Log stealer malware is a trojan that collects sensitive data from infected systems, including login credentials and financial information. The document details various log stealer tools like Redline and Raccoon, including their origins, market presence, and operational methodologies. Additionally, it provides insights on marketplaces where stolen data is traded and discusses scraping techniques for monitoring these markets.

1. Log Stealers
Shopping time for Threat Actors!
Mirko Ioris & Francesco Pavanello - Cyber Security Technical Consultants

2. What is a log
stealer
malware?
Log (or information)
stealer malware is a type
of Trojan that gathers
sensitive data from the
compromised system and
sends it to the attacker.
Typical targets are login
credentials, credit card
information, crypto
wallets and browser
information (cookies,
history, autofill).
https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem

3. Log stealer malware infection chain
§ YouTube video on stolen account
§ Websites masquerading as blogs to deliver
password-protected archives
§ Software installation pages to deliver password-
protected archives
§ Phishing emails
§ Google ADS
https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem

4. Log Stealers

5. Redline
§ Available from: February 2020
(on WWH Club and BHF forum)
§ Owners: Glade aka REDGlade
§ Telegram channel: https://t.me/REDLINESELLER |
https://t.me/redlinesupport_new
§ Nationality: Russian
§ Other info: More than 2 Million records on Russian
Market
§ Service cost: from 100$ to 200$ per month

6. Redline
https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904
Redline communication with the C2 server for retrieving configuration and send the stolen data.
Other stealers use similar methodologies.

7. § Available from: 20/05/2019, version 2.0 from
15/09/2022 (on XSS forum)
§ Owners: @raccoonstealer on XSS forum
§ Other info: More than 1 Million records on Russian Market
§ Nationality: Ukrainian
§ Service cost: 200$ / month
§ Telegram channel: https://t.me/miaranimator |
https://t.me/gr33nl1ght
Raccoon

8. § At least 50 million unique credentials stolen worldwide
§ FBI disclosure site on https://raccoon.ic3.gov/home
Raccoon

9. Marketplaces

10. Telegram markets
§ Independent sellers
§ Go here https://github.com/fastfire/deepdarkCTI/blob/main/telegram.md and search for 'logs'

11. 2Easy Market
§ More than 850.000 records
§ Paid access
§ Catalogue: logs only
§ Log name format: prefix+unique numbers chars (i.e.
2easy_logs_651587.zip)
§ Deposit available in: Bitcoin BTC, Bitcoincash BCH, Dash DASH,
Dogecoin DOGE, Ethereum ETH, Ethereumclassic ETC, Litecoin
LTC, Monero XMR, Zcash
§ Can search for: Seller, Date, Country, Word Available metadata:
Links, Seller, Country, Installed Date, Price USD, Seller Rating
§ Online Support + Telegram chat for updates

12. Genesis Market
§ More than 460.000 records
§ Invitation access
§ Catalogue: logs only
§ Deposit available in: Bitcoin BTC, Litecoin LTC, Monero XMR,
Dashs
§ Offers tools like Genesis Security Plugin & Genesium Browser
§ Log name format: 32 hexadecimal chars (i.e.
7B034E8C77F92627192802CCCE2AB3DD.zip)
§ Can search for: Bot Name, Name, Domain, IP, Country, OS, Price
§ Available metadata: Links, Country, # of Resources, # of
Browsers, Installed Date, Updated Date, IP (first 2 triplets), OS,
Price USD
§ Online Support
`

13. Russian Market
§ More than 7.000.000 records
§ Paid access
§ Catalogue: logs, RDP access, PayPal accounts, credit cards
§ Log name format: prefix+unique numbers chars (i.e. LOGID-
5260493.zip)
§ Deposit available in: Bitcoin BTC, Ethereum ETH, Litecoin LTC
§ Can search for: stealer, state, ISP, System, City, Outlook,
Country, Zip, Links
§ Available metadata: Links, Stealer, Country, Structure, Installed
Date, Size, Vendor, Price USD, Online Support

14. Log
Example
Stealers organize logs in a ZIP folder. There is
no standard format but usually the following
are the information contained:

15. Log
Example
Stealers organize logs in a ZIP folder. There is
no standard format but usually the following
are the information contained:

16. Log
Example
Stealers organize logs in a ZIP folder. There is
no standard format but usually the following
are the information contained:

17. Log
Example
Stealers organize logs in a ZIP folder. There is
no standard format but usually the following
are the information contained:

18. Log
Example
Stealers organize logs in a ZIP folder. There is
no standard format but usually the following
are the information contained:

19. Market Scraper

20. Market scraper
§ A research should be done in OPSEC mode
§ Online
§ Keywords based the real domains:
wuerth-phoenix.com à rth-ph
§ A lot of garbage
§ Offline
§ Real domains
§ Evidence of interest
§ Useful Python libraries and API
§ Selenium
§ Pyppeteer & Beautifulsoup
§ Requests & Beautifulsoup
§ Undetectedchromedriver
§ 2Captcha API (charged)

21. Market scraper
§ A script divided in 2 phases:
§ Online
§ Login & captcha resolution

22. Market scraper
§ A script divided in 2 phases:
§ Online
§ Login & captcha resolution

23. Market scraper
§ A script divided in 2 phases:
§ Online
§ Login & captcha resolution
§ Research using keywords

24. Market scraper
§ A script divided in 2 phases:
§ Online
§ Login & captcha resolution
§ Research using keywords
§ Export of results in JSON format

25. Market scraper
§ A script divided in 2 phases:
§ Online
§ Login & captcha resolution
§ Research using keywords
§ Export of results in JSON format
§ Offline
§ Filtering results
§ Saving evidence on the database

26. SATAYO
integration

27. SATAYO integration
We have developed scrapers able to monitor the 3 major marketplaces (Russian, 2Easy, Genesis).

28. Evidence Analysis
§ Compromised system information
§ Identity of the victim
§ Credentials found within the log
§ Optional login test
§ Mitigation and suggestions

29. Fun Facts

30. Traffers analysis
Open Shodan and search using this dork: http.html:"stealer"

31. Traffers analysis
Open Shodan and search using this dork: http.html:"stealer"

32. 2easy analysis
Open Shodan and search using this dork: http.html:“2easy.shop"

33. 2easy analysis
Open Shodan and search using this dork: http.html:“2easy.shop"

34. Contact information
§ Mirko Ioris
§ - mirko.ioris@wuerth-phoenix.com
§ - linkedin.com/in/mirkoioris18
§ - @Mikkos
§ Francesco Pavanello
§ - francesco.pavanello@wuerth-phoenix.com
§ - linkedin.com/in/francescopavanello
§ - @frapava98

35. Thank you
Grazie Danke
#WEINNOVATE