Infostealers on the Dark Web

This episode of the podcast focuses on the information-stealing malware that we see circulating on the dark web.

In this episode of The Dark Dive we’re looking at a particular type of malware called Information Stealers or “Infostealers”.

This malware is designed to (you guessed it!) steal information from infected devices. We discuss exactly how infostealers work, why this malware has become so prolific over the past couple of years, and where it can be spotted on the dark web. 

Speakers

Aidan Murphy, Host (Searchlight Cyber)

Robert Fitzsimons, Senior Threat Intelligence Engineer at Searchlight Cyber

Joe Honey, Threat Intelligence Engineer at Searchlight Cyber

In this episode of the podcast we cover:

The differences between strains of infostealer

With discussion of the different features of malware strains including Vidar, Rhadamanthys, and Meduza.

Law enforcement action against infostealers

With a focus on Operation Magnus, which deployed some new tactics in taking out the RedLine and META stealers in October 2024.

How organizations can protect themselves against infostealers

With awareness of the main methods used to get infostealers onto devices and how dark web monitoring can help to spot infostealer logs.

Transcript

Aidan Murphy: Hello and welcome to the last episode of the year of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’m your host as each month we look at a different aspect of the dark web. In this month’s episode, we’re going to look at a specific type of malware, information stealers, which, you guessed it, are designed to steal information. Commonly known as infostealers, this malicious software has exploded in use over the last few years, with the 2024 IBM X-Force threat intelligence index reporting a 266% year-on-year increase in infostealer incidents. This is therefore a threat that more and more people are facing and also one that we have unique insight into through the dark web. Joining me today to explain what infostealers are, how they work and where we can find them on the dark web are two threat intelligence engineers from Searchlight Cyber, Rob Fitzsimons and Joe Honey. Hello to you both.

(TC: 00:01:00) 

Robert Fitzsimons: Hi Aidan, hi everybody.

(TC: 00:01:02) 

Joe Honey: Hi Aidan.

(TC: 00:01:03) 

Aidan Murphy: Before we get started, I’m just going to ask you to introduce yourself to the listeners, Rob can we start with you?

(TC: 00:01:08) 

Robert Fitzsimons: Sure thing. So, I’m Rob Fitzsimons. I am a lead threat intelligence engineer at Searchlight Cyber. I’ve been with the company a little over two and a half years now, helping our enterprise or commercial and government law enforcement customers ultimately get as much value from the dark web as they can and understand what these threat actors are doing to potentially compromise us and gain access to our networks, and what we can hopefully do to be a little bit more proactive to hopefully prevent these breaches from happening.

(TC: 00:01:40) 

Aidan Murphy: Brilliant, thanks Rob. And Joe.

(TC: 00:01:42) 

Joe Honey: Thanks Aidan. So, hi everybody, I’m Joe, I’m one of the threat intelligence engineers here at Searchlight. I’ve been with the company for about three years now and I, kind of, split my time between helping our customers, mostly on the enterprise side rather than, sort of, Rob’s focus on law enforcement. Mostly on the enterprise side, get the very best from our tools and obviously, minimize and mitigate any cyberattacks. And then also do a fair amount of work, sort of, researching into our data set, looking for interesting things to talk about. New features that we can develop and hopefully add as much value to our customers and to you the listeners, as possible.

(TC: 00:02:15) 

Aidan Murphy: Brilliant, thanks Joe. Okay. Onto the topic infostealers and I’m going to start with you Rob. I don’t know if you remember this, but about two years ago, you were tracking some infostealer trends on the dark web and you sat me down then to explain what an infostealer was, and I’ll be honest with you now, I didn’t fully understand. But I think I understand now and I think you’re the person to explain. So, let’s try again in the most simple terms, can you explain to the listener what an infostealer is?

(TC: 00:02:43) 

Robert Fitzsimons: I do remember that conversation even though it was a couple of years ago now.

(TC: 00:02:47) 

Aidan Murphy: Was it very clear that I didn’t understand? Did I do a good job of pretending?

(TC: 00:02:52) 

Robert Fitzsimons: At the time, fantastic job at pretending.

(TC: 00:02:55) 

Aidan Murphy: Thanks.

(TC: 00:02:55) 

Robert Fitzsimons: So, an information stealer malware is, as the title would suggest, a piece of malware that users, inevitably, download, generally accidentally, from a source, some site or a file download, it may be from a compromised email, which ultimately installs a piece of malware onto their device. And this is the information stealer. The information stealer is designed to collect information from that compromised device. Which could be anything from personal information to passwords to credentials that you’d use to access any of the areas that you’d visit through your normal browser. They can go as far as collecting things like credit card information, crypto addresses and potentially compromised data from your password managers. Ultimately, all of that data is being hoovered up by this information stealer, packaged up and then exported to a command and control server somewhere, so that the threat actors can list that, utilize it for access or potentially sell it to other vendors on the dark web.

(TC: 00:04:02) 

Aidan Murphy: I think that’s a brilliant description. So, Joe, Rob touched on this a little bit, but typically, how do infostealers get onto people’s devices? Is there, like, one way, or are there a couple of ways? How does the initial infection happen?

(TC: 00:04:15) 

Joe Honey: On a scary point of view, there are so many different ways, unfortunately, that this malware can end up on your computer. One of the interesting things about working in cyber security, as soon as we stop one particular vector for malware, for example, the criminals, they will innovate, they will experiment and they will come up with new ways. That being said, there are, kind of, a couple of trends that we’re seeing around stealers. So, the first is around something called malvertising, or malicious advertising. So, what we’re seeing here is the threat actors, you know, running these malware campaigns, they will create a website that looks very similar to Zoom, for example, is, kind of, quite popular. They will then take out some Google adverts, you know, promoting free Zoom download, click here. They really try and promote that to make these adverts, these malicious websites, look attractive as possible. Once you then, sort of, click onto that website, you will download an .EXE file, or what you think is an .EXE file, to install Zoom. The only problem is, it’ll install Zoom but it’ll also install a few other pieces of software on your computer as well. And typically, this would be, you know, one or more types of infostealer, malware. So, that’s one, kind of, very common sort of way. Software like Zoom, Anydesk, Adobe, any popular software you can see, has often, you know, had Google ads and stuff out there, kind of, promoting malware and stuff.

