Nearly a month ago, I gave a talk at the HelSec meetup. This was my second time giving a talk, and whoever gives 2 or more talks at HelSec receives the title of Legend. Pretty cool and nice. It had been a long while since I attended the meetup, and it was very pleasant to catch up with old friends. Oh, and I met a few new folks!
The talk was about information stealing malware, where I briefly went over some related topics:
- What infostealers are and what kind of information they exfiltrate from infected victims.
- The malware distribution methods.
- Malware-as-a-Service model
- Monetization of stolen information (usually referred to as malware/stealer logs)
- Talked about Telegram channels and “Logs Clouds”
- Dedicated marketplaces, such as Genesis Market (rip), 2Easy Shop and Russian Market.
- Spent more time on the Russian Market. Well, my go-to would be Genesis, but it has stopped operating due to the infra takedown by law enforcement agencies. On 18th January 2024, I checked the numbers of victims and associated infostealers on the Russian Market:
- Raccoon: 3,769,772
- Vidar: 2,135,862
- RedLine: 1,812,314
- Lumma: 1,446,518
- RisePro: 225,766
- StealC: 60,337
- Silencer: 45,207
Now this is interesting and such, but to make the talk better, I decided I could download malware logs and try to crunch some data. For this, I purchased a cheap-ish VPS and got to downloading.
Initially, when I was thinking about the organization of the talk, I thought about downloading malware logs dumped in 2023 on Telegram channels. A few milliseconds later, I realized that it would not be possible because the meetup date was approaching quickly, and I wouldn’t have enough time to even download that much data. Moreover, I would need a much more powerful machine. Next, I thought maybe I could just consider the last quarter of 2023. However, I realized that it would not be possible for the same reasons as above. I settled on downloading malware logs that were dumped in December 2023.
I started downloading malware logs from two Telegram channels, which aggregate logs from other channels. Overall, 900 GB of compressed data was downloaded, which amounted to over 600K infostealer logs. Next, I collected some keywords and wrote a few lines of ugly bash script to go through the data.
Overall, the number of unique email addresses was a bit over 3.5 million. Here’s the breakdown of the TOP-10 email domain names:
| Domain | Occurrence |
|---|---|
| gmail.com | 2,054,915 |
| hotmail.com | 286,585 |
| outlook.com | 114,942 |
| yahoo.com | 113,615 |
| icloud.com | 31,146 |
| mail.ru | 12,549 |
| live.com | 8,248 |
| yopmail.com | 7,729 |
| outlook.fr | 7,103 |
| gamil.com | 7,074 |
Funnily enough, there was “gamil.com”, which is clearly a typo by people 🙂
Now I needed some more ideas on what to search for in the data, because the initial idea was to look only for compromised credentials of Helsinki Exchange companies in the malware logs.
How many compromised logins to cybercriminal forums/marketplaces would there be? As keywords, I gathered over 200 such forums and marketplaces and ran them through the data:
- Over 50K logins (20K+ unique)
- Most popular forums:
- nulled.to
- cracked.io
- cracking.org
- blackhatworld.com
- hackforums.net
Since AI is all the rage now, I checked if there were any credentials for OpenAI, ClaudeAI, Mistral, or LemonFox. Turns out there were over 66K OpenAI credentials, and no findings for the others.
Some more meaningless data crunching in search of compromised accounts:
- DevOps platforms: 143,163
- Internet registries: 780
- Password managers: 2,730
Then I looked at whether anything could be found related to Finnish governmental entities/agencies. The keywords used for this round were domain names and emails (for example, @gov.fi). This was done so that I could quickly distinguish whether the infected victim was just a (potential) end user or a holder of a gov agency email address. Nothing was found based on email keywords. Only 53 login credentials of end users to gov entities (THL, stat.fi, csc.fi, Migri, Prh, etc.) were compromised.
And finally, something that took the most time: checking the Helsinki Stock Exchange companies, about 140 of them. As with the governmental entities, I used domain names and emails as keywords. 11 companies had findings based on company emails, which means employees’ devices were infected, or they used an infected device to log in. And 40 companies had findings based on domain names, meaning end users. I abstained from naming any companies 🙂
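As an added example (this is not the author's bash script, nor any stealer's own code), here is a small Python version of the two pieces of data crunching described above: counting unique e-mail addresses per domain, and splitting keyword hits into "the victim's login e-mail is on the domain" (likely an employee) versus "only the login URL is on the domain" (likely an end user). It assumes the block-style credential format many stealer families write to a Passwords.txt file (URL/Username/Password lines separated by a row of `=`); the sample log, the company domain `example-corp.fi`, and all addresses in it are constructed for the example.

```python
import re
from collections import Counter
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample log. The field names (URL/Username/Password) and the "="
# separator are an assumption about the common stealer Passwords.txt layout;
# example-corp.fi and every address below are made up for this example.
SAMPLE_LOG = """\
URL: https://accounts.google.com/signin
Username: alice@gmail.com
Password: hunter2
Application: Google Chrome
===============
URL: https://nulled.to/login
Username: Alice@GAMIL.com
Password: hunter2
===============
URL: https://intranet.example-corp.fi/sso
Username: bob@example-corp.fi
Password: Winter2023!
===============
URL: https://shop.example-corp.fi/account
Username: carol@hotmail.com
Password: password1
===============
URL: https://platform.openai.com/login
Username: carol@hotmail.com
Password: password1
===============
URL: https://hackforums.net/member.php
Username: dave@gmail.com
Password: letmein
===============
URL: https://login.notgov.fi/
Username: eve@gmail.com
Password: qwerty
===============
"""

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def parse_records(text):
    """Yield (url, username, password) tuples from block-style stealer log text."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"="}:      # blank line or separator ends a block
            if rec:
                yield rec.get("url", ""), rec.get("username", ""), rec.get("password", "")
                rec = {}
            continue
        key, sep, value = line.partition(":")  # split on the first ':' only; passwords may contain ':'
        if sep:
            rec[key.strip().lower()] = value.strip()
    if rec:
        yield rec.get("url", ""), rec.get("username", ""), rec.get("password", "")


def host_of(url):
    """Lowercase hostname of a URL ('' if none); tolerates URLs missing a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def email_domain(username):
    """Domain part of a username if it is an e-mail address, else None."""
    m = EMAIL_RE.match(username.strip())
    return m.group(1).lower() if m else None


def in_domain(host, keyword):
    """True if host is keyword or a subdomain of it (so 'gov.fi' does not hit 'notgov.fi')."""
    return host == keyword or host.endswith("." + keyword)


def unique_email_count(text):
    """Number of distinct e-mail addresses, compared case-insensitively."""
    return len({u.lower() for _, u, _ in parse_records(text) if email_domain(u)})


def top_email_domains(text, n=10):
    """Unique addresses per e-mail domain, most common first (as in the table above)."""
    seen, counts = set(), Counter()
    for _, user, _ in parse_records(text):
        dom = email_domain(user)
        if dom and user.lower() not in seen:
            seen.add(user.lower())
            counts[dom] += 1
    return counts.most_common(n)


def keyword_hits(text, keywords):
    """Per keyword domain: 'email' = victim logs in with an address on that domain
    (likely employee); 'url' = only the login URL is on that domain (likely end user)."""
    hits = {kw: {"email": set(), "url": set()} for kw in keywords}
    for url, user, _ in parse_records(text):
        host, dom = host_of(url), email_domain(user)
        for kw in keywords:
            if dom and in_domain(dom, kw):
                hits[kw]["email"].add(user.lower())
            elif in_domain(host, kw):
                hits[kw]["url"].add(user.lower())
    return {kw: {k: len(v) for k, v in d.items()} for kw, d in hits.items()}


def scan_tree(root, keywords, pattern="*assword*.txt"):
    """Run both statistics over an already-extracted log dump on disk (assumption:
    credential files are named like Passwords.txt); bad encodings are tolerated."""
    texts = [p.read_text(errors="replace") for p in Path(root).rglob(pattern)]
    combined = "\n===============\n".join(texts)
    return top_email_domains(combined), keyword_hits(combined, keywords)


if __name__ == "__main__":
    print("unique e-mails:", unique_email_count(SAMPLE_LOG))
    print("top domains:", top_email_domains(SAMPLE_LOG))
    print(keyword_hits(SAMPLE_LOG, ["example-corp.fi", "nulled.to", "openai.com", "gov.fi"]))
```

The two design choices worth copying into a real grep-and-awk pipeline are the ones that skew numbers the most: de-duplicating addresses case-insensitively before counting (the same victim's log is often re-dumped across channels), and matching on the parsed hostname with a dot-boundary rather than a substring, so that a keyword like `gov.fi` does not also count `notgov.fi` or any URL that merely mentions the string.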
Generally, I was satisfied with my talk. Of course, I could have done more and better, but, you know, I am a person of a “good enough” attitude. I noticed quite a few smiling faces in the audience, so I suppose my silly jokes and presentation were entertaining. In addition, after the talk, I received some positive feedback and interest in the topic from the folks.