Infostealers – research objectives

Abstract:

Infostealer malware attracts steadily growing attention from cybercriminals and causes increasing losses to users and corporations. A successful infostealer attack can lead to the theft of login credentials, cryptocurrency wallets, multi-factor authentication tokens, web browsing history, and other sensitive data. Many end-user applications try to address that threat by protecting sensitive data at rest. On Windows, they often use the Windows Data Protection API (DPAPI), which encrypts data using the logged-in user's context. However, this also exposes the data to risk when the malware runs in the same user's context. In this paper, I introduce the basics of DPAPI with some real-life use cases. I analyze Vidar Stealer, Raccoon Stealer, RedLine Stealer, Aurora Stealer and Lumma Stealer in terms of their use of DPAPI. I propose research objectives focused on understanding how these stealers operate, detecting their activity, and stopping them from working.
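The property the abstract relies on, that a DPAPI blob encrypted in a user's context can be decrypted by any code running in that same context, is easy to observe directly. The following PowerShell script is an added illustration and is not code from the paper or from any of the stealers it names. It assumes a Windows host (the ProtectedData class is a thin wrapper over CryptProtectData/CryptUnprotectData), and the secret and entropy values are constructed samples. It protects a secret in CurrentUser scope, unprotects it again with the same call that any same-user process could make, and then repeats the exercise with application-supplied optional entropy, which DPAPI requires again at decryption time.

```powershell
# Added illustration (not from the paper): DPAPI binds a blob to the user,
# not to the application, so any process running as that user can unprotect it.
Add-Type -AssemblyName System.Security

# Constructed sample secret standing in for e.g. a browser's saved credential.
$secret = [System.Text.Encoding]::UTF8.GetBytes("example-password-123")
$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# 1. Protect at rest with no application-supplied entropy (the common pattern).
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
Write-Host ("Protected blob: {0} bytes" -f $blob.Length)

# 2. Any process in the same user context reverses it with the same call.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
Write-Host ("Unprotected in same user context: " + [System.Text.Encoding]::UTF8.GetString($plain))

# 3. Optional entropy is an extra secret supplied by the application. DPAPI mixes it
#    into the key derivation, so the blob cannot be unprotected without it even in
#    the same user context. The entropy value below is a constructed placeholder.
$entropy = [System.Text.Encoding]::UTF8.GetBytes("app-specific-secret")
$blob2 = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob2, $null, $scope)
    Write-Host "Unexpected: blob unprotected without entropy"
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Host ("Unprotect without entropy failed as expected: " + $_.Exception.Message)
}

$plain2 = [System.Security.Cryptography.ProtectedData]::Unprotect($blob2, $entropy, $scope)
Write-Host ("Unprotected with entropy: " + [System.Text.Encoding]::UTF8.GetString($plain2))
```

Run it in a normal (non-elevated) session; step 2 succeeds because the blob is tied to the user's master key, not to the process that created it. Step 3 shows the one knob DPAPI itself offers for narrowing that boundary, with the obvious caveat that the entropy is only as secret as wherever the application stores it.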