Threat Spotlight: Stealer Logs & Corporate Access

A navy background with the white text in all caps "Stealer Logs & Corporate Access."

Executive Overview

Over the last three years, infostealer malware variants have become a “popular trend” in the cybercriminal Malware-as-a-Service (MaaS) ecosystem. Doing precisely as their category implies, these malware variants steal information from users’ devices. After infecting the device, the malware employs various techniques to remain undetected while sending data to the malicious actors’ command and control infrastructure. 

To understand the threat infostealer malware poses, we examined more than 19.6 million stealer logs to identify trends like:

  • Number of infections containing corporate credentials
  • Average price of infostealers with banking access
  • Prominent consumer applications appearing in the logs 

Read our full report, Stealer Logs & Corporate Access, or continue reading for the highlights. 

The Details

Analyzing more than 19.6 million stealer logs showed trends that indicate malicious actors value access to corporate resources and financial services accounts. Based on the findings, malicious actors appear to use infostealer malware so that they don’t have to purchase a consumer application subscription or so they can steal money by compromising a bank account. 

At a high level, the research found the following about stealer logs:

  • 376,107 (1.91%): access to corporate SaaS applications
  • 48,173:  access to a resource that includes a single sign on credential representing almost certain access to corporate resources
  • 200,000 (1%): access to leading AI provider credentials

(Note, these are from users of the applications being compromised with infostealer malware. We have no reason to believe that these organizations themselves have suffered a security incident or breach) 

Meanwhile, looking at infostealer logs through the eyes of the consumer, the data shows:

  • $112: average cost of financial services-related logs compared to $15 across all log sales

We collected data from four primary sources:

  • Public Telegram “logs” channels: “free samples” of primarily consumer application access logs used to advertise the paid Telegram rooms
  • Private Telegram channels: invitation-only, paid channels with higher-value logs
  • Russian Market: Dark web marketplace that specializes in selling access
  • Genesis Market: structured, parse log data and cloning interface that is available on the Tor network

As part of the research, we focused on three key categories of infostealer log data, each representing a different threat to organizational information security. 

Corporate IT and Business Access

We believe malicious actors specifically value this log subset so they can access corporate IT environments. We identified three credential types that represent business resources:

  • Corporate IT infrastructure: Access to corporate IT infrastructure including cloud portals was disproportionately represented in our data set. 
  • Business contract & financial applications: Access to these applications was found overall in 0.4% of stealer logs.
  • CRM and customer data applications: Only 0.03% of logs contained credentials associated with CRM providers. 
Automate Your Threat Exposure Management

Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.

Based on the limited data set, we were able to identify a few key findings:

  • If we factor in dozens of common corporate resources, the 1.91% of stealer logs containing corporate SaaS user credentials would likely bring the number well above 2%.
  • Since logs containing corporate access were overrepresented on Russian Market and VIP Telegram channels, attackers likely make specific decisions about whether to target corporations or not. 
  • Public Telegram channels may deliberately post lower-value logs, saving high-value logs for paying customers.
  • Correlating this with additional dark web data, initial access brokers likely use stealer logs as part of a larger money-making scheme. 

Infected Devices and Banking

The infected devices and banking research focused on the stealer logs’ financial value. To perform this analysis, we identified a random selection of 200 financial services organizations that have more than 5,000 employees. We then matched the organization’s primary domains against a sample from Flare’s database of infected devices listed on Genesis Market (88,000 current device listings) from the past two years. Then, we compared prices for logs containing financial services data to those without it. 

We focused our research on the Genesis Market for two specific reasons:

  • It bases the pricing model on the resources that the stealer logs contain, providing insight into how malicious actors value different types of credentials. 
  • It exemplifies the MaaS business model with highly specialized threat actors selling products and services to unsophisticated threat actors so that they can easily deploy malware. 

The data shows that threat actors clearly place a high value on domains with access to financial services credentials: 

  • On the Genesis Market, logs containing financial services logins were listed at an average price of $112.27, compared with $14.31 for those without.
  • Over the past two years, 46 of the sampled 213 financial institutions had employee or customer logins for sale. 

Consumer Applications and Stealer Logs

We analyzed the 50 domains that appear most commonly in stealer logs. While the results included a mix of streaming applications, music, video games, and email accounts, Google, Gmail, Facebook, and Microsoft domains appeared in stealer logs most often. Additionally, almost all of these credentials are for typical consumer applications despite the possibility that some domains could be either corporate or personal, like accounts.google.com.

Research Considerations

When planning and executing the research, we made some important decisions that impacted the outcomes:

  • We did not look for crossover between multiple corporate access domains present in the same log extensively. For example, we didn’t check logs that had access to AWS Console to see if they also had access to a credential for Okta. We did some basic testing and found the crossover to be low enough that we don’t believe it impacts the results substantially. 
  • We only looked at seven specific corporate credentials that might be saved in a browser out of thousands, this limited our data considerably. 
  • Some credentials, such as those for AWS console may be used by students or for personal projects. We believe the vast majority likely indicate corporate access, but some may not. 

How Flare Can Help

Flare’s proactive external cyber threat detection solution uses AI-driven technology to constantly scan the online world, including the clear & dark web and illicit Telegram channels. By monitoring thousands of cybercrime communities, our platform provides data from 14 million stealer logs and 2 million threat actor profiles. 

Since our platform automatically collects, analyzes, structures, and contextualizes dark web data, you gain the high-value intelligence specific to your organization for 10x faster dark web investigations and 95% reduction in data leak incident response costs. 

Start your free trial today to learn more. 

Share This Article

Related Content