(TC: 00:05:38) 

Aidan Murphy: And we’re recording this in December, so I guess this is a time when people should be particularly aware of this threat because we all receive tons of advertisement, it can be quite difficult to tell between, you know, what’s a legitimate Black Friday or Cyber Monday deal and what could potentially be malvertising, is that right?

(TC: 00:05:55) 

Joe Honey: Yeah. Absolutely. And I mean, I’ve observed this mostly around, sort of, software-based stuff. But this malware can be attached to anything. You know, I recently went shopping for my sons’ Christmas presents at Smyths. They have, sort of, QR codes and things all over the store saying, ‘Scan here and get your free copy of our Christmas catalog.’ You know, who’s to say that QR code is actually a genuine, sort of, Smyths toy store one, or is it actually someone who has snuck that QR code, that link, into an email, into the website, or just gone and stickered over those sort of things in stores. And that’s, kind of, a nice little segue into the second delivery channel for this malware, which is around email. You know, phishing has been around almost as long as email has been around. We’ve all seen those emails, you know, ‘Click here to download the latest catalog, you need to pay this invoice, hey Rob, can you proofread this document for me?’ You know, odds are, that will contain something that’s malicious as part of that. So, these, sort of, phishing emails are very popular, particularly in a business type setting for delivering malware. And one of the third, sort of, more interesting ways that we’re seeing this malware be delivered at the moment is, funnily enough, by YouTube. So, obviously, people don’t want to pay for software. You know, what’s an Adobe license now, a couple of hundred dollars per year, if not more. If you’re a, you know, a young person or a student you don’t necessarily have that money. So, you’ll go onto the internet, you’ll search, ‘How can I get Adobe Photoshop for free?’ For example.

It will take you to a YouTube video, this YouTube video will talk you through how to hack this version of software so you can get it for free, and it will post a very convenient download link to, ‘Click here to download Adobe with all the restrictions bypassed.’ You click on that. It’s probably 50-50 as to whether you’ll actually get a working version of Adobe or whatever software you’re looking for, but there’s probably quite a high chance that you’re going to pick up something that you don’t particularly want to pick up as well.

(TC: 00:07:45) 

Aidan Murphy: And when this malware is on your system, something that makes it different maybe, from other types of malware, like ransomware which at some point will encrypt your computer and you’ll know it’s there, infostealers, my understanding is they’re almost designed to remain dormant or to look dormant. You’re not meant to find them, you’re not meant to see that they’re running in the background. In fact, the longer they can stay undetected the better, is that right?

(TC: 00:08:08)

Joe Honey: Yes, very much. For, you know, stealer malware to be as effective as possible, it wants to see, get on your machine, start capturing data and then just live there. Because over time, you’re going to go onto more sites. You’re going to create new Bitcoin wallets, you’re going to save new passwords. You know, the longer it can stick around without being detected, the more data it’s going to get out of you, and obviously, the more valuable the log of the output of that malware is, kind of, going to be. Same as any software though, there is variance, you know, there is some stealer malware that will go into your machine, it’ll execute once, steal as much as it can and then it’ll automatically wipe and delete itself and try and cover its tracks. Obviously, if you don’t know your passwords and things have been compromised, it gives the criminals, kind of, a bigger window to use that data before you go and you change your passwords and reset accounts and make their life harder. But yes, there are others that do try and establish that, sort of, persistence and hang around for longer. Rob, did you want to come in on that?

(TC: 00:09:03) 

Robert Fitzsimons: Yes, I was just going to add to that point you made, Joe, like, yes, for the most part, I think there is value in, obviously, evading detection, being persistent and collecting as much data as you can. Because ultimately, the data is that lucrative part, right. That’s what’s pushed out onto the dark web, sold as logs and then finances this threat actor’s activity. You also touched on the point of some of them not hanging around and, sort of, self-destruction is a term that’s often used in information stealers, and Vidar stealer is one that has been particularly prolific for a number of years now, and that has been designed to almost do a, sort of, one-time collection of as much data from that compromised device as it can. Package that up, exfiltrate it from the network and then self-destruct the malware, but also try and remove any activity that is conducted in harvesting that information that is done on the system. Ultimately, the point of that is to remove its tracks but prevent investigations into this activity and ultimately understanding things like indicators of compromise from an analyst’s perspective, which makes it harder to develop capabilities and detection algorithms to be able to understand when this is in your network. So, there’s value on both sides of being, obviously, persistent, which might last for a short period of time but might get you more value in the short-term. Or being a little bit more aggressive and deleting all of your activities so that you can potentially hang around for as long as someone like Vidar has, almost six years or so now.

(TC: 00:10:40) 

Joe Honey: I was going to say, it’s like any crime, you know, the longer you can fly below the radar, the less likely you are to get caught in the end. But even, you know, with these malware that does have that persistence element to it, they’re sneaky with it. They will encrypt their code. They will encrypt, kind of, the network communications. They will potentially, kind of, create their own virtual machines in the case of Rhadamanthys and run on that machine and things like that. They will put in a lot of effort to, kind of, sit and they stay below the radar as well. So, they’re not just installing something and, you know, you look on the start menu of your computer and you just see a new line there for Rhadamanthys stealer. Like, they are sneaky.

(TC: 00:11:16) 

Aidan Murphy: It sounds like some of these strains are incredibly sophisticated and Rob, you just mentioned one that’s been going for six years. I started with the stat from IBM X-Force about the growth in the popularity of infostealers. I guess, I’d be interested in getting, I’ll start with you Rob, maybe you can come in as well on this, Joe, your perspective on what’s behind this trend. Why are people investing this time developing, you know, this malware with these kind of capabilities? Why is it exploding in popularity? Rob, do you want to come in first?

