Stealer logs are a threat for every company.
Threat actors infect devices with stealer malware, exfiltrate the browser fingerprints & saved logins in the browser, and sell them on dedicated dark web marketplaces for less than $50. Breaches caused by stealer logs can cause hundreds of thousands if not millions of dollars of damage to organizations. Actively detecting devices for sale on specialized infected device markets can significantly reduce your organizations chances of having a major breach.
Flare Director of Marketing Eric Clay and CTO & Co-Founder Mathieu Lavoie talked about how malicious actors continuously improve their operations, especially with spreading malware through the “as a service” model, and how organizations can stay ahead of them.
Check out our full webinar recording, Dissecting the Dark Web Supply Chain, and/or keep reading for the highlights.
Lifecycle of a Stealer Malware Attack
The stealer malware attack lifecycle can differ per strain of malware, but below are the general steps:
- The Malware as a Service (MaaS) vendor sells stealer malware along with associated command and control infrastructure (usually on Illicit Telegram Channels).
- Threat actors purchase the malware, then set up or purchase distribution infrastructure (lookalike domains, email servers, websites providing cracked software).
- Malicious actors distribute stealer malware through malicious advertisements like (spear phishing), social engineering attacks, and more.
- When the victim interacts with the stealer malware attack, it infects the computer, stealing valuable information like browser fingerprints, passwords saved to the browser, crytocurrency logins, and more. It also takes basic information about the host device like operating system, device type, and exfiltrates that back to the command and control (C&C) infrastructure.
- Threat actors and groups sell those infected devices on specialized illicit markets like Genesis & Russian Markets or Telegram channels.
- Other malicious actors can purchase those stealer logs. Sometimes they may purchase them for themselves to receive access to a VPN or streaming subscription service login, which are relatively cheap. In some cases, threat actors specifically search for logs that include access to sensitive corporate environments, so that they can launch an attack themselves or auction at a much higher cost.
- A different threat actor may purchase one of these logs and use it to launch an attack or purchase access to an initial access broker.
What Stealer Malware Takes
What exactly is stealer malware stealing? Below are the potential items:
- operating system version
- the operating or the ISP active session cookies which can be used to bypass two factor authentication
- Multi factor authentication
- IP addresses
- FTP client information
- VPN credentials
- the browser cache sound found at some variants
- geographic location of the device
- browser fingerprints to be used for session hijacking and account compromise
- cryptocurrency wallets
- browser history
- saved credit cards
Some new stealer malware variants can even steal information like the data copied to the clipboard. Most information gets sent back to the command and control infrastructure, but some variants of stealer malware can act as an initial entry point and serve as a vector to bring additional payloads in.
Telegram and Stealer Malware
The Genesis & Russian Markets sell stealer logs/browser fingerprints on dedicated dark and clear web marketplaces. Stealer logs can be found on illicit Telegram channels too, but the method of sale is different. Malicious actors often purchase access to a channel that shares hundreds of thousands of logs (with a guaranteed minimum logs distributed per month). Some channels offer special seats at around $100-200 USD per month to guarantee access to the freshest logs before they’re shown to others.
However, some of these channels offer free access, which can come with hidden costs. The phrase “if it’s free it’s because you’re the product” can ring true in these cases, as the distributed stealer logs can be infected with malware. Therefore, threat actors conduct Telegram fraud by setting up “free” stealer log channels to trap additional victims. For those who are researching such Telegram channels, it’s best to be cautious.
Stealer Log Pricing
Though average stealer logs sell for about $10-30 USD, prices can vary greatly based on a few factors.
The aforementioned prices can increase by five times or more if they include access to healthcare or financial service environments, or specific corporate networks.
If initial access brokers buy these stealer logs at $100-$150 USD, they can multiply that price after expanding and validating the access to
Based on our research, these are the average prices of various infected devices:
- Infected device on Genesis Market: $14.39 USD
- Infected device with access to 100 corporate healthcare logins: $93.91 USD
- Infected device with access to multiple bank accounts: $112 USD
Public health and financial information are two of the most valuable types of information sold illicitly. Stealer logs prices also correspond with this trend.
Want to learn more about Genesis & Russian Markets? Read our report: The Stealer Malware Ecosystem: A Detailed Analysis of How Infected Devices Are Sold and Exploited on the Dark and Clear Web.
How Flare Can Help
Flare monitors Genesis & Russian Markets along with illicit Telegram channels to find high-risk threats before malicious actors can act on them.
Flare’s infected device market monitoring enabled a customer to find an infected device and mitigate risk.
Curious about how Flare can help your organization stay ahead of stealer malware attacks? Request a demo to learn more.