November 14, 2024
10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit
Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn’t it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that’s basically the state of things today. Welcome to the infostealer garden of low-hanging fruit. Over the last few years, the problem has grown bigger and bigger, and only now are we

Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn’t it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that’s basically the state of things today. Welcome to the infostealer garden of low-hanging fruit.

Over the last few years, the problem has grown bigger and bigger, and only now are we slowly learning its full destructive potential. In this article, we will describe how the entire cybercriminal ecosystem operates, the ways various threat actors exploit data originating from it, and most importantly, what you can do about it.

Let’s start with what infostealer malware actually is. As the name suggests, it’s malware that… steals data.

Depending on the specific type, the information it extracts might differ slightly, but most will try to extract the following:

  • Cryptocurrency wallets
  • Bank account information and saved credit card details
  • Saved passwords from various apps
  • Browsing history
  • Cookies from the browser
  • List of downloaded files
  • Information about the operating system used
  • A screenshot of your desktop
  • Documents grabbed from the filesystem
  • Credentials for Telegram and VPN apps
Example of infostealer log package

And more and more stuff, as the malware developers add additional features over time. As you can imagine, you don’t want this kind of information being leaked on the internet for everyone to see. Nor do you want credentials to your organization’s internal systems being compromised in this way. Yet that’s exactly what’s happening each and every day to thousands of users.

You don’t have to be particularly tech-savvy to spread infostealer malware, nor rich to obtain valuable data stolen by other threat actors. Let’s take a look at how the whole ecosystem works.

You, too, can be a cybercriminal!

An ongoing trend on the dark side of the internet is specialization. While in the past, it was more common for one individual or group to take care of the whole process, nowadays the path to your company assets is paved by many different competing threat actors. These actors specialize in just one part of the “industry” and will happily provide their services to anyone willing to pay, in a true free-market spirit.

An example of the “old way” might be the famous Zeus banking malware. It was developed and spread by the same group of people. Stolen data was also exploited by them, and all proceeds from this criminal enterprise went back to them. There was no way for you, a petty cybercriminal, to make money with their results or even buy the malware itself so that you could spread it on your own.

Well, the market evolved. While there are still actors operating completely on their own, the bar for entering the world of stealing other people’s data is much lower. You, even as an individual, can join the ranks of the cybercrime startup industry. The following positions are now open:

Screenshot of desktop included in the above mentioned package

Dropper Implant Developer / Installs Seller

You will be responsible for developing a small yet important piece of software on which the rest of the “industry” often relies: the malware dropper, or loader if you prefer.

While the infostealer malware file itself tends to be rather large because it contains lots of functionality, the malware dropper has only one goal: bypass the antivirus and create a way for other actors to download their own malicious code to the device.

An example of such a dropper might be the Smoke Loader, operating since 2011 and still adding new functionality to this day. Dropper/loader developers either exploit access obtained with their software themselves or resell it through various darknet forums to others, or both. In darknet lingo, an infected computer is known as an “install,” and there are many “installs services” claiming to provide you with a way to spread your own malware (be it infostealers, cryptominers, or other malicious code) through them. Usually, they will assure you that they sell the “install” to your hands only, but from our experience, this is often not the case, as the “installs service” operators will try to monetize it to the max.

InstallsKey dropper service

One such service, InstallsKey, will sell infected (with their own dropper) computers to you for less than a dollar to 10 bucks, depending on the locality. That’s not exactly dirt cheap, but if you know what you are doing, you will get your “investment” back rather quickly.

Infostealer Malware Developer

The engine of the “industry.” You’ll need several years of experience with programming and preferably a good knowledge of how the Windows OS works. Infostealer malware, often loaded through some kind of dropper as described above, extracts all kinds of potentially valuable information and sends a package containing it to the attacker through some form of communication channel.

A non-comprehensive list of commercially available infostealer malware includes:

  • RedLine (outdated, yet still in use by some)
  • META Stealer (updated fork of RedLine)
  • LummaC2
  • Rhadamanthys
  • Vidar
  • Raccoon Stealer (original author arrested, yet still in use)
  • RisePro
  • StealC
  • Monster Stealer

And there are many, many others. Subscription prices range from dozens to lower hundreds of dollars per month.

LummaC2 stealer offering their services on a russian-speaking darknet forum

Usually, you will receive a “builder” application with which you can create an .exe file that suits your needs, often bypassing most common AV solutions (therefore partially covering the functionality droppers provide). Depending on the type, you’ll receive your victim’s data through a web panel (either self-hosted or provided to you) or Telegram.

Cracked version of META stealer available for free

Crypter developer

Bypassing antivirus for the price of a few beers? Not a problem. Crypter developers will allow you to do just that, so you can focus on… well, whatever it is you are up to.

An example of automated crypter service

A crypter is a piece of code that will pack your very evil .exe file in a way that most common AV solutions won’t notice. Both droppers and infostealers sometimes already include some kind of AV bypassing, but a crypter will add an additional layer so you can achieve even more sinister results.

Traffer teams

Spreading infostealers en masse is a difficult task for a lone hacker, so it’s better to team up with other like-minded individuals! That’s what traffer teams (or трафферы) are for. Organizing through forums and (partially automated) Telegram channels/bots, they will provide you with a turnkey solution to infect unsuspecting internet users looking for an Adobe crack or free Fortnite skins. For a percentage of the crypto you manage to steal, they will provide you with everything you need, from an undetectable stealer to a manual on creating fake YouTube tutorials, which are often used for spreading.