(TC: 00:11:48) 

Robert Fitzsimons: When we look at malware, particularly around information stealers, what we see being referred to quite a lot is Malware-as-a-Service format. Just like ransomware-as-a-Service in the past, it’s massively expanded the ability and the reach of ransomware capabilities. You know, it’s gone from the hands of a few to be able to deploy that capability, to the hands of many. And the same is happening in regards to information stealing. If I develop an information stealer, and I’m trying to deploy it single-handedly, I can only target so many people and ultimately, to try and make as much money from that and make it as profitable as possible, I need to start pushing that out as a service to enable more people to leverage it. And I feel like that’s ultimately what’s happened with the information stealer side of things. It’s become more of a, sort of, commercialized service, if you will, where you receive services for monthly subscriptions or annual, lifetime subscriptions. Which ultimately enable as many people to start accessing information stealer malware as possible at a relatively low price point, a low barrier to entry and something that they don’t necessarily need to manage. They just need to shoot out and potentially monetize.

(TC: 00:13:05) 

Aidan Murphy: Yeah, I think it’s a brilliant point, thank you for bringing up the Malware-as-a-Service perspective, because it was something I wanted to touch on. And I like how you framed it as well, like, we saw ransomware as a service, you know, over a few years becoming the dominant model on the ransomware side, where it still is, pretty much. But this, well, I guess, yes, Malware-as-a-Service for the infostealers follows in its footsteps. So, like, you’re saying for less skilled cyber criminals, you now have access to this malware that is beyond, probably, your capability to develop for yourself, and then on the people who do have the capability, the actual creators of the malware, there are these massive incentives. Because you can now lease your malware to, you know, tens, hundreds of thousands of low level cyber criminals, I put in quotation marks, who can, you get a kick back from. So, it’s a completely scalable business. Joe, is there anything you would add to that, you know, in terms of the popularity of infostealers? Is there anything that you see, kind of, like, underlying this trend?

(TC: 00:14:09) 

Joe Honey: Yes, I mean, you know, stealers aren’t new. You know, the first stealers were seen in the ’90s, you know, the very early stages of the internet when they were just being sent around via email and, obviously, people didn’t really know better at that particular point. But I think, kind of, the two key ones for me in terms of why we’re seeing such a rise in the popularity of stealers is firstly, as Rob said, it’s just around the ease of use. You know, with a couple of clicks, an expert cyber criminal or a five-year-old can launch a campaign and start getting decent numbers of logs through. It’s not particularly complex or complicated to deploy. You know, staying undetected for a long period of time is, don’t get me wrong, but if you’ve got a credit card, take out some Google ads and some basic web coding skills, you can create a website and start deploying the malware. So, because of that, it’s so easy to use. So, it’s a very, very low barrier to entry. And it’s, you know, somewhere we see a lot of newer hackers, kind of, more junior both in terms of experience, level of knowledge and time served. It’s quite a common starting point for them to get their way into the criminal ecosystem. Obviously, the other point is it can be, kind of, quite lucrative, you know, it’s not too difficult or expensive to deploy but there was a campaign I was looking at recently, a threat actor was talking about how they were averaging about 700 stealer logs per 1,000, sort of, malware installations. So, essentially, 70% of the time they managed to get their malware deployed they were stealing enough information to collate into a log and then to go out.

Those logs typically are sold between five and ten dollars a pop on, sort of, dark web sites and Telegram channels, that sort of thing. You know, if you can automate that, that’s a lot of volume that you can process with very minimal effort on your part. So, it can be, you know, quite lucrative for some of these hackers. And, you know, if you do your job well and you’re not doing anything too malicious, you’re not deploying ransomware or that kind of thing, you can float below the radar potentially for quite some time, so it is lower risk, for example, compared to trying ransomware. You know, yes, the earnings won’t be in as big chunks as you might get with a ransomware payout, but longer term, kind of, lower risk longevity, it might not buy you a house a month but it’ll pay your champagne bill for the month, you know.

(TC: 00:16:28) 

Aidan Murphy: Rob, I can see you’re eager to jump in, but I’m just going to be the definition police and ask a little bit about logs. So, my understanding, and correct me if I’m wrong, Joe, is that logs are, kind of, a collection of data but it’s not specifically defined, like, there’s not a certain type of data that makes up a log, it’s just an accumulation of an individual’s data, whatever they’ve scraped, is that right?

(TC: 00:16:50) 

Joe Honey: Yes. I think so. So, what will typically happen is a piece of malware will install on my laptop, for example. So, it will go through my browser, it will then try and gather as much information as it can, and I describe it to, kind of, customers and particularly less technical, essentially, clones my online life. It saves usernames, passwords, cookies, authentication tokens, Bitcoin wallets, they’re even now dabbling in AI to try and find seed phrases and use optical character recognition to pull information out of pictures and things like that. So, all of that information that it can pick up about me, as much as possible, it will then, kind of, package that into a file, that will get sent to a server somewhere. Quite often we see Discord and Telegram, kind of, handling that, but there’s a lot of specialized infrastructure that comes with the malware to do it as well. And then at one point that will be reviewed. Whether it’s reviewed by a person or just, you know, goes through a data process to vet and review the amount of data there, I don’t know. But once it’s gone, you know, once the decision has been made as to whether I can and should sell this package of individual information or not, they will then put it onto somewhere to sell it, Telegram for example. So, that one package of information, that, kind of, bundle of everything about me is typically termed as a log. So, usually, if I’m describing a log it’s one person’s or one computer’s worth of information being sold for one sort of price. Rob, I don’t know if you’d include anything more or anything different in that one.

