10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

Imagine being able to breach any Fortune 100 company for $10 or less, or even for free. Frightening, isn't it? Or perhaps exciting, depending on which side of the cybersecurity fence you stand on. That is essentially the current state of affairs. Welcome to the infostealer garden of low-hanging fruit.

Over the past few years the problem has grown in scale, and only now are we slowly grasping its full destructive potential. In this piece we explain how the whole cybercriminal ecosystem works, how various threat actors use the data that comes out of it, and most importantly, what you can do about it.

Let's start with what infostealer malware actually is. As the name suggests, it is malware that... steals information.

Depending on the particular family, the data it takes varies slightly, but most will try to collect the following:

  • Cryptocurrency wallets
  • Bank account details and saved credit card data
  • Saved passwords from various applications
  • Browser history
  • Browser cookies
  • A list of downloaded files
  • Details about the operating system in use
  • A screenshot of the desktop
  • Documents taken from the filesystem
  • Credentials for Telegram and VPN clients

Example of infostealer log package

And more, as the malware authors add features over time. It is easy to see why you would not want this kind of information out in the open on the internet for anyone to see, let alone the credentials to your company's internal systems. Yet this is exactly what happens to thousands of people every day.

You do not need advanced technical skills to spread infostealer malware, nor do you need deep pockets to acquire valuable data stolen by other criminals. Let's look at how the whole system works.

Join the Ranks of Cybercriminals!

A growing trend in the shady corners of the web is specialization. Where it used to be common for a single person or group to handle the entire chain, today the route to your organization's assets is lined with competing threat actors, each specializing in one part of the "industry" and happy to sell their services to anyone willing to pay, true free-market style.

An example of the "old way" is the notorious Zeus banking malware. It was developed and distributed by the same group, who also exploited the stolen data themselves and kept all the proceeds. There was no way for you, a small-time cybercriminal, to profit from their results or even obtain the malware to spread it yourself.

Times have changed, though. While some people still operate solo, the barrier to entry into the business of taking other people's data is now much lower. Even as an individual you can join the cybercrime startup scene. The following positions are currently open:

Screenshot of the desktop included in the log package mentioned above

Dropper / Loader Developer or Distributor

Your job is to write a small but pivotal piece of software on which the whole "industry" depends: the malware dropper, or loader if you prefer.

While the core infostealer binary tends to be fairly large because of everything it does, the dropper has a single purpose: slip past antivirus and open a path for other actors to download their own malicious code onto the machine.

An example of such a dropper is Smoke Loader, active since 2011 and still gaining new capabilities. Dropper/loader developers either monetize the access their software gains themselves, sell it to others on darknet forums, or both. In darknet jargon an infected computer is an "install", and plenty of "install services" promise you a way to push your own malicious code (infostealers, cryptominers, or whatever else) through them. They usually claim the install is reserved for you alone; in our experience that is often not the case, since the operators of the install service maximize profit by any means available.

InstallsKey dropper service

One such service, InstallsKey, sells computers infected with their own dropper for anywhere from under a dollar to about $10 apiece, depending on the region. That is not exactly cheap, but if you know what you are doing you will recoup the "investment" quickly.

Infostealer Malware Developer

The engine of the "industry". You will need several years of programming experience and preferably a good understanding of how Windows works. Infostealer malware, usually delivered via some kind of dropper as described above, extracts all sorts of potentially valuable data and sends a bundle of it to the attacker over some communication channel.

A partial list of commercially offered infostealers:

  • RedLine (outdated, yet still in use by some)
  • META Stealer (updated fork of RedLine)
  • LummaC2
  • Rhadamanthys
  • Vidar
  • Raccoon Stealer (original author apprehended, yet still in use)
  • RisePro
  • StealC
  • Monster Stealer

And many others. Subscription prices range from tens to low hundreds of dollars per month.

LummaC2 stealer advertising its services on a Russian-speaking darknet forum

Typically you receive a "builder" application that produces an .exe tailored to your needs, often already evading most well-known AV solutions (thus partly overlapping with what droppers provide). Depending on the family, you receive your victims' data via a web panel (self-hosted or provided) or via Telegram.

Cracked version of META Stealer available for free

Crypter Developer

Evading antivirus for the price of a couple of beers? Not a problem. Crypter developers let you do just that, so you can focus on... well, whatever it is you are up to.

An example of an automated crypter service

A crypter is a piece of code that wraps your malicious .exe so that most common AV solutions do not detect it. Droppers and infostealers sometimes already include some AV evasion, but a crypter adds an extra layer so you can do even more damage.

Traffer Teams

Spreading infostealers at scale is hard work for a lone hacker, so why not team up with like-minded people? That is what traffer teams (or трафферы) are for. Coordinating through forums and (partially automated) Telegram channels and bots, they provide a complete package for infecting unsuspecting internet users looking for an Adobe crack or free Fortnite skins. For a cut of the crypto you manage to steal, they give you everything you need, from an undetectable stealer build to a guide on making fake YouTube tutorials, a common distribution vector.

Traffer Team Manager

Are you a people person? Then consider a career as a traffer team manager. All you need is a crypter and infostealer of your choice and a friendly Telegram bot to onboard new workers. There is some competition, so work on your PR and perhaps offer workers a bigger share of the pie than they would get elsewhere. Still, if you can recruit enough people, it is quite a profitable arrangement.

Traffer team operator explaining their terms on a Russian-speaking darknet forum

Traffer / Worker

An excellent entry-level position, provided you are willing to learn and have no ethical constraints.

Pick the traffer team with the best terms, sign up through its Telegram bot, and you are good to go. Your main job is to create fake YouTube guides or deceptive websites that convince your targets to install the infostealer supplied by the team.

Telegram bot of a traffer team, presenting ready-made malicious files for distributing the infostealer

Depending on the team, you may be entitled to up to 90% of the cryptocurrency you capture, and sometimes the logs themselves (after your superiors have "processed" them for the popular monetization methods). You can then explore alternative, less conventional monetization, resell them, or give them away for free to earn respect among your peers.

Log Cloud Operator

Collect logs from public sources, present them as "exclusive", "private" and your own. Profit. That is the standard operation. A log cloud is a service that supplies a stream of more or less "fresh" logs daily (for a fee, naturally), usually as a Telegram channel or a continuously updated MEGA.nz folder.

Telegram channel of a log cloud, offering large volumes of stealer logs sourced (mostly) from other semi-public outlets

These logs have typically passed through several hands and been picked over for the most popular demands, but there may still be something valuable if you know what to look for (a "unique request").

HackedList.io systematically tracks many such Telegram channels, and the duplication rate we observe across them is substantial.

It is about quantity rather than quality, but sheer volume has its advantages: some log clouds have accumulated vast amounts of data over time.

web:log:pass Vendor

Terabytes of compressed logs unpack into even more terabytes of raw content. If all you want is a set of usernames and passwords for the one site you want to get into, you do not need the full log bundle. Hence a separate segment of the market has emerged: sellers of .txt files in URL:login:password format, distilled from the standard log bundles. Instead of terabytes it is now gigabytes, and you can search through it with standard tools such as grep.
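Grep works on these lists, but a defender processing them wants something slightly smarter: the URL itself contains colons (the scheme, sometimes a port) and so can the password, so naive splitting mangles records; the same record recurs across channels (the duplication noted under log clouds above); and not every hit matters equally, since a credential for an OWA or VPN portal is exactly what an initial access broker resells. The script below is an added example, not code from the original post or from HackedList.io's own tooling. It parses URL:login:password lines, deduplicates them, pulls out the records tied to your own domains (either because the host is yours or because the login is a corporate email reused on a third-party site) and ranks them for password resets. The sample lines and the example.com domain are constructed for illustration; HIGH_VALUE_MARKERS is an assumed heuristic, not a list from the page.

```python
"""Triage web:log:pass lines for credentials that belong to your own domains.

Added example, not code from the original post or from HackedList.io.
The sample lines below are constructed for illustration, not real stealer output.
"""
from urllib.parse import urlsplit

# Constructed sample. Note the password containing ':' (line 2), the duplicate
# of line 1, a URL with a port, a non-web scheme and a junk line.
SAMPLE_LINES = """\
https://mail.example.com/owa/auth/logon.aspx:jsmith@example.com:Summer2024!
https://vpn.example.com/remote/login:jsmith:Winter:2024
https://www.facebook.com/login:jsmith@example.com:hunter2
https://mail.example.com/owa/auth/logon.aspx:jsmith@example.com:Summer2024!
http://10.0.0.5:8443/sso/login:admin:admin
android://com.example.app:user@example.com:pw
garbage line without a URL
""".splitlines()

# Assumed heuristic: URL fragments that usually mean a remote-access or SSO
# portal, i.e. the kind of foothold an initial access broker resells.
HIGH_VALUE_MARKERS = ("owa", "vpn", "sso", "citrix", "rdweb", "adfs")


def parse_line(line):
    """Split one 'URL:login:password' record; return None if it is not one.

    Colons appear inside the URL (scheme, optional port) and may appear inside
    the password, so the line cannot simply be split on ':'. Instead the URL
    is taken to end at the first ':' after its path begins (or after '://'
    when there is no path), the login is the next ':'-delimited field, and
    everything after that is the password, colons included.
    """
    line = line.strip()
    scheme_end = line.find("://")
    if scheme_end == -1:
        return None
    path_start = line.find("/", scheme_end + 3)
    url_end = line.find(":", path_start if path_start != -1 else scheme_end + 3)
    if url_end == -1:
        return None
    url = line[:url_end]
    login, sep, password = line[url_end + 1:].partition(":")
    if not sep or not login:
        return None
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return None
    return {"url": url, "host": host, "login": login, "password": password}


def dedupe(records):
    """Drop repeated (host, login, password) triples; return (unique, dropped)."""
    seen, unique = set(), []
    for rec in records:
        key = (rec["host"], rec["login"], rec["password"])
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique, len(records) - len(unique)


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def classify(record, own_domains):
    """Return sorted reasons a record concerns you, or [] if it does not."""
    reasons = set()
    login = record["login"].lower()
    mail_domain = login.rpartition("@")[2] if "@" in login else ""
    for domain in (d.lower() for d in own_domains):
        if in_domain(record["host"], domain):
            reasons.add("own-host")      # credential for a system you operate
        if mail_domain and in_domain(mail_domain, domain):
            reasons.add("corp-email")    # work identity reused elsewhere
    return sorted(reasons)


def priority(record):
    """'high' when the URL looks like a remote-access or SSO portal."""
    url = record["url"].lower()
    return "high" if any(m in url for m in HIGH_VALUE_MARKERS) else "normal"


def triage(lines, own_domains):
    """Parse, deduplicate and rank; returns counts plus the exposed records."""
    records = [r for r in map(parse_line, lines) if r]
    unique, dropped = dedupe(records)
    exposed = []
    for rec in unique:
        reasons = classify(rec, own_domains)
        if reasons:
            exposed.append({"host": rec["host"], "login": rec["login"],
                            "priority": priority(rec), "reasons": reasons})
    exposed.sort(key=lambda e: (e["priority"] != "high", e["host"], e["login"]))
    return {"parsed": len(records), "unique": len(unique),
            "duplicates": dropped, "exposed": exposed}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES, ("example.com",))
    print(f"parsed={result['parsed']} unique={result['unique']} "
          f"duplicates={result['duplicates']}")
    for entry in result["exposed"]:
        print(f"[{entry['priority']:>6}] {entry['host']:<20} "
              f"{entry['login']:<22} {','.join(entry['reasons'])}")
```

Run it directly to print the summary for the sample, or import triage() and feed it a real file line by line. One known ambiguity remains: a record whose URL has a port but no path (http://host:8080:login:pass) cannot be split reliably by any colon-based rule and should be reviewed by hand. The corp-email matches are deliberately kept even when the host is not yours, because an employee reusing their work identity on a consumer site is a reset and MFA-review candidate in its own right.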

An advertisement for a web:log:pass service

web:log:pass vendors operate much like log cloud operators, just with less data to handle. Other platforms, in the form of websites and Telegram bots, let you search these files without grep or any knowledge of where to source the logs.

Automated web:log:pass reseller bot on Telegram

Automated Marketplace Operator

Want genuinely unique and private logs? Head to an automated log marketplace. It costs more (yes, the log cloud offers are tempting), but you get the chance to be among the first (well, second or third, but that is fair) to get a particular log.

The largest automated darknet marketplace at the moment is Russian Market, where infostealer logs can be bought

For $10 or less, malicious actors can acquire various kinds of access on such platforms, with the added perk that the purchased log is theirs alone, at least for a while. There used to be three major marketplaces operating at once. After the takedown of Genesis Market in an international law enforcement operation and the abandonment of 2Easy marketplace development, only one big player remains: the notorious Russian Market. As of the time of writing (13-07-2024), 7,266,780 records are listed for sale, and an unknown but surely substantial number of logs have already been sold on the platform.

Initial Access Broker

Sifting through the vast amounts of data available via log clouds or automated marketplaces for valuable, still-valid information is like looking for a needle in a haystack. But if you find it, it can pay off handsomely. This is where initial access brokers come in. They look for (still) valid credentials obtained from infostealer infections, use them to establish footholds in compromised networks, and then sell that access to interested parties, often ransomware gangs.

One such listing on a well-known darknet forum offered OWA access. A quick check on HackedList.io suggests that this access most likely stems from an infostealer infection.

Opportunistic Script Kiddie

Among the ransomware gangs, APTs and capable initial access brokers you will naturally also find script kiddies: bored young people looking for quick money or simply ways to cause chaos on the internet.

Publicly (or cheaply) available data from infostealer infections gives them a powerful tool to wreak havoc with minimal skill. No need to know how to program, because someone else wrote the stealer. No need to know how to spread it, because someone else already did. You do not even have to test the credentials for validity by hand, because, yes, someone else has built a tool for that. So you just pick the low-hanging fruit and do damage.

An example of a tool used for checking the validity of credentials found in infostealer logs

And no, this is not about taking over Minecraft or Discord servers. LAPSUS$, a hacker group of teenagers and young adults aged 16 to 21, managed to steal 780 gigabytes of data from the video game giant Electronic Arts. The same group was behind the Uber breach, where they got in through the compromised account of an external contractor. In both cases the root cause was an infostealer infection.

Summary

The infographic in the original post summarizes the roles described above.

HackedList.io monitors the various log resellers and darknet marketplaces and can warn you before the actors labelled as adversaries in that infographic get to exploit the situation.

How big is the problem, and what can be done about it?

A few statistics:

  • Over the past 4 years we have observed 45,758,943 compromised devices in total, of which 15,801,893 had at least one set of credentials exposed
  • In total we have seen 553,066,255 URL/username/password combinations
  • Compromised devices have been identified in 183 countries
  • On average we discover over 10,000 new victims daily (a spike in February was caused by the discovery of a massive leak of older data)

Unfortunately, given this infection rate, there is a considerable chance that your organization has already been affected; the larger the organization, the higher the likelihood.

Fortunately, you can check for free whether that has happened: just enter your domain on HackedList.io. And if you want to stay protected, we offer a solution for that too.

This article is a contributed piece from one of our partners.