ABSTRACT: Log stealers are a type of malware that steals user credentials from a compromised computer. Criminals deliver stealers through a cracked version of software, causing the user to install them without even realizing it. They can recover usernames and passwords saved in browsers, as well as personal data, cookies, and system information. Logs stolen in this way are then offered for sale in various deep and dark web marketplaces. With our OSINT and CTI platform SATAYO, we monitor any evidence related to our customers to protect and safeguard their business perimeter.
BIO #1: I am Mirko, a Technical Consultant at Würth Phoenix. I work in the Cyber Security Team together with Francesco, but we usually handle different things. I'm mainly part of the Blue Team where I develop procedures, documentation, and features for our SOC. I also analyze multiple interesting pieces of evidence and have a lot of fun :)
BIO #2: I'm Francesco and I'm currently working as a technical consultant at Würth Phoenix with Mirko. Here I mainly develop the Cyber Threat Intelligence platform SATAYO, my "little child" - even if it's not so little anymore - but I also analyze the evidence found and help the customers understand and mitigate them.
Log Stealers - Shopping time for Threat Actors!
1. Log Stealers
Shopping time for Threat Actors!
Mirko Ioris & Francesco Pavanello - Cyber Security Technical Consultants
2. What is a log stealer malware?
Log (or information) stealer malware is a type of Trojan that gathers sensitive data from the compromised system and sends it to the attacker. Typical targets are login credentials, credit card information, crypto wallets and browser information (cookies, history, autofill).
https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem
3. Log stealer malware infection chain
§ YouTube videos posted from stolen accounts
§ Websites masquerading as blogs to deliver password-protected archives
§ Software installation pages to deliver password-protected archives
§ Phishing emails
§ Google Ads
https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem
5. Redline
§ Available from: February 2020 (on WWH Club and BHF forum)
§ Owners: Glade aka REDGlade
§ Telegram channel: https://t.me/REDLINESELLER | https://t.me/redlinesupport_new
§ Nationality: Russian
§ Other info: More than 2 Million records on Russian Market
§ Service cost: from 100$ to 200$ per month
7. Raccoon
§ Available from: 20/05/2019, version 2.0 from 15/09/2022 (on XSS forum)
§ Owners: @raccoonstealer on XSS forum
§ Other info: More than 1 Million records on Russian Market
§ Nationality: Ukrainian
§ Service cost: 200$ / month
§ Telegram channel: https://t.me/miaranimator | https://t.me/gr33nl1ght
8. Raccoon
§ At least 50 million unique credentials stolen worldwide
§ FBI disclosure site on https://raccoon.ic3.gov/home
20. Market scraper
§ Research should be done in OPSEC mode
§ Online
  § Keywords based on the real domains: wuerth-phoenix.com → rth-ph
  § A lot of garbage
§ Offline
  § Real domains
  § Evidence of interest
§ Useful Python libraries and APIs
  § Selenium
  § Pyppeteer & BeautifulSoup
  § Requests & BeautifulSoup
  § undetected-chromedriver
  § 2Captcha API (paid)
25. Market scraper
§ A script divided in 2 phases:
  § Online
    § Login & captcha resolution
    § Research using keywords
    § Export of results in JSON format
  § Offline
    § Filtering results
    § Saving evidence on the database
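The offline phase as an added example (not SATAYO's own code): it reads the JSON exported by the online phase and keeps only the listings whose hostnames really belong to a monitored domain, so the garbage matched by the substring keyword ("rth-ph") is dropped and duplicates are collapsed before anything is saved. The listing format, the sample listings and the monitored domain list are constructed assumptions.

```python
"""Offline phase of the market scraper: filter keyword-search results.

Added example, not the SATAYO code. Assumes the online phase exported one JSON
object per listing with a "domains" list of URLs/hosts seen in the stolen log.
"""
import json
from urllib.parse import urlsplit

# Real domains monitored for the customer (assumed list for this example).
MONITORED_DOMAINS = {"wuerth-phoenix.com"}

# Constructed output of the online phase (keyword search for "rth-ph").
RAW_RESULTS = json.dumps([
    {"id": "A1", "market": "market-x", "stealer": "Redline",
     "domains": ["https://mail.wuerth-phoenix.com/owa", "north-phoenix.example"]},
    {"id": "A2", "market": "market-x", "stealer": "Raccoon",
     "domains": ["https://earth-photos.example/login"]},
    {"id": "A3", "market": "market-y", "stealer": "Raccoon",
     "domains": ["wuerth-phoenix.com", "https://shop.example"]},
    {"id": "A1", "market": "market-x", "stealer": "Redline",  # duplicate listing
     "domains": ["https://mail.wuerth-phoenix.com/owa"]},
])

def hostname(entry: str) -> str:
    """Normalise a URL or bare host from a listing to a lowercase hostname."""
    if "://" not in entry:
        entry = "//" + entry
    return (urlsplit(entry).hostname or "").lower().rstrip(".")

def matches_monitored(host: str, monitored=MONITORED_DOMAINS) -> bool:
    """True only for the real domain or one of its subdomains, never substrings."""
    return any(host == d or host.endswith("." + d) for d in monitored)

def filter_evidence(raw_json: str, monitored=MONITORED_DOMAINS) -> list[dict]:
    """Keep listings that reference a monitored domain, deduplicated by (market, id)."""
    evidence, seen = [], set()
    for listing in json.loads(raw_json):
        key = (listing["market"], listing["id"])
        hits = sorted({h for h in map(hostname, listing["domains"])
                       if matches_monitored(h, monitored)})
        if hits and key not in seen:
            seen.add(key)
            evidence.append({"market": listing["market"], "id": listing["id"],
                             "stealer": listing["stealer"], "hosts": hits})
    return evidence

if __name__ == "__main__":
    for item in filter_evidence(RAW_RESULTS):
        print(item)
```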
27. SATAYO integration
We have developed scrapers able to monitor the 3 major marketplaces (Russian, 2Easy, Genesis).
28. Evidence Analysis
§ Compromised system information
§ Identity of the victim
§ Credentials found within the log
§ Optional login test
§ Mitigation and suggestions