(TC: 00:18:19) 

Robert Fitzsimons: So, there was a point Joe made earlier regarding, I mean, we were talking about this trend and how it’s changed over time, we were talking about the lower barrier to entry, the ease of access to it all and as Joe was talking, there was another point which, sort of, came to mind. And it’s around the accessibility of this information and the conversations around it. So, you know, inevitably, as we start to talk about things more, more people become interested in it. And I think, particularly with information stealers, people have started, particularly in the cyber security side of things, we’ve started talking about it more in recent years, which potentially causes, I don’t want to go down a route of cause and effect here, but people inevitably start showing a bit more of an interest in going down that route. The other side of the communication side is that there’s more opportunity for outreach and reaching these potential communities now. Where we’ve looked at, primarily, we look at this activity in the dark web, right, classic Tor, forums, marketplaces where it’s being discussed, listed and sold, we’re also seeing a migration of activity towards Telegram. Places like Mastodon and the Matrix. These areas are all really relatively new technologies. They’re prolifically used by really large communities but are a lot, generally, a lot more accessible than Tor. People have a fear and, sort of, concern about potentially visiting the dark web. So, all of a sudden, if these things are appealing in a Telegram app that they have on their phone, they can hook in, they can start seeing these threads, they can see where these things are and they can start engaging in conversations that way. So, it’s all becoming much more accessible than it ever has been.

(TC: 00:19:58) 

Joe Honey: Just, kind of, building on what Rob said, as well, you know, they’re being talked about. So, they’re being, you know, they’re being popularized, so to speak. But I almost wonder if there’s a bit of a chicken and egg effect, kind of, going on here as well. You know, if you look over, kind of, recent years in cyber security, we’re starting to see a bit of a trend about being a bit more proactive on the cyber security side, you know. Who is going to attack me? When, where, how, why? And obviously, all of the various outputs and stuff become of that. I’m almost wondering if there’s a little part that, you know, we’re starting to talk about it more and see it more because we’re looking for it now. You know, you go back in the ’90s, you got hacked, you didn’t necessarily know where or how, you were just trying to focus on recovery, that sort of thing. You know, you look through the noughties and the tens, it’s all about building great files, EDR, MDR, essentially building bigger, thicker, stronger walls. You know, we’re now at the point where we’ve done that, you know, we’ve got that working as well as it can be, almost, and we’re now looking at ways that our enemies are going to come towards us, sort of, so to speak. And because of that, we’re seeing more and more evidence of this now. Yes, I don’t think that’s going to account for all of the uptick, that sort of thing, but it’s interesting to wonder, like, how much has been skating below the radar for the last however many years because we don’t know to look for it.

(TC: 00:21:12) 

Aidan Murphy: You’ve actually just touched upon something that I really wanted to talk about. Because the reason I wanted to do an episode on infostealers specifically, I guess, compared to other types of malware is because I think this is something that we have a unique insight into through the dark web. And I know, Rob, you brought up Telegram, Mastodon, Matrix, you know, these other apps that sit outside of the dark web. So, I’m going to put those to one side for now, although I will say that our last episode was on encrypted communication applications, so you can go and listen to those, listener, if you’re interested. But focusing on the dark web specifically, where do we see infostealers on the dark web? What is our insight to them from the data we collect from the dark web? Joe, I’m going to ask you.

(TC: 00:21:56) 

Joe Honey: Unfortunately, you see them all over the dark web and often logs are sold multiple times in multiple places. Generally speaking, kind of, the main source of these logs will be on autoshops and things like that. Because of the volume, because of the very easy, like, packaged nature of a log, you don’t need to answer too many questions. You know, you can look at some headline figures, this country, this number of usernames or passwords, top five or ten sites, for example, that can really easily be sold in an automated fashion. So, for the listener, autoshops are automated marketplaces for digital goods. They’re probably as close to Amazon as you’re going to get, kind of, on the dark web really. You know, you click a couple of buttons, you purchase what you want and it’s delivered. So, yes, so traditionally that has been one of the main places for selling these, sort of, stealer logs. Genesis Market is a famous example that was taken down recently by, sort of, law enforcement. Increasingly, as I think Rob mentioned earlier, we’re seeing this, sort of, pivot over to Telegram and we’re seeing a lot of logs being bought and sold and traded, sort of, by Telegram. Occasionally, we might see the occasional high value one pop up on a forum or market but you know, because it’s a really easily packaged good, it’s typically more automated methods of sale. What we have seen from time to time as well is, you know, like any kind of data, particularly credential related data, it does have a bit of a shelf life. If you try to use my passwords from a year ago for example, most of them, if not all of them, would’ve been changed and rotated.

So, when some of these logs do get older and have been around for longer, there are people who will take that, will, kind of, re-package it. You know, they’ll put tens, hundreds, thousands of logs, lines of data, into a spreadsheet and they will then try and re-sell that, obviously for a much lower price as well. So, yes, some people do get, kind of, two bites of the apple, so to speak, in terms of selling these.

(TC: 00:23:52) 

Aidan Murphy: So, that’s one aspect, so the sale of the, basically, the output of the infostealers, so install the infostealer, it steals all this data, the dark web is the marketplace where you sell that, like, exactly as Joe describes, either fresh off the print or, kind of, bundled together later. Rob, another aspect from my understanding is that we also see infostealer strains, kind of, discussed in forums and in marketplaces, as in the development of these infostealers, you know, how you go about renting them, for example, and this, kind of, Malware-as-a-Service model. Is that right as well that you can, kind of, follow the trends on what stealer’s in vogue or is the most popular?

(TC: 00:24:35) 

Robert Fitzsimons: Yes, that’s exactly right, Aidan, so, and this becomes really valuable from a security research perspective and trying to understand from a proactive security perspective, what actually is it that we’re looking for and potentially having to mitigate. You know, if you’ve got an enemy coming over the horizon, you have absolutely no idea what they’re bringing, you’ve got no idea what you need to protect against. Whereas, if you know that they’ve got trebuchets, catapults, you know that you need to put up your wall’s defenses a little bit better. By looking into the dark web and using tools like Cerberus, our investigations platform, we can go in and, you know, curate certain search terms and look for something like Rhadamanthys and its improvements or enhancements or updates, features, and key words that you would generally associate with software development. And you can start to identify conversations from individuals showing interest around it, through to the developers of these information stealer malware. You can start to understand what is coming, what they’re looking at, almost like a roadmap of upcoming features. What is being deployed, what version it’s on. And ultimately, it gives you a much more comprehensive understanding of how sophisticated this capability is and consequently, how effectively it could potentially compromise your infrastructure. You know, if you’ve got a malware that’s been-, an information stealer malware being developed to specifically target macOS and you’re running everything on Windows, you probably don’t need to worry about that one. On the other hand, if you’ve got one that’s specifically designed to target Windows and Google Chrome browsers and certain extensions that you know your infrastructure uses, that’s probably going to be a little bit more of a concern.

