June 21, 2023 | Text: Markus Selinger | Antivirus for Windows

Security from Data Stealers: So Sensitive Data won't end up on the Darknet

APT groups often exploit vulnerabilities or attack via spear phishing and try to install a data stealer. Once that has been accomplished, sensitive data is transferred and used for blackmail. Good security products either fend off the attacks directly or detect the unauthorized movement of data and block it. AV-TEST examined security products for consumer users and evaluated in its Advanced Threat Protection test just how well data stealers are detected or blocked in further steps. Some products clearly have problems, which results in loss of data.

Data stealers on the prowl – here is how well security software fared in the test

While ransomware is typically referred to as the plague of the century, it is safe to say that data stealers are the cholera. While many attacks on large companies or institutions involve ransomware, data stealers are being deployed ever more frequently. The purpose: first the attackers penetrate a system, then they steal, in some cases, vast volumes of data. Attacks with ransomware proceed in a similar way, but seldom are large amounts of data stolen; with ransomware, encryption on site is the final step. Ransomware, however, involves greater overhead than a data stealer, as the encryption also has to be managed, and many companies are now more effectively protected against ransomware thanks to intelligent backups.

That is why many groups use data stealers: they penetrate systems, steal, i.e. exfiltrate, the data and begin the blackmail. Unless payment is made immediately, the attackers publish the first batches of data after only a few days in order to build up more pressure. Afterwards, a second countdown to payment begins. If the company still refuses to pay – which indeed it ought to – the data is sold on the Darknet or all of it is made public.

24 protection solutions against data stealers

In its Advanced Threat Protection test in January and February 2023, the lab at AV-TEST evaluated 24 protection solutions under Windows 10 for consumer users and corporate users against data stealers. In the process, the products were required to detect the attackers or, in further steps, stop them with various defensive techniques and to protect the systems in 10 scenarios. For each step within a scenario, such as detection or use of additional techniques, the laboratory awards up to 4 points. Thus, the products are able to achieve up to 40 points for their protection score. Among the security packages for consumer users, 9 of the 11 products evaluated did just that. Among the solutions for companies, 10 out of the 13 test candidates completed the test with the maximum point score of 40.

All the security solutions evaluated in the test received a special security certificate, as they achieved 75 percent of the maximum 40 points – thus 30 points. Consumer user products receive the "Advanced Certified" certificate, and corporate user products receive the "Advanced Approved Endpoint Protection" certificate. Only Acronis received no certificate. The product passed the test error-free; however, AV-TEST only certifies products that also achieve certification in the regular monthly tests and fulfil all of their criteria.

For a more detailed explanation of the evaluation tables and the individual color codes in the traffic light system, please see also the article "Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?".

Fending off data stealers under Windows

Your data is precious! That is what cyber gangsters think, which is why they try stealing it and demanding ransom money for it. The Advanced Threat Protection test shows how reliably security solutions provide protection
Data stealers: more protection for corporate data

Cyber gangsters use data stealers for attacking and hauling off corporate users' data – afterwards, they launch a blackmail campaign. The Advanced Threat Protection test under Windows delivers insights into how well corporate solutions protect against this type of attack


Attack steps used in the test

The Advanced Threat Protection test examines in 10 scenarios the exact procedure that would also unfold during an attack with a data stealer against a corporate user or a consumer user. The attack steps are explained in the 10 scenario charts. Also listed there are the internationally defined "Technique" codes from MITRE ATT&CK. Based on this data, experts can precisely track how an attack proceeds.

All attacks in the scenarios follow the same initial pattern: an e-mail containing a spear phishing attack reaches the user. Each e-mail has an attachment concealing one of various current attack methods, such as a LNK file, an archive with EXE, batch or SFX files, or an HTML or HTA file. As soon as these are launched, the actual attack unfolds over various further steps, e.g. via Windows PowerShell or with scripts. After additional attack steps and a scan of the drives, the exfiltration of data to a C2 server begins. This illustration is naturally a heavily abbreviated version of the routines occurring in practice.

The 10 test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example "T1566.001", are listed in the MITRE database for "Techniques" under "Phishing: Spearphishing Attachment". Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.
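As an added illustration (not AV-TEST's own tooling), the chain described above can be expressed as ordered detection stages: the Python below correlates constructed endpoint events per host, advancing a stage only after the previous one has been seen, and tags each stage with its MITRE ATT&CK ID (T1566.001 is the one the article names; T1059, T1083 and T1041 are the public IDs for scripting interpreter, file discovery and exfiltration over C2). Event field names, process lists and thresholds are assumptions.

```python
# Added example, not AV-TEST's code: ordered correlation of the data stealer chain.
from collections import defaultdict

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed mail clients
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# (stage name, ATT&CK ID, predicate on one event); predicates test "type" first,
# so events lacking other keys never raise KeyError.
STAGES = [
    ("attachment_launch", "T1566.001",
     lambda e: e["type"] == "process" and e["parent"].lower() in MAIL_CLIENTS),
    ("script_host", "T1059",
     lambda e: e["type"] == "process" and e["image"].lower() in SCRIPT_HOSTS),
    ("drive_scan", "T1083",
     lambda e: e["type"] == "file_enum" and e["count"] >= 1000),
    ("exfil_to_c2", "T1041",
     lambda e: e["type"] == "net" and e["direction"] == "out" and e["bytes"] >= 1_000_000),
]

def correlate(events):
    """Per host, walk events in time order; an event can advance the chain by at
    most one stage, and a stage only counts once every earlier stage was seen."""
    state = defaultdict(lambda: {"reached": 0, "techniques": []})
    for e in sorted(events, key=lambda x: x["ts"]):
        host = state[e["host"]]
        nxt = host["reached"]
        if nxt < len(STAGES) and STAGES[nxt][2](e):
            host["reached"] = nxt + 1
            host["techniques"].append(STAGES[nxt][1])
    return {h: (s["reached"], s["techniques"]) for h, s in state.items()}

def verdict(reached):
    """Map the furthest stage to the outcome the test scores: blocked early or not."""
    if reached == 0:
        return "no chain observed"
    if reached < len(STAGES):
        return "chain started, no exfiltration observed"
    return "data exfiltrated"

SAMPLE_EVENTS = [  # constructed telemetry for two hosts, not real data
    {"ts": 1, "host": "pc-a", "type": "process", "parent": "OUTLOOK.EXE", "image": "cmd.exe"},
    {"ts": 2, "host": "pc-a", "type": "process", "parent": "cmd.exe", "image": "powershell.exe"},
    {"ts": 3, "host": "pc-a", "type": "file_enum", "count": 48000},
    {"ts": 4, "host": "pc-a", "type": "net", "direction": "out", "bytes": 52_000_000},
    {"ts": 1, "host": "pc-b", "type": "process", "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": 2, "host": "pc-b", "type": "net", "direction": "out", "bytes": 3_000_000},
]

if __name__ == "__main__":
    for host, (reached, techs) in correlate(SAMPLE_EVENTS).items():
        print(host, reached, techs, verdict(reached))
```

Host pc-b shows why the ordering matters: an admin's PowerShell session followed by a large upload does not fire because no mail-client child process preceded it.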

[Scenario charts 01 to 10]

Consumer user products in the Advanced Threat Protection test

The following 11 manufacturers of security packages for consumer users faced off against data stealers: AhnLab, Avira, Bitdefender, Kaspersky, Malwarebytes, McAfee, Microsoft, Microworld, Norton, PC Matic and Trend Micro.

In this test, each of the 11 products competed to achieve 4 points 10 times and earn its protection score. 9 products reached this perfect level of 40 points. They came from AhnLab, Bitdefender, Kaspersky, Malwarebytes, McAfee, Microsoft, Norton, PC Matic, and Trend Micro. They all fended off the data stealers error-free either when they were launched or already when they were trying to gain access to the system via e-mail.

Microworld and its eScan Internet Security Suite had difficulties in one scenario. It did detect the attacker, but was not able to stop it completely. The data stealer was able to load a DLL file and write itself into the registry. In addition, one or several screenshots were created and sent to the C2 server. All additional steps were thwarted. For this error, Microworld lost 2 out of 4 points, coming in at what was still a good score of 38 out of 40 points.

Avira Security for Windows did not fare as well in the test. In 2 of the 10 scenarios, the respective data stealer was able to launch unhindered and to exfiltrate the data it was looking for. By the end of the test, Avira had achieved 32 out of 40 points for its protection score.

Company solutions in the Advanced Threat Protection test

Attacks by data stealers are presumably launched against solutions for corporate users much more frequently than against consumer users. After all, corporate data is much more valuable.

The security solutions from the following 10 manufacturers fended off all data stealer attacks error-free and thus received 40 points for their protection score: Acronis, AhnLab, Bitdefender (with both versions), Kaspersky (with both versions), Malwarebytes, Symantec, Trellix and Xcitium. The data stealers didn't stand a chance against the solutions.

In the case of 3 products, the results were somewhat mixed. Microsoft clearly had problems in two scenarios. In both instances, there was a positive detection, but the protection was not able to completely prevent the subsequent launch. The collection of data on the systems kept running unabated, as did its transfer to the C2 server. As a final step, the attackers also made screenshots of the compromised desktops. For the small resistance it put up in the two scenarios, Microsoft still received 2.5 out of 8 points. Overall, Microsoft's protection score ended up at 34.5 out of 40 points.

The security product from VMware reached a final protection score of 32 out of a possible 40 points. The reason is simple: in 2 instances, the solution was able to neither detect nor stop the data stealers.

With its Endpoint Security, Seqrite ended up at the bottom of the ranking with 31 out of 40 points. In one case, the protection did not detect the attacker, and it was able to freely go about its business. In two other instances, the attacker was identified, but only partially slowed down. In the end, the data was in fact collected and transferred to the C2 server.

As authentic as everyday attacks

In the 10 scenarios used in the test, attacks are deployed the way they occur daily against consumer users and corporate users of every size. In particular, the theft of data and the threatened disclosure in case of non-payment of ransom is a typical scenario for a vast number of attacks these days. What's more, the data stealer samples used in the test are currently wreaking havoc around the world. Shortly prior to the test, the lab collected them on the Internet and by means of honeypots and classified them.

While not all products delivered a perfect result, it is encouraging to note the extremely large number that did. Thus, among the products for consumer users, 9 out of 11 products finished the test with the maximum 40 points for their protection score.

Among the products for corporate users, it was 10 out of 13 security solutions that flawlessly fended off the data stealers.

In both user groups, a few products could stand major improvement. The worst results were 32 and 31 out of a possible 40 points.

Consumer Users 02/2023

V3 Internet Security
Security
Internet Security
Internet Security
Premium
Total Protection
Defender Antivirus (Consumer)
eScan Internet Security Suite
Norton 360
Application Whitelisting
Internet Security

Corporate Solutions 02/2023

Cyber Protect
V3 Endpoint Security
Endpoint Security
Endpoint Security (Ultra)
Endpoint Security
Endpoint Security
Small Office Security
Endpoint Protection
Defender Antivirus (Enterprise)
Endpoint Security
Endpoint Security Complete
Endpoint Security
Carbon Black Cloud
Client Security
