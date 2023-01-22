
Log Stealers - Shopping time for Threat Actors!

Jan. 22, 2023
ABSTRACT: Log stealers are a type of malware that steals user credentials from a compromised computer. Criminals deliver stealers through cracked versions of software, so the user installs them without even realizing it. They can recover usernames and passwords saved in browsers, as well as personal data, cookies, and system information. Logs stolen this way are then offered for sale on various deep and dark web marketplaces. With our OSINT and CTI platform SATAYO, we monitor any evidence related to our customers to protect and safeguard their business perimeter.

BIO #1: I am Mirko, a Technical Consultant at Würth Phoenix. I work in the Cyber Security Team together with Francesco, but we usually handle different things. I'm mainly part of the Blue Team, where I develop procedures, documentation, and features for our SOC. I also analyze multiple interesting pieces of evidence and have a lot of fun :)

BIO #2: I'm Francesco and I'm currently working as a Technical Consultant at Würth Phoenix with Mirko. Here I mainly develop the Cyber Threat Intelligence platform SATAYO, my "little child" (even if it's not so little anymore), but I also analyze the evidence found and help customers understand and mitigate it.


  1. Log Stealers: Shopping time for Threat Actors! Mirko Ioris & Francesco Pavanello, Cyber Security Technical Consultants
  2. What is a log stealer malware? Log (or information) stealer malware is a type of Trojan that gathers sensitive data from the compromised system and sends it to the attacker. Typical targets are login credentials, credit card information, crypto wallets and browser information (cookies, history, autofill). Source: https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem
  3. Log stealer malware infection chain
     § YouTube videos on stolen accounts
     § Websites masquerading as blogs to deliver password-protected archives
     § Software installation pages to deliver password-protected archives
     § Phishing emails
     § Google Ads
     Source: https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem
  4. Log Stealers
  5. Redline
     § Available from: February 2020 (on WWH Club and BHF forums)
     § Owners: Glade aka REDGlade
     § Telegram channels: https://t.me/REDLINESELLER | https://t.me/redlinesupport_new
     § Nationality: Russian
     § Other info: more than 2 million records on Russian Market
     § Service cost: from $100 to $200 per month
  6. Redline: communication with the C2 server to retrieve the configuration and send the stolen data. Other stealers use similar methodologies. Source: https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904
  7. Raccoon
     § Available from: 20/05/2019; version 2.0 from 15/09/2022 (on XSS forum)
     § Owners: @raccoonstealer on XSS forum
     § Other info: more than 1 million records on Russian Market
     § Nationality: Ukrainian
     § Service cost: $200 per month
     § Telegram channels: https://t.me/miaranimator | https://t.me/gr33nl1ght
  8. Raccoon
     § At least 50 million unique credentials stolen worldwide
     § FBI disclosure site: https://raccoon.ic3.gov/home
  9. Marketplaces
  10. Telegram markets
     § Independent sellers
     § Go to https://github.com/fastfire/deepdarkCTI/blob/main/telegram.md and search for 'logs'
  11. 2Easy Market
     § More than 850,000 records
     § Paid access
     § Catalogue: logs only
     § Log name format: prefix + unique numeric chars (e.g. 2easy_logs_651587.zip)
     § Deposit available in: Bitcoin (BTC), Bitcoin Cash (BCH), Dash (DASH), Dogecoin (DOGE), Ethereum (ETH), Ethereum Classic (ETC), Litecoin (LTC), Monero (XMR), Zcash
     § Can search for: Seller, Date, Country, Word
     § Available metadata: Links, Seller, Country, Installed Date, Price USD, Seller Rating
     § Online support + Telegram chat for updates
  12. Genesis Market
     § More than 460,000 records
     § Invitation-only access
     § Catalogue: logs only
     § Deposit available in: Bitcoin (BTC), Litecoin (LTC), Monero (XMR), Dash
     § Offers tools like the Genesis Security Plugin & the Genesium Browser
     § Log name format: 32 hexadecimal chars (e.g. 7B034E8C77F92627192802CCCE2AB3DD.zip)
     § Can search for: Bot Name, Name, Domain, IP, Country, OS, Price
     § Available metadata: Links, Country, # of Resources, # of Browsers, Installed Date, Updated Date, IP (first two octets), OS, Price USD
     § Online support
  13. Russian Market
     § More than 7,000,000 records
     § Paid access
     § Catalogue: logs, RDP access, PayPal accounts, credit cards
     § Log name format: prefix + unique numeric chars (e.g. LOGID-5260493.zip)
     § Deposit available in: Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC)
     § Can search for: Stealer, State, ISP, System, City, Outlook, Country, Zip, Links
     § Available metadata: Links, Stealer, Country, Structure, Installed Date, Size, Vendor, Price USD
     § Online support
  14. Log Example: stealers organize logs in a ZIP archive. There is no standard format, but the following information is usually contained:
  19. Market Scraper
  20. Market scraper
     § Research should be done in OPSEC mode
     § Online
       § Keywords based on the real domains: wuerth-phoenix.com -> rth-ph
       § A lot of garbage
     § Offline
       § Real domains
       § Evidence of interest
     § Useful Python libraries and APIs
       § Selenium
       § Pyppeteer & BeautifulSoup
       § Requests & BeautifulSoup
       § undetected-chromedriver
       § 2Captcha API (paid)
  25. Market scraper: a script divided in 2 phases
     § Online
       § Login & captcha resolution
       § Search using keywords
       § Export of results in JSON format
     § Offline
       § Filtering results
       § Saving evidence on the database
  26. SATAYO integration
  27. SATAYO integration: we have developed scrapers able to monitor the 3 major marketplaces (Russian Market, 2Easy, Genesis).
  28. Evidence Analysis
     § Compromised system information
     § Identity of the victim
     § Credentials found within the log
     § Optional login test
     § Mitigation and suggestions
  29. Fun Facts
  30. Traffers analysis: open Shodan and search using this dork: http.html:"stealer"
  32. 2easy analysis: open Shodan and search using this dork: http.html:"2easy.shop"
  34. Contact information
     § Mirko Ioris: mirko.ioris@wuerth-phoenix.com | linkedin.com/in/mirkoioris18 | @Mikkos
     § Francesco Pavanello: francesco.pavanello@wuerth-phoenix.com | linkedin.com/in/francescopavanello | @frapava98
  35. Thank you. Grazie. Danke. #WEINNOVATE
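The market scraper slides describe a script with an online phase (login, captcha, keyword search, JSON export) and an offline phase (filter the results, save evidence to the database). The offline phase is worked through below as an added example that is not SATAYO code and not from the slides: the broad keyword search returns a lot of garbage, so the export is filtered against the customer's real domains, rejecting keyword-only hits and lookalike hosts, and only the surviving records are stored. The monitored domain, the record field names and the sample records are constructed assumptions.

```python
import json
import sqlite3
from urllib.parse import urlsplit

# Hypothetical customer perimeter: the real domains the offline phase filters on.
MONITORED_DOMAINS = {"wuerth-phoenix.com"}
# Constructed sample of the online phase's JSON export (field names follow the
# metadata listed for Russian Market on the slides; every value is invented).
SCRAPED_JSON = json.dumps([
    {"id": "LOGID-5260493", "stealer": "Redline", "country": "IT", "price_usd": 10,
     "links": ["https://mail.wuerth-phoenix.com/owa", "https://example.org/login"]},
    {"id": "LOGID-5260500", "stealer": "Raccoon", "country": "DE", "price_usd": 8,
     "links": ["https://north-phones.example/account"]},      # keyword garbage
    {"id": "LOGID-5260511", "stealer": "Redline", "country": "US", "price_usd": 12,
     "links": ["http://WUERTH-PHOENIX.COM.evil.example/"]},   # lookalike host
    {"id": "LOGID-5260520", "stealer": "Raccoon", "country": "IT", "price_usd": 9,
     "links": ["intranet.wuerth-phoenix.com:8443/portal"]},   # no scheme, has port
])

def hostname_of(link):
    """Lowercase host of a URL with the port stripped; '' if it cannot be parsed."""
    if "://" not in link:
        link = "//" + link  # let urlsplit treat a bare host as the netloc
    try:
        return (urlsplit(link).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_monitored(host, monitored=MONITORED_DOMAINS):
    """Exact domain or a real subdomain only; 'domain.com.evil.example' is rejected."""
    return any(host == d or host.endswith("." + d) for d in monitored)

def filter_evidence(scraped_json, monitored=MONITORED_DOMAINS):
    """Offline filtering: one evidence entry per record that exposes a monitored host."""
    evidence = []
    for rec in json.loads(scraped_json):
        hits = sorted(h for h in {hostname_of(l) for l in rec["links"]} if is_monitored(h, monitored))
        if hits:
            evidence.append({"log_id": rec["id"], "stealer": rec["stealer"], "country": rec["country"],
                             "price_usd": rec["price_usd"], "hosts": hits})
    return evidence

def store_evidence(evidence, conn=None):
    """Persist evidence; log_id is the primary key, so re-runs do not duplicate rows."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS evidence (log_id TEXT PRIMARY KEY, "
                 "stealer TEXT, country TEXT, price_usd INTEGER, hosts TEXT)")
    conn.executemany("INSERT OR IGNORE INTO evidence VALUES (?, ?, ?, ?, ?)",
                     [(e["log_id"], e["stealer"], e["country"], e["price_usd"], ",".join(e["hosts"])) for e in evidence])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM evidence").fetchone()[0]
```

Of the four constructed records only two survive: the keyword-only hit and the lookalike host are dropped, and storing the same evidence twice still leaves two rows.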