(TC: 00:26:21) 

Aidan Murphy: Because I know it’s an obvious point, but it’s not actually something we’ve said on the podcast yet and probably something we should. Obviously, though, if you’re an individual, there are real risks of infostealers. You know, I could download some dodgy software that would be very bad for me, but from a business perspective, there is a, kind of, huge amount of risk here that you could have very, very sensitive data or log ins to your systems being, kind of, hoovered up by these pieces of malware that are designed not to be caught by your, you know, detection software and really could do some damage.

(TC: 00:26:53) 

Robert Fitzsimons: Absolutely, and to, sort of, touch on a point that Joe mentioned earlier, talking about the, sort of, malvertising side of things. Like, sometimes these look extremely sophisticated. We had a client, rather, had an interest in several months ago, where they had a branch of their organization who had, they needed internal communications capability. They didn’t already have one, budgets were relatively tight, and one of the individuals took it upon themselves to find a Microsoft Teams license. They downloaded that instance and shared it with the rest of their team. That, you can understand, were communicating, continuing business as usual. Which is great, nice using his intuition. The trouble was, it wasn’t from a vetted or authenticated site and sometimes, if these things are free there’s very good reason for it. It did, in fact, contain an information stealer, which was then consequently shared throughout the rest of the team compromising all of their devices, and from that business perspective, you have got log in credentials of all users within a given team or as wide as that malware has potentially spread. And if you’re not aware of that, within your organization, it could be particularly persistent, it could hoover up data for a fair period of time, and it’s creating access to an infrastructure, to that organization, which is being sold on the dark web or wherever it may be being distributed. And security teams may have absolutely no awareness of it, until they’ve identified potentially that information stealer log being sold on the dark web, if they’re looking for it.

(TC: 00:28:31) 

Aidan Murphy: Well, I think that’s a really good example again of where the dark web gives you this insight, right. We’re going to come in a little bit more to how cyber security professionals should be protecting against and tackling infostealers. But I know in the specific case you’re describing, Rob, that the reason we know they were impacted by an infostealer is because we spotted that their data was being sold on the dark web and were able to basically, allow them to investigate and find out that it was this infostealer that had come from that software. I think it was Raccoon Stealer, off the top of my head.

(TC: 00:29:05) 

Robert Fitzsimons: Yes, it was.

(TC: 00:29:07) 

Aidan Murphy: If you’re looking at the dark web, at least, you know, you probably want to find out before your data’s up there, but at least there is then an option to go away, mitigate all of those infected employees’ devices, change parts providers, change policies, you know, to take mitigative actions that if you don’t know that its already infected, that you wouldn’t be doing.

(TC: 00:29:28) 

Robert Fitzsimons: Absolutely.

(TC: 00:29:29) 

Aidan Murphy: I will say now, in the show notes, we actually do have that, we have a, kind of, short report summarizing that case, it is a really good example, so if you are interested more in that story, please download that. So, I think to bring infostealers to life a little bit, I wanted to use some examples. I mean, you guys have already mentioned a few strains actually. But maybe if I can just ask you to, kind of, call out one strain each, give a little bit of an overview of it so it’s a little bit less abstract for the listener and they can understand some specific strains. Joe, I’ll come to you first.

(TC: 00:30:02) 

Joe Honey: Sure. So, one of the strains of stealer malware I’ve been keeping an eye on for a while is called Rhadamanthys. It was actually one of the first, sort of, stealer malwares that I started looking into when I joined Searchlight a couple of years ago. So, it was first seen in the, sort of, summer, about August time 2022, but really started to get some traction and started to see a volume of logs being sold in December 2022. It’s pretty cheap. You know, on average, costing, sort of, $200, $300 a month for, kind of, access. So, again, very easy to pick up and start using. One of the interesting things for me about it is A, we’ve seen this develop right from a very basic stealer, all the way through to, you know, very full featured in terms of what it offers. And the actors behind it post their change logs very regularly on dark web forums. Or at least they used to until they were banned from some of the main ones. But, like, post their change logs, they’re seen really engaging with their customer base. What do you want? What would you like? What should I prioritize? So, you know, it’s a very business-like arrangement in terms of how they approach it. And similar to being businesses, you know, they take feedback from their customers, they jump on trends. So, one of the things we saw recently with Rhadamanthys is that it’s using artificial intelligence and particularly optical character recognition to try and extract key information, typically, sort of, crypto wallet seed phrases, from various images and saved files and things like that. Just to try and add more, sort of, value to it. We don’t know the total number of victims for it, but it’s fair to say it’s well into the tens of thousands, if not more. It’s pretty popular, you know, there are only, sort of, 500, 600 posts that we’ve seen in our data set talking about, kind of, Rhadamanthys.

This one in particular is mainly delivered by malvertising. There hasn’t been too much evidence that I’ve seen so far of it being delivered by phishing. But it’s obviously capable of doing so. And again, you know, it’s really well developed. It employs a lot of different techniques to try to avoid analysis, both in terms of the behavioral type stuff, you know, what is this piece of software doing? When and where, and does it do a suspicious network connection at 3 o’clock every single day? But also in terms of anti-sandbox type stuff as well. Trying to detect if it’s being run in a virtual machine. So, yes, it’s a very, kind of, complicated piece of malware that’s, you know, been developed over a good, sort of, two years or more and yes, is unfortunately being used to good effect by cyber criminals.

(TC: 00:32:32) 

Aidan Murphy: I think it’s a great example Joe, I think it really pulls out some of the things we’ve been talking about. The sophistication of this malware, the Malware-as-a-Service model, like you say, taking on board customer feedback and this kind of stuff, which I think, again, for people who don’t look at the dark web as much as we do, I think can often be a shock how much these are really run like businesses.

