The cybercrime ecosystem has been rapidly evolving during the first seven months of 2023, with an increase in ransomware data exfiltration attacks, stealer log distribution, and new exploits targeting organizations. Stealer logs, a key component of this ecosystem, play a significant role in enabling financial fraud, account takeover attacks, ransomware distribution, and data breaches against organizations.
Stealer logs are the output of infostealer malware, a class of malware (frequently bundled with or dropped alongside remote access trojans, but distinct from them) that infects victim computers and harvests sensitive data saved by web browsers and other local applications: stored credentials, session cookies, autofill and credit card data, and cryptocurrency wallet files. Session cookies are particularly valuable because replaying one lets an attacker resume an authenticated session without the password or a second factor for as long as the session remains valid. Everything taken from one infected host is packaged into a single “log,” which is then either used directly or sold on to other cybercriminals, serving as an initial access vector for further crimes.
Malware-as-a-service (MaaS) vendors play a significant role in the development and distribution of infostealer malware. These vendors continuously release new builds of their malware and sell them through specialized Telegram channels and dark web forums. The most common families seen today are RedLine, Vidar, and Raccoon. MaaS vendors typically sell monthly subscriptions paid in cryptocurrency. A subscription usually comes with command-and-control (C2) infrastructure and a web panel that lets the buyer manage large volumes of incoming stealer logs without running any infrastructure of their own.
Infostealers are distributed in various ways, including payloads bundled into cracked software, phishing emails, malvertising, and fake offers of free in-game currency. Distribution is usually “spray and pray,” with little or no targeting of specific organizations. Once the malware runs on a system, it collects the data described above and exfiltrates it to the operator’s backend infrastructure, where it appears as a new stealer log.
In the past, stealer logs were primarily sold through dark web marketplaces such as Genesis Market (seized by law enforcement in April 2023) and Russian Market. Distribution has since shifted toward the messaging platform Telegram. Currently, more than 70% of stealer logs are distributed through Telegram channels. Threat actor groups run channels known as “clouds,” where they sell access to freshly gathered stealer logs for a subscription fee. They also maintain public channels where they post free samples to show potential buyers what their paid “private” channels contain. Thousands of stealer logs are distributed daily on Telegram across hundreds of channels.
Stealer logs are also used as a primary vector of initial access by initial access brokers (IAB) operating on dark web forums. These IABs sell access to company networks and IT infrastructure, auctioning off the access on these forums. Ransomware affiliates often find value in such access as an easy entry point for their attacks.
Stealer logs pose a threat to both consumers and organizations. Consumers are at risk of financial fraud, cryptocurrency theft, and unauthorized access to their accounts. A significant number of stealer logs also contain credentials for commonly used corporate applications, including single sign-on portals, cloud consoles, and other high-value applications, typically because an employee signed in to work systems from a personal or otherwise unmanaged device that was later infected. Credentials saved alongside a valid session cookie are the most dangerous, since the cookie can be replayed without triggering a second-factor prompt.
To counter the threat posed by stealer logs, companies like Flare offer detection and remediation solutions. Flare automates the detection of corporate credentials across millions of stealer logs, providing high-value alerting to security teams. Their SaaS platform helps detect leading threats that can lead to ransomware attacks, data breaches, and other cybercrimes affecting organizations.
In conclusion, the rapid evolution of the cybercrime ecosystem in 2023 has seen an increase in stealer log distribution and its role in facilitating various cybercrimes. Stealer logs are a dangerous asset for both consumers and organizations, containing sensitive information that can be used for financial fraud and unauthorized access. Detection and remediation solutions like Flare play a crucial role in mitigating the risks associated with these stealer logs.