Botnet & Infostealers: Financial Threat Landscape 2023

Botnets pose a significant and insidious threat. Their resistant nature to mitigation efforts makes them particularly dangerous.

Through analysis by Swascan’s Cyber Security Team, not only have botnets that have directly affected Italian financial sector assets been identified, but also those that may have infected personal devices or those used by employees in remote work mode. Connecting to business applications from infected devices can have devastating consequences. Malware such as InfoStealers can steal login credentials, financial information, personal data, credit card information, and confidential documents.

Subsection Extra #1 depicts the results of an analysis conducted on a sample of 30 Italian banks, equally divided between “significant” and “less significant” aimed at examining the presence of compromised devices and risks from data breaches considering the period between 2022 and 2023.
In detail, between 2022 and 2023 out of the 30 banks analyzed, a total of 48,565 devices were found to be infected by InfoStealer; specifically, it went from a total of 19,806 in 2022 to 28,759 credentials exfiltrated by InfoStealer in 2023 that stole current account login credentials but at the same time financial information, personal data, credit card information, and confidential documents, an increase of 45.2 percent.

One of the main observations, then, is the evident growth in the use of InfoStealer-type malware for credential exfiltration, involving both bank employees and end customers. Overall, an amount of 105,777 infected devices belonging to internal users, external users, end customers and devices from which cookies, autofills, history and documents were exfiltrated were found.
Contrary to this trend, the use of combolists is decreasing, highlighting a transition in attackers’ tactics.
In 2023, combolists totaled 1,148 compared to 9,486 in 2022, signaling a contraction in the approach to credential list publication.

This translates into a significant percentage difference of 87.9 percent, indicating a significant decrease in the number of combolists published this year compared to the previous year. In addition, subsection Extra #2 provides an overview of the main InfoStealers identified in the context of the analysis conducted.

Finally, in subsection Extra #3 an in-depth study was conducted regarding the main motivations behind the increasing use of InfoStealer-type malware through the examination of some underground forums where such malware is offered for sale.

For further analysis:

BiBi Wiper: malware analysis 
VenomRAT & RemcosRAT: february 2024 update

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.