(TC: 00:32:54) 

Joe Honey: Yes, they’re organized, they have channels for support, they have channels for sales, they have software developers, they have the capability to launch bugs and feature requests and stuff. They run probably quite similar to most software businesses, obviously, just on a much smaller and much more illegal scale.

(TC: 00:33:09) 

Aidan Murphy: Rob, what example did you bring to the table today?

(TC: 00:33:13) 

Robert Fitzsimons: So, I mean, I was going to talk to Vidar, to a certain degree, which I sort of, covered off so far to a certain degree. I think Vidar’s been particularly interesting from, again, the fact that it’s been around so long. But a lot of these information stealer malwares are, or can be, a bit of a flash in the pan, right? They’re cheap, they can get spun up, pushed out, for relatively little amounts of money and maybe don’t last very long. Maybe for a few months, a year or so. Vidar’s particularly interesting because it’s been around since late 2018, which shows that it’s grown a customer base, if you will, it is listening to feedback, like Joe was talking to just now. People request certain updates to it. They develop it, or the developers of this information stealer malware continuously develop and improve it with additional functionality, additional capabilities to go across multiple platforms, target multiple web browsers and extract more and more data from all of the capabilities that we use to try and prevent our data from being hoovered up. So, it’s obviously-, it’s a very sophisticated information stealer malware that has, I hate to say it, but a lot of love being put into it by these criminals, which is ultimately why it’s stood the test of time and is, sort of, monetized and making a fair amount of revenue. I don’t know what that figure is, but I would be interested to find out. Again, particularly interesting from the fact that they do have communications on the dark web. We can see a number of users around, discussing that activity and promoting updates across a number of different forums, generally Russian-speaking hacking forums, like XSS and Exploit.

But they’ve also got channels across Telegram and Mastodon, as I mentioned earlier. And I have read reports that indicate they also have conversations in social media, social gaming platforms. So, it’s another area that people try, or these criminal actors try, to break out of some of these areas to reach new communities. One of the other malwares to, sort of, put this on the other side, obviously, Vidar’s fairly sophisticated, been around a few years. One of the other ones that I was looking at, which I’ve seen but not seen much of, is Meduza stealer. And the reason for that is it only appears to have been around for about a year or so. So, our data set shows it was around, sort of, mid-last year, 2023, and I haven’t seen anything in our data set for the last few months. So, it may have been going quiet for a bit. It may have just ceased function altogether. But that was selling in the region of $200 a month or $1,200 for lifetime access. So, again, relatively cheap, but if you think that someone’s spinning this up, offering to provide all the updates and things for free for lifetime access, at $1,200 they only need a handful of people to buy into it to make that actually quite a lucrative financial endeavor. And again, why I found Meduza particularly interesting was because of the areas in which it targets. We generally think of information stealers as targeting organizations and individuals, particularly from, like, a business perspective, and trying to get access to our networks and compromise organizations. Meduza was particularly prevalent in targeting online gaming platforms. One of the most targeted games in this case is Fortnite. And the malware in these cases is delivered through cracks or hacked versions of the games, which Joe alluded to earlier.

But also looking to, once it’s gone in, capture not just the log in credentials of the individuals but the in-game purchases that these people were making. As we all know, the online gaming market, particularly games like Fortnite, is extremely lucrative. There’s a lot of money being traded in those purchases. So, being able to target things like Fortnite enables a completely different revenue stream that we don’t often consider on the information stealer side. Collecting these individuals’ data, be it credit card information to, you know, my wallets, mum and dad’s wallets, trying to be associated with this game, to allow their kids themselves to play. And it’s really hard to track, really hard to, sort of, identify that activity because not many people are going to own up to downloading a hacked version of a recently released game.

(TC: 00:37:47) 

Aidan Murphy: I just heard parent listeners all round the world have shivers down their spines at the idea of this. Those are two really interesting examples and yes, I think, yes, Meduza, so like you say, could be one of those flash in the pan ones, maybe we’ll never see it again or maybe it will re-emerge, but a great example of how specialized it can be. Really fascinating. So, hopefully that’s given people quite a good overview of what infostealers are. And then the golden question is how can they be tackled? I’m going to start from a law enforcement perspective, because we’ve got a very recent example of a successful operation against infostealers, which is Operation Magnus, which disrupted the RedLine and META infostealers. Joe, maybe could you tell us a little bit about that?

(TC: 00:38:35) 

Joe Honey: Yes, sure. So, Operation Magnus was very recent. So, on 28th October this year, the Dutch national police, but there were a lot of other law enforcement organizations around the world. So, FBI, Europol, Eurojust, our National Crime Agency in the UK, were all involved. And basically, they announced there was a targeted investigation into the infrastructure behind RedLine and META stealer. That investigation was probably at least twelve months or more in the making and it resulted in at least three servers being taken down, two different web domains involved in, kind of, servicing that malware were taken down. There were three arrests, one in the US, sort of, two in Belgium. So, it was quite a significant blow into the infrastructure of these two stealers. Obviously, they haven’t told us exactly where and how the investigation started and what methods they used for obvious reasons. We do know that it started after some victims approached law enforcement with some useful information and I believe there was an unnamed security company managed to identify some suspicious servers in the Netherlands. And, you know, those two, sort of, chunks of information there were enough to get things moving. Ultimately, law enforcement investigated, they managed to seize, sort of, a couple of servers. They’ve only named one perpetrator, as far as I’m aware, a chap called Maxim Rudometov. Interesting with him, he’s believed to be one of the main developers and administrators behind the two pieces of malware. And he was identified from some pretty poor operational security. So, operational security is the practice of how you stay safe and essentially, anonymous on the dark web. You know, could have completely separate email addresses for your dark web life, your real web life.

