stages of the attack.

Initial Download

Review your organization's need for different file-sharing sites. Is there a business need to allow users to access and download files from Discord, MediaFire and Telegram? If not, blocking access to these sites or preventing downloads will help reduce the attack vectors. If that is not practical, one way to help detect this is to hunt for the filenames and/or history of downloads from these sites. Look for compressed file downloads with unusual file names that contain two or more of the following:

  • Setup
  • Latest
  • Pass
  • Password
  • Passw0rd
  • Main
  • Full
  • Download
  • Open

Many of these files are password protected, and the password is usually included in the filename (typically '1234'). Look for these downloads from file-sharing or otherwise abnormal sites. This approach may not be as fruitful long-term, since you are detecting on the initial download rather than the point of compromise, especially if the user never opens the file.
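The filename heuristic above, applied to download records as an added illustration (this is not code from the post): it uses the keyword list and the password-in-filename convention just described. The download records, the host patterns for the file-sharing sites and the "run of four or more digits" check for an embedded password are constructed assumptions.

```python
import re

# Keywords from the post's list; two or more in one archive name is the trigger.
KEYWORDS = ("setup", "latest", "pass", "password", "passw0rd",
            "main", "full", "download", "open")
ARCHIVE_EXTS = (".zip", ".rar")
# Substrings identifying the file-sharing hosts the post names (assumed host patterns).
FILESHARE_HOSTS = ("discord", "mediafire", "telegram", "t.me")

def keyword_hits(stem):
    """Distinct keywords in the archive name. Letters on either side break a match,
    so 'password' is not also counted as 'pass', while 'pass1234' still counts."""
    return {k for k in KEYWORDS
            if re.search(r"(?<![a-z])" + re.escape(k) + r"(?![a-z])", stem)}

def score_download(filename, source_host=""):
    """Classify one download record; returns None for anything that is not an archive."""
    name = filename.lower()
    if not name.endswith(ARCHIVE_EXTS):
        return None
    stem = name.rsplit(".", 1)[0]
    hits = keyword_hits(stem)
    return {
        "keywords": sorted(hits),
        # The archive password is often embedded in the name (the post cites '1234');
        # a run of four or more digits is an assumed proxy for that.
        "password_in_name": bool(re.search(r"\d{4,}", stem)),
        "from_fileshare": any(h in source_host.lower() for h in FILESHARE_HOSTS),
        "suspicious": len(hits) >= 2,
    }

def triage(downloads):
    """Filter (filename, host) download records down to the ones worth a look."""
    hits = []
    for filename, host in downloads:
        result = score_download(filename, host)
        if result and result["suspicious"]:
            hits.append((filename, result))
    return hits

# Constructed download records, e.g. from browser history or a proxy log.
SAMPLE_DOWNLOADS = [
    ("Setup_Latest_Full_Pass1234.zip", "cdn.discordapp.com"),
    ("Password_Main_Download.rar", "www.mediafire.com"),
    ("quarterly_report.zip", "sharepoint.example.com"),
    ("setup.exe", "cdn.discordapp.com"),   # not an archive, outside this heuristic
]
```

The password_in_name and from_fileshare fields are context for the analyst rather than triggers, so a plain business archive with two matching words still surfaces and can be dismissed by hand.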

User Execution

Detecting the initial execution of this file may be tricky and is not as reliable. One possibility is to look for an executable whose name contains "setup" being launched by one of the compression tools such as 7-Zip or WinRAR. Setup.exe is one of the common executables launched from these compressed files.

File Behavior

Detecting on file behavior offers the highest fidelity for spotting a compromise. Look for an executable that creates six or more of the DLLs listed above within a second or so. Alternatively, detect an unsigned executable that establishes a network connection followed by the creation of these DLLs. Because many of the file paths the malware inspects are static, one can also hunt for abnormal processes accessing those locations. In more recent observations, we have seen the malware use Telegram as its C2 method, so look for non-browser executables establishing multiple connections to Telegram (t[.]me).

Data Exfiltration

A higher-confidence method of detection is the data exfiltration activity or the establishment of the C2, for example checking for network connections from processes we would not expect this behavior from. Of course, knowing what is 'normal' in your organization will help you understand what should not be doing this. Look for native or downloaded executables that should not be making such connections.

To give some specific examples, hunt for 'InstallUtil.exe', 'AppLaunch.exe' or 'vbc.exe' establishing a remote connection. This is not normal for these programs; determine what launched them before the network connection to gain some insight.
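Correlation of the File Behavior and Data Exfiltration checks above over EDR-style telemetry, as an added example that is not code from the post: the six-DLL burst within about a second, the unsigned-process-then-network-connection variant, non-browser access to the browser profile paths, non-browser connections to t.me, and the three binaries that should not be making network connections. The event schema, process names, pids and timestamps are constructed.

```python
from collections import defaultdict

# DLLs from the post's list; six or more created by one process inside ~1 s is the trigger.
DROPPED_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
                "nss3.dll", "softokn3.dll", "vcruntime140.dll"}
BROWSER_PROFILES = (r"\appdata\local\microsoft\edge\user data",
                    r"\appdata\local\google\chrome\user data")
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}  # expected profile readers
NO_NET_EXPECTED = {"installutil.exe", "applaunch.exe", "vbc.exe"}  # named in the post
WINDOW_SECS, MIN_DLLS = 1.0, 6

def detect(events):
    """Correlate EDR-style events per pid (fields: ts, type, pid, image, signed, path/dest).
    Returns (pid, image, tag) findings, at most one per pid and behaviour."""
    findings, seen, connected, drops = [], set(), set(), defaultdict(list)
    def flag(ev, tag):
        if (ev["pid"], tag) not in seen:
            seen.add((ev["pid"], tag))
            findings.append((ev["pid"], ev["image"], tag))
    for ev in sorted(events, key=lambda e: e["ts"]):
        image, kind = ev["image"].lower(), ev["type"]
        if kind == "net_connect":
            connected.add(ev["pid"])
            if image in NO_NET_EXPECTED:
                flag(ev, "unexpected_process_network_connection")
            if image not in BROWSERS and "t.me" in ev["dest"]:
                flag(ev, "non_browser_telegram_connection")
        elif kind == "file_create":
            name = ev["path"].lower().rsplit("\\", 1)[-1]
            if name in DROPPED_DLLS:
                drops[ev["pid"]].append((ev["ts"], name))   # keep (ts, dll) per pid
                recent = {n for t, n in drops[ev["pid"]] if ev["ts"] - t <= WINDOW_SECS}
                if len(recent) >= MIN_DLLS:  # distinct names: re-creates do not inflate
                    c2_first = ev["pid"] in connected and not ev["signed"]
                    flag(ev, "dll_burst_after_unsigned_c2" if c2_first else "dll_burst")
        elif kind == "file_access" and image not in BROWSERS:
            if any(p in ev["path"].lower() for p in BROWSER_PROFILES):
                flag(ev, "non_browser_browser_profile_access")
    return findings

def ev(ts, kind, pid, image, signed, **extra):  # builder for constructed sample telemetry
    return {"ts": ts, "type": kind, "pid": pid, "image": image, "signed": signed, **extra}

LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    ev(5.0, "file_access", 900, "chrome.exe", True, path=LOGIN_DATA),  # benign
    ev(10.0, "net_connect", 4242, "setup.exe", False, dest="203.0.113.10:443"),
    ev(11.0, "file_access", 4242, "setup.exe", False, path=LOGIN_DATA),
    ev(12.0, "net_connect", 4242, "setup.exe", False, dest="t.me:443"),
    ev(13.0, "net_connect", 4343, "InstallUtil.exe", True, dest="203.0.113.20:443"),
] + [ev(10.5 + i / 10, "file_create", 4242, "setup.exe", False,
        path=r"C:\Users\alice\AppData\Local\Temp\%s" % d) for i, d in enumerate(sorted(DROPPED_DLLS))]
```

On the sample, setup.exe is flagged three times (DLL burst after an unsigned network connection, browser profile access, Telegram connection) and InstallUtil.exe once; chrome.exe reading its own profile is ignored.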

Malware Deletion

We can detect the deletion command, as we have seen some consistency in the command used. This may not be as effective, since we would alert only after the malware has fully executed, but it helps to identify this malware in your environment. We see cmd.exe launched with a command using similar parameters:

Command: "cmd.exe" /c timeout /t 6 & del /f /q "FilePathToMalware" & exit

Flag explanations:

  • /c – carry out the command, then terminate
  • timeout – pause command execution
  • /t 6 – timeout parameter, 6 seconds
  • del – delete
  • /q – quiet mode
  • /f – force delete
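The timeout-then-delete command line is regular enough to match with a pattern. The following added example (not code from the post) parses EDR process-create records for it and reports self-deletion only when the deleted path equals the parent process image, which separates the behavior described above from updaters that use the same delay-and-delete idiom on other files. The records, paths and field names are constructed.

```python
import re

# cmd.exe /c timeout /t <n> & del /f /q "<path>" & exit; the /f and /q order may vary,
# and the target may be quoted or bare.
SELF_DELETE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+(?P<secs>\d+)\s*&\s*'
    r'del\s+(?P<flags>(?:/[fq]\s+)+)"?(?P<target>[^"&]+?)"?\s*&\s*exit',
    re.IGNORECASE)

def analyse_cmdline(record):
    """record: dict with the EDR process-create fields cmdline and parent_image.
    Returns None unless the command line is the timeout-then-delete pattern."""
    cmdline = record["cmdline"].replace("\u201c", '"').replace("\u201d", '"')  # curly quotes
    m = SELF_DELETE.search(cmdline)
    if not m:
        return None
    target = m.group("target").strip()
    return {
        "delay_secs": int(m.group("secs")),
        "target": target,
        "flags": sorted(m.group("flags").split()),
        # Deleting the parent's own image is the discriminator: updaters also use
        # timeout-then-del, but on other files.
        "self_delete": target.lower() == record.get("parent_image", "").lower(),
    }

def hunt(records):
    """Parent images whose child cmd.exe deleted them after a delay."""
    out = []
    for r in records:
        a = analyse_cmdline(r)
        if a and a["self_delete"]:
            out.append(r["parent_image"])
    return out

# Constructed process-create records (paths and names are made up).
SAMPLE_RECORDS = [
    {"parent_image": r"C:\Users\alice\Downloads\Setup_Latest\setup.exe",
     "cmdline": r'"cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\alice\Downloads\Setup_Latest\setup.exe" & exit'},
    {"parent_image": r"C:\Program Files\App\update.exe",
     "cmdline": r'cmd.exe /c timeout /t 3 & del /q /f C:\Users\alice\AppData\Local\Temp\old.log & exit'},
    {"parent_image": r"C:\Windows\explorer.exe", "cmdline": 'cmd.exe /c dir'},
]
```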


Info stealers in general are not a new type of malware, but recently there has been an uptick in how often they are used. Because of this, we see attacker TTPs changing rapidly to keep from being detected. Some of these have the capability of evading EDR and AV solutions, which makes these false negatives all the more important to hunt for. Many of the more common yet effective credential stealers are in use, including Redline, Raccoon and Vidar.

Infection Chain

IOCs (The Compressed Files)