How many credentials do you have saved in your browser? How many form fills? How many credit cards? These may seem like innocuous questions, but the advent of infostealer malware makes them all too relevant. Infostealer variants such as RedLine, Raccoon, and Vidar infect computers and steal the browser fingerprint, which contains all of the saved passwords in the browser along with form fill data.
There is a tendency to focus on the password in this context, after all passwords are the linchpin of a great deal of modern security architecture. But passwords are only a small part of the data that threat actors gain from a stealer log. For many individuals, the information saved in their browser is a roadmap to their life, with all of the information a threat actor needs for highly sophisticated social engineering attacks.
For this reason, stealer logs are likely one of the top vectors threat actors use for ransomware and other attacks against corporate environments. Thousands of individual browser fingerprints are harvested. These “logs” are then packaged together and distributed on Telegram. This report will examine stealer logs and their use in cyberattacks against enterprise organizations.
This Flare report was inspired by the recent attacks against corporate SSO applications. We rate it as highly likely that much of the increase in attacks targeting corporate SSO environments is in part being driven by the underlying growth in infostealers with corporate credentials. There is compelling evidence that threat actors are using stealer logs to gain initial access to corporate environments for ransomware attacks, initial access broker listings, and more.
- Flare’s research team identified 312,855 corporate SSO credentials in stealer logs distributed on dark web markets & public and private Telegram channels.
- Stealer logs can be extremely valuable for both financial crime and cybercrime targeting organizations. Credential sets saved within stealer logs enable threat actors to gain enormous insight into particular targets in addition to revealing common password patterns.
- Infostealer malware can be purchased for as little as $100 per month, complete with command and control infrastructure, on Telegram channels, creating a low barrier to entry for threat actors.
- Infostealer malware panels such as RedLine automatically parse logs and call out high-value credentials such as banking and financial services applications.
- SSO applications and the proliferation of stealer logs create a strikingly high-risk single point of failure. Threat actors are only one 2FA token away from total access to a corporate environment.
- We rate it as highly likely that many of the recent attacks against SSO environments have leveraged stealer logs for at least part of the attack.
Defining Infostealer Malware
Typically, infostealer malware infects computers, extracts credentials, auto-fill data, and active session cookies from the browser, and then self-terminates, leaving little to no trace that the device was ever infected. This data is then packaged into a “stealer log,” which is then itself combined with thousands of other stealer logs into files shared on cybercrime Telegram channels and Russian Market. This poses dramatically increased risk to corporations compared with “traditional leaked credentials” for a number of reasons, including:
- Stealer logs often contain active session cookies allowing threat actors to bypass 2FA and MFA controls
- Stealer logs contain dozens or even hundreds of credentials, providing a wide “attack space” for actors to utilize
- Log files often contain corporate credentials to SSO applications, CRMs, cloud environments, and other critical corporate SaaS applications
- Most stealer malware self-terminates after a successful infection, increasing the difficulty of detection and device identification
Infostealer malware often infects personal computers which don’t hold corporate files but do have saved credentials to corporate cloud environments, making detection even harder. Additionally, the information found on personal computers can aid threat actors in impersonating the user for future attacks, as many users save secret questions and other data as form fills in the browser.
Most threat actors are not highly sophisticated entities looking to identify 0-day exploits; they are instead low-level cybercriminals looking for the pathway with the highest possible return on investment. Finding infostealer logs with corporate credentials on public Telegram channels represents a low-risk, low-cost method for gaining access to sensitive IT infrastructure.
Example of a single stealer log file that has been distributed on Telegram, containing a browser fingerprint and associated information
Stealer Logs, Single Sign On Applications, and the Dangers of Browser Form Fills
SSO applications have become a corporate information security mainstay in recent years. Corporate single sign-on applications provide considerable advantages to security teams by centralizing authentication, enabling the organization to mandate MFA, improving compliance initiatives, and creating a centralized method for monitoring application access.
Unfortunately, SSO applications also create a single point of failure for an organization’s security posture. For this project, Flare searched for five common corporate SSO providers against more than 22 million stealer logs and identified over 312,855 corporate SSO application domains present. Even if the session cookies are expired, this still represents an enormous risk. We can break the risk down into three parts:
- Stealer logs may contain credentials and active session cookies for an SSO application, enabling a threat actor to log in directly
- Even when the session cookies are invalid or expired, stealer logs contain “auto form fill data” providing actors with employee names, addresses, answers to security questions, credit card information, and other data that could be used to social engineer 2FA and MFA codes out of help desk employees
- Stealer logs contain enormous amounts of personal information about employees that could be used as leverage such as credentials to adult content websites, banking, social media, and more
In some recent attacks against organizations using SSO applications, it appears that the threat actors already had the credentials to the SSO application, making social engineering attacks dramatically easier. It’s worth pausing for a moment and exploring the enormous social engineering opportunity that a stealer log represents for threat actors. For individuals that save credentials and form fill data in their browsers, an average stealer log may provide a threat actor with:
- Their name, address, social security number, and credit card numbers
- Saved answers to secret questions such as their pets’ names, the street they grew up on, favorite foods
- All of the domains that credentials are saved for; this can allow threat actors to ascertain highly personal information such as the school their kids go to, the airlines the individual takes, and other highly personal information that can be inferred from saved credentials
- Dozens to hundreds of examples of passwords that the individual uses, enabling threat actors to ascertain patterns in the victim’s passwords
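The three-part risk breakdown above (live session cookies, expired cookies, password patterns) is what a defender has to triage when a leaked log mentions their SSO hostnames. The following is an added example, not Flare's tooling: it parses a constructed log in the Passwords.txt and Netscape cookies.txt layout that several stealer families export (the field names are an assumption), matches it against a defender-supplied set of SSO hostnames, checks whether any captured cookie is still within its expiry, and flags password reuse between the corporate account and non-corporate sites without ever surfacing the cleartext password.

```python
import hashlib
import re

# Constructed sample (not a real capture) in the Passwords.txt layout several stealer families export; field names are an assumption.
SAMPLE_PASSWORDS = """URL: https://sso.example-corp.com/login
Username: jdoe@example-corp.com
Password: hunter2
===============
URL: https://www.shop.example/account
Username: jdoe@mail.example
Password: hunter2
===============
"""
# Constructed Netscape cookies.txt lines: domain, flag, path, secure, expiry, name, value.
SAMPLE_COOKIES = """.sso.example-corp.com\tTRUE\t/\tTRUE\t4102444800\tsid\tREDACTED
.shop.example\tTRUE\t/\tFALSE\t946684800\tcart\tREDACTED
"""
CORP_SSO_HOSTS = {"sso.example-corp.com"}  # assumption: the defender's own SSO hostnames

def parse_passwords(text):
    """One record per block; the secret is reduced to a short hash so reuse is visible without handling cleartext."""
    records = []
    for block in text.split("==============="):
        f = dict(re.findall(r"^(URL|Username|Password): (.*)$", block, re.M))
        if "URL" in f:
            host = re.sub(r"^https?://([^/:]+).*$", r"\1", f["URL"])
            fp = hashlib.sha256(f.get("Password", "").encode()).hexdigest()[:8]
            records.append({"host": host, "username": f.get("Username", ""), "pw_fp": fp})
    return records

def parse_cookies(text, now):
    """Return cookies whose expiry (Unix seconds) is still in the future, i.e. replayable sessions."""
    live = []
    for parts in (line.split("\t") for line in text.splitlines()):
        if len(parts) >= 6 and int(parts[4]) > now:
            live.append({"domain": parts[0].lstrip("."), "name": parts[5]})
    return live

def triage(passwords_text, cookies_text, sso_hosts, now):
    """Match credentials and live cookies against corporate SSO hosts and list the response actions."""
    records = parse_passwords(passwords_text)
    creds = [r for r in records if r["host"] in sso_hosts]
    sessions = [c for c in parse_cookies(cookies_text, now) if c["domain"] in sso_hosts]
    actions = []
    for r in creds:
        reused = any(o["pw_fp"] == r["pw_fp"] and o["host"] not in sso_hosts for o in records)
        note = " (password also reused on non-corporate sites)" if reused else ""
        actions.append(f"reset password and re-enrol MFA for {r['username']}{note}")
    for c in sessions:
        actions.append(f"revoke SSO sessions on {c['domain']}: cookie {c['name']} still valid")
    return {"credentials": creds, "live_sessions": sessions, "actions": actions}
```

Even when the cookie check returns nothing, the credential hit alone still warrants a reset, since the form-fill data in the same log is what an attacker uses to talk a help desk into a fresh MFA enrolment.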
Stealer Log Distribution, Panels, and the Infostealer Ecosystem
An entire ecosystem exists around stealer malware, largely on the social media and messaging application Telegram. Threat actors can easily purchase RedLine malware & infrastructure through automated Telegram applications using cryptocurrency. Typically licenses are sold on a monthly or lifetime basis.
Once threat actors purchase a license, they are also granted access to dedicated command and control infrastructure which can be used to communicate with the malware panel and the infected devices. Infostealer panels are particularly interesting and also showcase just how far cybercriminals have come in commoditizing logs.
To the right is an example of the panel of RedLine malware. The left hand column provides the date of the data extraction. The most interesting aspect is the far right column, where it appears that the panel automatically parses credentials from stealer logs to notify the threat actor of specific high-value credentials which can be exploited for financial gain.
Example of the Redline Panel
Once logs have been sorted, they are typically distributed across three primary sources. Many stealer logs are posted directly to public Telegram channels where they can be easily found by any Telegram user. Stealer logs that are posted directly in public Telegram channels usually serve as “advertisements” for the threat actors’ “private” (read: paid) channels.
Stealer log advertisement on Telegram
Private stealer log channels are invite only and usually monetized on a month-to-month basis. Typically, channel administrators limit the number of users in a private channel to 10-20 and promise a set number of “fresh” logs that will be posted to the channel on a weekly basis.
Raccoon malware panel (note they even have “beta” features)
In Flare’s previous analysis, we found that logs containing corporate credentials were disproportionately posted into private Telegram channels, indicating that actors may be intentionally funneling the highest value logs directly into private channels.
We’ve also found considerable evidence of dark web threat actors known as initial access brokers (IABs) purchasing bulk logs, likely to utilize the access provided to compromise corporate IT environments. We rate it as highly likely that both IABs and ransomware groups are directly using logs with corporate access to gain privileged IT infrastructure access to corporate environments.
Stealer logs represent more than just packaged credentials and session cookies for individual users. Many stealer logs contain all of the information needed to launch incredibly sophisticated and detailed social engineering attacks. Individuals live their lives online, and as a result save enormous amounts of personal information to their browsers which can present an incredible opportunity to threat actors looking for easy ways to gain access to corporate IT environments.
Organizations have typically focused on strengthening their internal security measures, but the growing use of SSO applications concentrates risk at a few single points of failure that can represent an existential threat to a corporate information technology environment. Leveraging external monitoring to identify corporate credentials in stealer logs is going to be increasingly necessary for any kind of effective security posture.