You know, separate machines, computers, that sort of thing. In his case, however, I think he used an email address on his, kind of, dark web life, that email address was linked to an Apple iCloud account. When law enforcement got a warrant to search that, they found some very incriminating evidence as part of that. I don’t quite think it was a file saying, ‘I developed RedLine.’ But it was probably as close as you’re going to get. So, yes, it was a big significant blow. It hasn’t completely killed both of those malware, unfortunately, so they took down, sort of, three servers. Law enforcement believe that there were over 1,000, potentially 1,200 servers around the world that are involved in running RedLine and META. But they’ve made it very difficult for criminals to go on and use that. A, obviously they’ve gone after one of the original developers and maintainers of it, so they’ve removed that, kind of support, they’ve cut the head of the snake off, so to speak. Unfortunately, well, they’ve identified a lot of other users of the malware, but these users of the malware and potentially, you know, unknown, unnamed other people around the world may have this, kind of, running on their own infrastructure, their own servers and that sort of stuff around the world. So, they’ve made it very difficult to start off with. They haven’t completely killed it. But one of the interesting things that we’re seeing more and more with law enforcement investigations and operations is they’re starting to include more, sort of, psychological warfare. So, for the Operation Magnus, they set up a dedicated website for it. They posted some very interesting videos about what they were doing and why. They were almost, sort of, trolling people who are using this malware, describing them as VIPs.

Not very important people, very important to police. You know, this, sort of, public posting of data, videos, is, kind of, dipping into some of the tactics of the criminals, but it seems to be working. It’s creating a bit of a stir or a bit of panic on forums and Telegram channels. You know, people are starting to worry, do I need to burn all my computer equipment and start again?

(TC: 00:42:26) 

Aidan Murphy: I’m really glad you’ve brought that up. The parallels between this and Operation Cronos, which we’ve spoken about on previous podcast episodes, this law enforcement operation against Lockbit, which very similarly didn’t completely topple the Lockbit group but was clearly designed to discredit them and this seems to have a very, very similar objective. And like you say, Joe, psychological element to it. So, as an example, in one of the videos you’re describing, at the end they say they’ve given VIP status to META and RedLine users, where VIP means very important to police, this, kind of, threat. ‘We have your data, we know who you are.’ So, like you say, you know, you can continue using the META and RedLine malware but you’re using it at your own risk now and we have shown that we can take down servers and we can arrest people. I think it’s a really interesting element. I like that even in the Eurojust press release they mention the video and they say, ‘The video sends a strong message to criminals showing that the International Coalition of Authorities was able to obtain critical data on the network and will shut down the criminal activities.’ So, really, really leaning on this message that they’re sending to people. They’re really calling it out that it’s not just about the, kind of, technical take down or even the arrests. It’s about the message that it’s put out there to, I guess, users of META and RedLine but also other infostealer strains. Rob, do we know much about RedLine and META, were they quite popular infostealers before they were taken away?

(TC: 00:43:57) 

Robert Fitzsimons: They were particularly popular. We’ve seen a lot of activity related to RedLine, both RedLine and META, over the last few years and I think the, sort of, proof is in the pudding there with the fact that it was a concerted effort by global law enforcement agencies to take these guys down. If we look to the past, you mentioned Operation Cronos when they took down Lockbit at the beginning of this year. It really showed how much of a focus they put on organizations, particular ransomware groups, who have been particularly prolific. We know there’s a lot of ransomware groups going, but Lockbit were by and large the most prolific group out there, having a lot of activity all round the globe. Law enforcement know that and they want to, sort of, why take out one of the smaller fish, if you will, when you can cut off the head of a snake and start to sow that distrust around all of the other guys from using it. And I think we’re seeing the same here. You know, RedLine and META have obviously been massively on law enforcement’s radar. To have a concerted effort like this shows that they are important and hopefully we’ll start to see this-, I mean, as Joe said, we have already seen conversations and people being concerned about, you know, where do we go next? What information do you actually have about us? The likelihood is it’s going to have a really significant knock on impact of people starting to move away from using these, at least for a period of time. So, they can, sort of, let the dust settle, see what they want to potentially do next, but that’s ultimately positive, you know. From an industry perspective, we might get a little bit of breathing space and information stealers and things might not be so prolific for the foreseeable future. But like all of these things, something will no doubt come in its place, maybe next year, and it’ll be, what’s next? I think that’s what we’re all looking to at the moment to understand, what is next? Where is it coming from and what can we potentially do about it?

(TC: 00:46:00) 

Aidan Murphy: Yes. And I think just to give people an idea again, just on these specific infostealers, so the data that the police said that these two infostealers collected included usernames, passwords, automatically saved form data, such as addresses, email addresses, phone numbers, cryptocurrency wallets, cookies. So, again, I know we’ve spoken about this a little bit already with the examples you’ve given, but I think it’s just really important people understand, like, the breadth of the data this is taking, and the FBI did specifically call out, you know, this is data that will allow the infostealers, or the people who had the logs, to bypass multi-factor authentication. This is where it becomes very dangerous because, you know, the measures that we usually rely on to protect us, such as having to give a second password or getting a code, or your cookies, that’s what this malware is designed to bypass. And they did say this had impacted millions of users before this law enforcement operation, which is obviously a very big number. But as you say, Rob, I think it’s right. It shows that infostealers are in the cross-hairs of law enforcement, if we want to put it that way. In the meantime though, you have both called out quite a few different strains. People can’t rest on their laurels and just assume law enforcement are going to, you know, clean all the infostealers up in the next couple of weeks or months. So, from a cyber security professional perspective, I’m going to ask each of you, what do you recommend people should be doing or looking for, or things that they should be putting in place, to either protect themselves from infostealers or mitigate their effect? I’m going to start with you, Joe.

