What is a Stealer Log?
The term “stealer log” refers to a type of malware designed to steal information from a computer or device. This information can include login credentials, passwords, financial information, and more. Stealers spread through pirated software, malicious websites, and other methods. Some stealer logs are offered through dark web Malware-as-a-Service business models, and some stealer log data is published by ransomware gangs such as RansomEXX. In this blog post we cover the stealers RedLine, Raccoon, and Vidar and give practical tips on how to protect yourself from stealer logs.
How Stealer Logs Spread
At least 3 dangerous stealer logs are currently infiltrating computers through various methods. Typically, stealer logs spread through phishing-like attacks, in which the victim is tricked into visiting a malicious website or installing a program. However, they can also be included within unauthorized applications, such as pirated software. Stealer logs can also be spread through sophisticated spyware such as Flame, which has been found in various countries in the Middle East and Africa. Flame is a highly sophisticated piece of malware that was discovered in 2012. It is believed to be part of a state-sponsored cyber espionage campaign that targeted countries in the Middle East, particularly Iran, and potentially other countries in Africa and the Middle East as well. It is thought to have been used for intelligence gathering, particularly on Iran’s nuclear program. The malware is notable for its large size (20 megabytes), its use of multiple encryption methods, and its use of an SQLite database to store structured information. It is believed to have been jointly developed by the United States and Israel in preparation for digital espionage against Iran.
Clouds of logs: Malware-as-a-Service (MaaS) and Stealer Logs
The concept of stealer logs is at least two decades old. What is new is providing stealer logs as a service, in a “cloud of logs”, on underground dark web markets. You may have heard of the Software-as-a-Service (SaaS) business model, in which clients are given access to an online platform and technical support. Some stealer logs are offered as Malware-as-a-Service (MaaS), an illegal version of SaaS, in which malware is leased to individuals or organizations for the purpose of conducting cyber attacks. These attacks are often automated and delivered through a botnet, a network of compromised computers that can be controlled remotely. The MaaS market can be broken down into three actors:
- developers of malware
- sellers of malware
- buyers of malware
MaaS is often used by individuals or organizations who do not have the technical skills or resources to develop and disseminate malware on their own, similar to criminal Ransomware-as-a-Service (RaaS) business models, in which buyers pay to launch ransomware attacks developed by operators.
What is Raccoon Stealer Log malware?
Raccoon Stealer is one of the 3 dangerous stealer logs currently threatening your security. It is a password-stealing malware that was first observed in 2019. It is advertised as Malware-as-a-Service (MaaS) on various cybercriminal forums and is known to target victim credentials and cryptocurrency wallets. Raccoon Stealer is favored by some threat actors due to its simplicity and is often distributed under the guise of cracked software. When a victim’s computer is infected with Raccoon Stealer, the malware collects information such as login credentials and cryptocurrency wallet information and sends it to a command and control server. The developers of Raccoon Stealer provide an admin panel to subscribers, which allows them to view and download the stolen information (logs). Raccoon Stealer was temporarily shut down in March 2022, when its operators claimed that one of the lead developers had been killed during Russia’s invasion of Ukraine, but it has since resumed operations with a new version.
What is Vidar Stealer Log malware?
Vidar Stealer, like Raccoon, is malware used to steal sensitive data from a victim’s computer, including banking information, saved passwords, IP addresses, and other personal information; it is the second of the 3 dangerous stealer logs on our list. It can infect a computer through various methods, such as phishing and hiding inside a file. The stolen information is either sold or distributed for free on various underground forums and marketplaces, including Russian Market. Vidar Stealer has been observed being offered for sale as a log credential stealer on underground forums since December 2020. It is believed to be a clone of the Vidar Stealer malware that was first identified in 2018. Vidar is malicious software used to steal information from a victim’s computer, such as system information, browser data, user credentials, and cryptocurrency wallets. It is typically spread through campaigns using exploit kits, and Vidar Stealer Log is often sold as malware-as-a-service on underground forums. Vidar is considered high-risk malware and can cause significant damage to a victim’s computer.
What is RedLine Stealer malware?
RedLine Stealer can infect systems through hidden files and is the third of 3 dangerous stealer logs we’re covering today. Once it has infected a system, RedLine Stealer can collect login credentials, autofill data, cookies, and credit card details from browsers. It can also steal information from cryptocurrency wallets and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. Additionally, RedLine Stealer gathers data about the infected machine, such as running processes, antivirus software, and system information. This information can then be sold or distributed by cybercriminals to other parties.
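The three stealers covered above all harvest the same on-disk credential stores: the browsers’ saved-login and cookie databases, plus the saved-site files of tools such as FileZilla. That gives defenders a simple detection hook. The Python script below is an added example written for this post, not code from the article or from any malware project: it reads file-access telemetry and flags any process other than the owning application that reads such a store, and treats a process sweeping several stores in one run as stealer-like. The file names are the real ones used by Chromium-based browsers, Firefox and FileZilla; the event format, the process allow-list and the sample events are constructed assumptions.

```python
"""Flag processes other than the owning application reading credential stores.

Added example for this post (not code from the article or from any malware
project). The file names below are the real on-disk stores used by
Chromium-based browsers, Firefox and FileZilla; the event format, the
process allow-list and the sample telemetry are constructed for the example.
"""
from collections import defaultdict

# Credential store file name -> processes that legitimately open it (assumed allow-list).
CREDENTIAL_STORES = {
    "Login Data": {"chrome.exe", "msedge.exe", "brave.exe"},   # Chromium saved logins
    "Cookies": {"chrome.exe", "msedge.exe", "brave.exe"},      # Chromium cookies
    "Web Data": {"chrome.exe", "msedge.exe", "brave.exe"},     # Chromium autofill / card data
    "logins.json": {"firefox.exe"},                            # Firefox saved logins
    "sitemanager.xml": {"filezilla.exe"},                      # FileZilla saved sites
    "recentservers.xml": {"filezilla.exe"},                    # FileZilla recent servers
}

# Constructed file-read telemetry: timestamp|process|path (one event per line).
SAMPLE_EVENTS = """\
2023-03-01T10:01:02Z|chrome.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2023-03-01T10:01:05Z|setup_crack.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2023-03-01T10:01:05Z|setup_crack.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
2023-03-01T10:01:06Z|setup_crack.exe|C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\sitemanager.xml
2023-03-01T10:02:00Z|firefox.exe|C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\logins.json
2023-03-01T10:03:00Z|explorer.exe|C:\\Users\\alice\\Documents\\notes.txt
"""


def parse_event(line):
    """Split one telemetry line into (timestamp, process, file name)."""
    timestamp, process, path = line.split("|", 2)
    file_name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return timestamp, process.strip().lower(), file_name


def credential_store_reads(events_text):
    """Return {process: set of store names} for every read of a credential
    store by a process that is not the store's owning application."""
    findings = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        _, process, file_name = parse_event(line)
        owners = CREDENTIAL_STORES.get(file_name)
        if owners is None or process in owners:
            continue  # not a credential store, or opened by its legitimate owner
        findings[process].add(file_name)
    return dict(findings)


def suspicious_processes(findings, min_stores=2):
    """A single stray read may be a backup agent; a process that sweeps several
    stores in one run matches the collection behaviour described for the stealers."""
    return sorted(p for p, stores in findings.items() if len(stores) >= min_stores)


if __name__ == "__main__":
    hits = credential_store_reads(SAMPLE_EVENTS)
    for process, stores in hits.items():
        print(f"{process} read credential stores: {sorted(stores)}")
    print("stealer-like:", suspicious_processes(hits))
```

In practice the events would come from an EDR’s file-read telemetry rather than a constructed string. A freshly dropped executable reading Login Data, Cookies and sitemanager.xml within a few seconds, as in the sample, is exactly the collection pattern described for RedLine, Raccoon and Vidar, and is a good reason to isolate the host and invalidate the affected sessions.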
What is Russian Market on the Dark Web?
Russian Market is a website that operates on the dark web and can be classified as a stealer logs marketplace. It specializes in the trade of stolen information, such as credit card information, RDP and SSH access, PayPal information, and logs of stolen account data for various sites generated by the 3 dangerous stealer logs. It offers a variety of goods and services, including drugs, weapons, gadgets, services, weed, CC dumps, documents, and hacking and cracking tools. It is available in English, and its target audience is not necessarily limited to Russian residents.
What is RansomEXX?
RansomEXX is a ransomware gang that has remained active since it was first identified. It targets both Windows and Linux systems and is known for publishing stolen data of victims who do not pay the ransom on its leak site. RansomEXX has been responsible for several high-profile attacks, including the Bombardier breach in August 2020, in which 30 GB of data was released, and the attack on Taiwanese motherboard manufacturer Gigabyte in December 2020. In addition, a variant of RansomEXX written in the Rust programming language has been circulating in the wild. The group is known for leaving a ransom note on the victim’s machine and disabling file recovery and system restore after successfully encrypting the victim’s files.
How to protect yourself against Stealer Logs
- use a firewall on your device
- never store passwords in your keychain or the browser; use a self-hosted password manager instead
- have an up-to-date malware scanner
- when browsing the web, use private browsing sessions only
- be cautious when browsing the internet, particularly when visiting unfamiliar websites (e.g. avoid suspicious links and emails)
- when using online banking or other sites that handle very confidential data, do not have another browser tab or browser window open at the same time
- keep your devices and software up to date with the latest security patches
- businesses need to have adequate Mobile Device Management (MDM) in place to implement and enforce policies and best practices for the use of mobile devices such as smartphones, tablets, and laptops within the organization. Contact us for solutions!
- as new threats and better stealer logs will be made available on the dark web, we strongly recommend signing up for our continuous Dark Web Scans to be notified when important information is leaked.
It is also recommended to report suspicious websites to the appropriate authorities.
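When a dark web scan like the one recommended above turns up a stealer log that mentions your organization, the useful first step is triage: which accounts on your domains appear, and which of them share a password, so that resetting one account is not enough. The Python script below is an added example written for this post, not code from the article or from any vendor: it parses the text blocks that many stealer-log exports use (URL / Username / Password / Application, an assumed layout), keeps only a SHA-256 digest of each password so the plaintext is not copied any further, and produces a per-host reset list. The sample log, the account names and the domain example-corp.com are constructed.

```python
"""Triage a leaked stealer log without spreading the plaintext secrets.

Added example for this post (not code from the article or from any vendor).
The record layout (URL / Username / Password / Application blocks separated
by blank lines) is an assumption modelled on common stealer-log exports; the
sample content and the domain example-corp.com are constructed.
"""
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of a stealer-log password export.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
Username: alice@example-corp.com
Password: hunter2
Application: Google Chrome_Default

URL: https://mail.example-corp.com/owa/
Username: alice@example-corp.com
Password: hunter2
Application: Google Chrome_Default

URL: https://shop.example.net/account
Username: alice.personal
Password: pw123
Application: Mozilla Firefox_default-release

URL: https://vpn.example-corp.com
Username: bob
Password:
Application: Google Chrome_Default
"""


def parse_records(text):
    """Split the export into records, replacing each password with its SHA-256
    digest so the triage output never carries the plaintext."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)  # split once: the URL value contains ':'
            fields[key.strip().lower()] = value.strip()
        if "url" not in fields:
            continue
        password = fields.get("password", "")
        records.append({
            "host": urlparse(fields["url"]).hostname or "",
            "username": fields.get("username", ""),
            "application": fields.get("application", ""),
            "has_password": bool(password),
            "password_digest": hashlib.sha256(password.encode()).hexdigest() if password else None,
        })
    return records


def in_scope(host, watch_domains):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watch_domains)


def reset_list(records, watch_domains):
    """Accounts on watched domains that need a forced reset and session revocation."""
    by_host = defaultdict(set)
    for r in records:
        if in_scope(r["host"], watch_domains):
            by_host[r["host"]].add(r["username"])
    return {host: sorted(users) for host, users in sorted(by_host.items())}


def password_reuse_groups(records):
    """Entries that share one password (compared by digest): resetting a single
    account is not enough if the same secret unlocks another."""
    groups = defaultdict(list)
    for r in records:
        if r["password_digest"]:
            groups[r["password_digest"]].append((r["host"], r["username"]))
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("reset list:", reset_list(recs, ["example-corp.com"]))
    print("password reuse:", password_reuse_groups(recs))
```

The reset list is what goes to the identity team; the reuse groups show where a single leaked secret exposes more than one service. Because the script only keeps digests, the triage output can be shared with the help desk without handing plaintext credentials to yet another set of mailboxes.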
This is the first part of our blog series on stealer logs. Part 1 covers 3 dangerous stealer logs. In part 2 we will cover why it is important to be economical with cookies in light of the threat of stealer logs.