Traffer team manager

Are you a people person? Then you might consider a career as a traffer team manager. You’ll just have to glue together a crypter/infostealer malware of your choice and create a friendly Telegram bot to onboard new workers. There’s some competition, so you should work on your PR and possibly give the workers a bigger share of the cake than they’ll get elsewhere. Still, if you manage to convince enough people to work for you, it’s a pretty good deal.

Traffer team operator explaining their conditions on a russian-speaking darknet forum

Traffer team spreader

Perfect entry-level position. If you are willing to learn new stuff and have no moral barriers.

Select the traffer team with best conditions, onboard using the Telegram bot and you are ready to go. Your job will mostly constitute of creating fake YouTube tutorials or scam pages, that’ll convince your victims to download the infostealer malware build provided to you by the traffer team.

Traffer team Telegram bot, providing the “worker” with prepared malicious files used for infostealer spreading

Depending on the team you choose, you might receive up to 90 % of the crypto you manage to steal, and as a bonus, sometimes even the logs themselves (after they are “worked out” for popular monetization methods by your managers). You can either try some other, less usual monetization methods, or just resell them further, or share them for free to obtain respect from your evil peers.

Log Cloud Operator

Obtain logs from public sources and present them as “unique,” “private,” and your own. Profit. That’s how it usually works. Log Cloud is a service that provides you with a stream of more or less “fresh” logs daily (for a fee, of course), usually in the form of a Telegram channel or a continuously updated MEGA.nz storage.

Log cloud channel on Telegram, offering millions of stealer logs collected (mostly) from other semi-public sources

These logs have usually passed through many hands and are “worked out” for the most popular requests, but they may still contain a golden nugget if you know what you are looking for (also known as a “unique request”).

HackedList.io automatically monitors hundreds of Telegram channels. The observed duplicity rate is rather high:

It’s quantity over quality, but there’s strength in quantity too. Some log clouds have accumulated terabytes of data over the years.

url:log:pass reseller

Terabytes of compressed logs means even more terabytes of raw material. And if the only thing you are looking for is a pair of usernames and passwords for that specific site you want to obtain access to, you don’t even need the whole log package. So a separate segment of the “market” evolved: resellers of .txt files in the format of URL:login:password, created out of the standard log packages. Instead of terabytes, it’s just gigabytes now and you can easily search through it with standard utilities like grep.

An example of url:log:pass service advertisement

Otherwise, url:log:pass resellers operate exactly the same way as log cloud operators, except they have to store and deal with less data. Other services, in the form of both websites and Telegram bots exist, that allow you to search through them, so you don’t even have to know how to use grep or where to obtain this kind of logs.

Automated url:log:pass reseller bot on Telegram

Automated Market Operator

Want truly unique and private logs? Visit an automated log market website! It’ll be much more expensive (yes, the log cloud offers are too good to be true), but you have a chance to be the first one (well, second or third, but that’s still fair) to have that log.

Russian Market, currently the biggest automated darknet marketplace where you can obtain infostealer logs

For $10 or less, threat actors can obtain all kinds of accesses on such platforms, with the added benefit that such a log will be exclusively theirs, at least for some time. In the past, there were three major marketplaces operating simultaneously. After Genesis.Market was taken down in an international law enforcement operation, and 2Easy marketplace development was abandoned, there’s just one major player left: the infamous Russian Market. As of today (13-07-2024), it has 7,266,780 records available for sale, and an unknown but surely large number of logs have already been sold on the platform.

Initial Access Broker

Looking for valid and valuable information in the terabytes of data available through log clouds or automated marketplaces is like looking for a needle in a haystack. But if you manage to find it, it can score you a big sum of money. That’s where initial access brokers step in. They look for (still) valid credentials obtained by infostealer infections and use them to establish footholds in compromised networks. Then, they sell these to anyone willing to pay, often to threat actors like ransomware gangs.

Here’s an example from a well-known darknet forum:

A quick check on HackedList.io reveals that the OWA access most probably originates from an infostealer breach:

Opportunistic Script-Kiddie

There are ransomware gangs, APTs, skilled initial access brokers, and then, of course, there are script-kiddies: the bored youth looking for quick cash or just ways to wreak havoc on the internet.

Publicly (or for a low price) available data from infostealer infections provide them with a great tool to cause lots of damage with little knowledge. You don’t have to know any programming because somebody else already wrote the stealer. You don’t have to know how to spread it because somebody else already did. You don’t even have to manually try the obtained credentials to verify if they work because, yes, you guessed it, somebody else already created a tool to do it for you. So you just pick the low-hanging fruit and cause damage.

An example of tool used to check validity of credentials included in infostealer logs

And no, we are not talking about overtaking Minecraft or Discord servers. LAPSUS$, a hacker group of teenagers aged 16 to 21, managed to steal 780 gigabytes of data from the video game publishing giant Electronic Arts. The same group was behind the Uber hack, where they gained access through a compromised account of an external contractor. In both cases, the root cause was an infostealer infection.

Summary

To sum it up, here’s a fancy diagram:

HackedList.io focuses on all kinds of log dealers and darknet marketplaces and can alert you before the bad guys labeled as attackers in the infographics above can take advantage.

How big the problem actually is and what can you do?

Here are some statistics:

  • we have detected 45,758,943 infected devices in total, of which 15,801,893 had at least one set of credentials included in the leak, over the last 4 years
  • in total, we have identified 553,066,255 URL/username/password combinations
  • we have detected infected devices in 183 countries
  • on average, we identify more than 10000 new victims each day
(bump in February caused by finding a huge leak of older data)

The bad news is, that with such high infection rate, there’s a big probability that your organization was already compromised – the bigger your organization is, the bigger the probability.

The good news is, that you can check for free if it happens – just enter your domain on HackedList.io. And if you want to stay protected, we have a solution for that.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.