# Infostealers

> Malware specialised in the silent collection and exfiltration of valuable information: credentials saved in browsers, cryptocurrency wallets, session tokens, credit card data and sensitive documents. They feed the Initial Access Broker (IAB) ecosystem that sells corporate access to ransomware groups.

> [!danger] Critical Vector for Corporate Access
> Infostealers such as Lumma Stealer, RedLine and Vidar operate at massive scale as **MaaS (Malware-as-a-Service)**. Credentials stolen by infostealers are sold on underground marketplaces and used by ransomware groups for initial corporate access; this pipeline is responsible for a large share of successful ransomware attacks.

## How They Work

Infostealers are built for speed: they execute, collect as much as possible and exfiltrate within seconds, minimising their time of exposure on the system.

```mermaid
graph TB
    A["🎣 Delivery<br/>MalSpam / Cracked software / YouTube"] --> B["⚡ Fast Execution<br/>No persistence / In-memory"]
    B --> C["🔍 Automated Collection<br/>Browser passwords / Cookies / Wallets"]
    C --> D["📋 Local Aggregation<br/>Compresses and encrypts everything"]
    D --> E["📤 Exfiltration<br/>Telegram / Discord / HTTPS"]
    E --> F["💾 Log File<br/>ZIP archive with all the credentials"]
    F --> G["🛒 Underground Sale<br/>Genesis Market / Russian Market"]
    G --> H["🚪 Corporate Access<br/>VPN / RDP / Cloud"]

    style A fill:#e74c3c,color:#fff
    style B fill:#e67e22,color:#fff
    style C fill:#f39c12,color:#fff
    style D fill:#d35400,color:#fff
    style E fill:#8e44ad,color:#fff
    style F fill:#2980b9,color:#fff
    style G fill:#c0392b,color:#fff
    style H fill:#922b21,color:#fff
```

**Categories of data collected:**

- **Browser credentials** - Passwords saved in Chrome, Firefox, Edge, Brave
- **Session cookies** - Allow access to accounts without the password (session hijacking)
- **Crypto wallets** - Seeds and private keys for Bitcoin, Ethereum and others
- **Sensitive documents** - PDFs, Word files and spreadsheets found on the system
- **Software data** - VPNs, FTP clients, SSH keys, API tokens

## Catalogued Families

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", first-seen AS "Primeira Vez"
FROM "cti/software/malware/infostealers"
WHERE type = "malware"
SORT title ASC
```
%%

| Name | Status | First Seen |
| --- | --- | --- |
| [[s0331-agent-tesla\|Agent Tesla]] | active | 2014 |
| [[arkei\|Arkei Stealer]] | active | 2018 |
| [[cti/software/malware/infostealers/aurora-stealer.md\|Aurora Stealer]] | active | 2022 |
| [[s0344-azorult\|AZORult]] | active | January 01, 2016 |
| [[s0089-blackenergy\|BlackEnergy]] | inactive | 2007 |
| [[s0657-bluelight\|BLUELIGHT]] | active | |
| [[s0454-cadelspy\|Cadelspy]] | active | |
| [[s0261-catchamas\|Catchamas]] | active | |
| [[s0631-chaes\|Chaes]] | active | |
| [[cookieminer\|CookieMiner]] | active | |
| [[s0050-cosmicduke\|CosmicDuke]] | active | |
| [[cryptbot\|CryptBot]] | active | 2019 |
| [[s1153-cuckoo-stealer\|Cuckoo Stealer]] | active | |
| [[darkcasino\|DarkCasino]] | active | 2018 |
| [[cti/software/malware/infostealers/dewmode.md\|DEWMODE]] | inactive | January 01, 2021 |
| [[s0514-formbook\|Formbook]] | active | 2016 |
| [[hawkeye\|HawkEye]] | active | 2013 |
| [[s1022-iceapple\|IceApple]] | active | |
| [[ikitten\|iKitten]] | inactive | February 01, 2017 |
| [[s1245-invisibleferret\|InvisibleFerret]] | active | |
| [[isrstealer\|ISRStealer]] | active | 2016 |
| [[s0288-keyraider\|KeyRaider]] | inactive | 2015 |
| [[cti/software/malware/infostealers/lemurloot.md\|LemurLoot]] | inactive | May 01, 2023 |
| [[s0447-lokibot\|Lokibot]] | active | |
| [[s0409-machete\|Machete]] | active | |
| [[s0282-macspy\|MacSpy]] | active | |
| [[s1156-manjusaka\|Manjusaka]] | active | |
| [[s0652-markirat\|MarkiRAT]] | active | |
| [[cti/software/malware/infostealers/mars-stealer.md\|Mars Stealer]] | active | 2021 |
| [[meduza-stealer\|Meduza Stealer]] | active | June 01, 2023 |
| [[meta-stealer\|META Stealer]] | active | March 01, 2022 |
| [[s1146-mgbot\|MgBot]] | active | |
| [[s1122-mispadu\|Mispadu]] | active | |
| [[mystic-stealer\|Mystic Stealer]] | active | 2023 |
| [[s1090-nightclub\|NightClub]] | active | |
| [[s0453-pony\|Pony]] | active | 2011 |
| [[predator-stealer\|Predator Stealer]] | active | 2018 |
| [[s0113-prikormka\|Prikormka]] | active | |
| [[s0279-proton\|Proton]] | active | |
| [[s0686-quietsieve\|QuietSieve]] | active | |
| [[s1148-raccoon-stealer\|Raccoon Stealer]] | active | 2019 |
| [[s1240-redline-stealer\|RedLine Stealer]] | inactive | 2020 |
| [[s0375-remexi\|Remexi]] | active | |
| [[rhadamanthys\|Rhadamanthys]] | active | September 01, 2022 |
| [[risepro\|RisePro]] | active | December 01, 2022 |
| [[s0240-rokrat\|ROKRAT]] | active | |
| [[s0090-rover\|Rover]] | active | |
| [[s1140-spica\|Spica]] | active | |
| [[cti/software/malware/infostealers/stealc.md\|StealC]] | active | January 01, 2023 |
| [[s0595-thiefquest\|ThiefQuest]] | active | |
| [[s0004-tinyzbot\|TinyZBot]] | active | |
| [[s1201-translatext\|TRANSLATEXT]] | active | |
| [[s1196-troll-stealer\|Troll Stealer]] | active | |
| [[s0130-unknown-logger\|Unknown Logger]] | active | |
| [[s0476-valak\|Valak]] | inactive | October 01, 2019 |
| [[cti/software/malware/infostealers/vidar-stealer.md\|Vidar Stealer]] | active | November 01, 2018 |
| [[s1116-warpwire\|WARPWIRE]] | active | |
| [[s0670-warzonerat\|WarzoneRAT]] | active | |
| [[s0161-xagentosx\|XAgentOSX]] | active | |
| [[s1207-xloader\|XLoader]] | active | |

> [!info] Statistics
> **13 families** catalogued - **12 active** - MaaS dominant in the underground market - Direct pipeline to ransomware access

## Defences and Mitigations

- [[m1054-software-configuration|M1054 - Software Configuration]] - Disable password saving in corporate browsers
- [[m1032-multi-factor-authentication|M1032 - Multi-Factor Authentication]] - MFA on all critical access
- Monitor indicators of compromise from threat-intel feeds (hashes, C2 domains)
- Use dedicated password managers instead of browser password stores
- Rotate credentials periodically and revoke suspicious active sessions

## Related

[[_malware]] - [[_groups]]

- [[t1555-003-credentials-from-web-browsers|T1555.003 - Credentials from Web Browsers]]
- [[t1539-steal-web-session-cookie|T1539 - Steal Web Session Cookie]]
- [[t1041-exfiltration-over-c2-channel|T1041 - Exfiltration Over C2 Channel]]
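The collect-then-exfiltrate pipeline described under "How They Work" and the monitoring item in the mitigations list, as an added detection example that is not part of the original note: it correlates constructed endpoint telemetry so that a non-browser process which reads a browser credential store and then connects to a Telegram or Discord endpoint is flagged with the ATT&CK techniques this page references. The event schema, process names and file paths are assumptions made for the example.

```python
"""Constructed endpoint-telemetry correlator for the collect-then-exfiltrate pattern."""
from collections import defaultdict

# Browser artefacts holding saved passwords / session cookies, mapped to the
# ATT&CK technique their theft corresponds to (the techniques referenced on this page).
CREDENTIAL_STORES = {
    "Login Data": "T1555.003", "logins.json": "T1555.003", "key4.db": "T1555.003",
    "Cookies": "T1539", "cookies.sqlite": "T1539",
}
# Legitimate owners of those files; any other reader is worth a look.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Exfiltration services named in the pipeline above.
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}


def correlate(events):
    """Alert on each pid that reads a credential store and later reaches an exfil host.

    `events` is an assumed, time-ordered list of dicts with keys type/pid/process
    and either path (type "file_read") or host (type "net_connect").
    """
    touched = defaultdict(set)  # pid -> techniques observed before any exfil connect
    alerts = []
    for ev in events:
        proc = ev["process"].lower()
        if ev["type"] == "file_read" and proc not in BROWSERS:
            name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1]
            if name in CREDENTIAL_STORES:
                touched[ev["pid"]].add(CREDENTIAL_STORES[name])
        elif ev["type"] == "net_connect" and ev["host"].lower() in EXFIL_HOSTS:
            if touched.get(ev["pid"]):  # alert only when collection preceded the connect
                alerts.append({"pid": ev["pid"], "process": ev["process"], "host": ev["host"],
                               "techniques": sorted(touched[ev["pid"]] | {"T1041"})})
    return alerts


# Constructed sample: a "cracked installer" reads Chrome stores, then posts to Telegram,
# while the real browser touching its own files and reaching Discord is left alone.
CHROME = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"type": "file_read", "pid": 4120, "process": "chrome.exe", "path": CHROME + r"\Login Data"},
    {"type": "file_read", "pid": 5577, "process": "setup_crack.exe", "path": CHROME + r"\Login Data"},
    {"type": "file_read", "pid": 5577, "process": "setup_crack.exe", "path": CHROME + r"\Network\Cookies"},
    {"type": "net_connect", "pid": 4120, "process": "chrome.exe", "host": "discord.com"},
    {"type": "net_connect", "pid": 5577, "process": "setup_crack.exe", "host": "api.telegram.org"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the file-read and network events would come from an EDR or Sysmon feed, and the host list would be extended with the C2 domains from the threat-intel feeds mentioned in the mitigations.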