What is an infostealer?
Infostealers are lightweight malware that silently extract passwords, session cookies, authentication tokens, autofill data, cryptocurrency wallets, and other sensitive information, then exfiltrate them to an attacker-controlled server. They are highly successful because most infections are self-inflicted, coming from users who intentionally execute fake installers, fake captcha prompts, cracked/pirated software, game mods, or "free" software that provide a pathway for the compromise to execute. Once executed, the malware exfiltrates everything instantly, leaving almost no artifacts for antivirus tools to detect. The reason is that they use native OS components and common tools built into each platform, such as PowerShell on Windows, bash, terminal, and osascript on macOS, along with curl on both platforms to collect and siphon credentials. These actions appear as normal user or system activity to virus/malware scanners both during and after execution. So don't bother wasting time on virus/malware scans, as they will likely find nothing.
How to recover from an infostealer compromise?
I have dissected several variants of infostealers and found that architecturally they are identical in how they operate, so the steps below apply to any variant. Follow the steps in the exact order specified to effectively recover from an infostealer compromise.
1. Revoke active sessions: This is the most critical step that most people miss. If done immediately after you realize you ran an infostealer, there is a very good chance your account compromise will be minimal or, if you are lucky, unsuccessful, assuming you did not provide the admin password during stage2 run (it would have asked you for password). Many victims falsely assume or are misinformed that changing a password (step 2 below), will take care of revoking sessions, which is not true for all services. Since this is an extremely time critical step strictly limited to just invalidating the hijacked session(s), do not waste time finding a clean device if you do not have one handy because using the same device immediately is actually the better option. Navigate to each of your online service where you may have logged in already and revoke all sessions from all devices. If the service challenges you for a username and password, skip it because that service is perfectly fine and move to the next one. Depending on your email service, whether it is Microsoft, Google, or Apple, they all provide a way to sign out of all devices, but the steps may vary.
- Google: Navigate to https://myaccount.google.com/device-activity and select each device and choose Sign out.
- Microsoft: Navigate to https://account.microsoft.com/ and scroll to Security then Additional security options and choose Sign out everywhere.
- Apple: Apple makes this much harder than Google or Microsoft. It does not give consumers any UI to revoke browser sessions, app sessions, or Apple ID web tokens the way Google and Microsoft do. You have to do it the hard way on each device and each session manually.
Do the same for all other online accounts that allow multiple logins from multiple devices like ecommerce services, social media platforms, gaming platforms, crypto platforms and the like. One good thing to note is when it comes to online banking, most if not all revoke sessions periodically every few minutes of inactivity, but still, forcefully logging off ensures the stolen tokens are not useful to the attacker. Now, shutdown and power off the compromised device.
2. Change password: This step must be done using a device that is not compromised. Login to each of your online accounts and change your password or optionally change to a passphrase. Enable 2FA if not enabled already, preferably an authenticator app or hardware key-based method rather than SMS. Make sure there are no email forwarding rules in your email accounts. Setup a recovery email if there is not one already and finally, regenerate the backup codes.
3. Reinstall OS: If your compromised device is a PC, create a bootable media. It can be a USB stick or secondary SSD with an installable OS obtained directly from Microsoft. Now go to your compromised device BIOS settings and enable booting from the alternate drive, the USB or secondary SSD, and choose to do a complete wipe and reinstall of Windows on your primary SSD or hard drive. For a Mac, boot into recovery mode, choose Disk Utility, and select the top-level internal disk to erase. Follow that by selecting reinstall macOS. If you are unsure how to do this, there are plenty of tutorials on YouTube you can follow to accomplish this step.
4. Monitor: Monitor your credit cards, online banking, and similar financial accounts. Optionally, I recommend freezing your credit following this guide: https://blog.selvansoft.com/2023/05/howto-credit-freeze.html
5. Safety Tips: Follow as many online safety tips as possible from the blog link below. The more of them you follow, the stronger your online safety becomes. https://blog.selvansoft.com/2025/01/online-safety-tips.html
6. Advice: Stay away from installing stuff from random websites. You can assume all free/pirated software has some form of malware. There is no such thing as a safe website to download free stuff. It just does not exist, regardless of what you heard or what your buddy online told you about a software from a site being safe.

No comments:
Post a Comment