(TC: 00:47:37) 

Joe Honey: Kind of, good news and bad news. If you’re doing a lot of the basics well, you know, around cyber security, you are going to minimize your risks. You’re never going to completely eliminate it, because, you know, ultimately, a lot of stealer malware infections do come from human activity. And you know, it’s often said the weakest link in the cyber security chain is, you know, the person connecting the keyboard and the mouse together. But if you’re doing things like MFA, that’s a really good way to stop that. It’s not fool proof. If we go back to the Snowflake breach earlier in the year, a lot of the access gained there was said to be from credentials that were found freely available on the dark web. And everything from things like stealer malware. You know, MFA wasn’t active on any of those accounts, but having it in place could’ve stopped that. Equally as well, you know, try and give this data as short a usable half life as possible. You know, particularly for key points. If you’re rotating your administrator passwords, you know, once a month. If you’re using a good, kind of, password manager, that sort of thing, to rotate these things through, this data is going to be dangerous for a much shorter period of time, which is obviously going to help out. Another, kind of, quite strong thing, particularly for sensitive infrastructure, is going to be using things like access control lists and allow lists. You know, why can someone in Russia potentially log into your server and do absolutely everything? You want to lock it down to one specific machine on one network somewhere that you know and control and protect. If you can do, sort of, those three things that will do a good chunk of work for you. And then we have the obvious stuff in there on top, you know, make sure everything is patched.

Make sure any antivirus, EDR, MDR is up to date with the latest signature version and indicators of compromise, if you can. And just try and educate your users as well. You know, if you really need a particular piece of software, go through approved channels to do it. Don’t try and save a couple of quid by finding a moody version on Google or YouTube or whatever. Just pay the money, you know, buy them from a reputable source that you can check and audit and control.

(TC: 00:49:38) 

Aidan Murphy: Yes, brilliant, thanks Joe. Rob, is there anything you’d add on top of what Joe’s just given us?

(TC: 00:49:43) 

Robert Fitzsimons: I think Joe’s, sort of, covered all of the key areas there. One thing that I would add that’s understandably fallen out of Operation Magnus is the ESET online scanner for RedLine and META. Understandably, pouring out of this really broad campaign, if you go onto operation-magnus.com, you’ll be able to see the information that’s been put out by law enforcement following this take down. And there’s some really good sources of advice, information around the operation, but this online scanner that ESET have provided is for users to utilize to see if their device has been compromised by this particular information stealer, that’s either RedLine or META. So, it might be a good opportunity for you just to go and have a look at something like that, scan your devices and understand if you have been potentially compromised by one of these information stealers and then ultimately, as Joe said, start putting these processes into place, make sure that we’re as secure as we can be. And ultimately being vigilant. No clicking on these links. No assuming that this new tooling that’s going to answer all our problems in the lead up to Christmas is free for the next couple of weeks only. It’s probably not a good idea to go download, and just check before we do any of these things.

(TC: 00:51:02) 

Joe Honey: If it looks too good to be true, it probably is.

(TC: 00:51:05) 

Robert Fitzsimons: That’s the one.

(TC: 00:51:06) 

Aidan Murphy: Yes, it’s a really good point on Operation Magnus as well, I’ll put it in the show notes and the link to the operation where you can actually watch the video I was describing, the trolling video. But as Rob said, probably more usefully, find this guidance and helpful information too around those two infostealer strains. Just to wrap up then, it’s December, which everyone in cyber security knows is the time of predictions. So, just before we finish, I just wanted to ask each of you, what do you think we have coming for infostealers in the year ahead? Rob, you were, kind of, alluding to more law enforcement operations. What do you think is to come?

(TC: 00:51:42) 

Robert Fitzsimons: I think, following Operation Magnus in particular and seeing the focus that they have on information stealer malware, understandably it’s become particularly prolific, particularly accessible and easy to deploy. I think it is going to be on people’s radars more, both from a law enforcement perspective to, ultimately, protect us and organizations as well as individuals. But also from the threat actors’ perspective, right. Yes, they are being targeted by law enforcement, but it is still lucrative and people in the criminal game ultimately want to make money. So, I do think there will be an opportunity for somebody to potentially try and fill this void. Something is going to potentially have to come and fill the place of RedLine and META. Whether it’s going to be something new that lasts for the next few years, or if it’s going to be something for the next few months, who knows? But I don’t think it’s a conversation that’s going to end at Christmas.

(TC: 00:52:42) 

Aidan Murphy: Brilliant, and Joe, how about from your side? What’s your prediction for infostealers in the year ahead?

(TC: 00:52:47) 

Joe Honey: Things are going to change. You know, the dark web ecosystem, cyber security ecosystem constantly changes. There are always new tools and techniques and stuff like that coming through. But yes, as Rob said, I don’t think stealer malware is going anywhere, unfortunately. It’s proven to be lucrative and it’s proven to be useful for the criminals. So, until, you know, us on the good side can take that usefulness away, it’s always going to be there, unfortunately. I think we’re going to see more focus from law enforcement on it. And, you know, we’ve seen a couple of good, sort of, take downs and stuff like that this year. I think that’s going to accelerate. A, because they know how to do it now but also, it’s a big deterrent and it stops a lot of follow on stuff as well. You know, if you can stop a particular type of stealer being involved, you can potentially stop one, three, five, however many cyber attacks later on down the line that would’ve relied on accessing the credentials and stuff that came from that. So, I think that is very much what we’re going to see. And equally, on, you know, the bad guy side, I think they’re going to continue to innovate. We’re going to see new strains pop up. They’re going to look at new ways to try and make our lives more difficult and, kind of, bypass all the defenses and stuff that we put in place. So, I think it’s a cat and mouse game we’ve got of them finding a new technique, us finding a way to defend against it. That’s going to continue and it’s probably just going to get bigger and faster as, kind of, more AI gets involved on both sides of the fence.

(TC: 00:54:11) 

Aidan Murphy: Brilliant. Well, I’m going to put a positive spin on it and say there’s going to be developments in infostealers but also it looks like some more wins for law enforcement in the year ahead and hopefully, with some good advice from you guys, some success on the cyber security side as well. And I think that’s a good note to draw a line under this episode, and indeed this series of The Dark Dive. A big thank you to Rob and Joe for joining me and a big thank you to all the listeners who’ve stuck with us through 2024 as we explore the deepest depths of the dark web. Fear not, The Dark Dive will return in 2025 and we’ll be back tackling brand new topics and whatever the cyber criminal underworld has in store for the new year. Until then, follow us for free on Apple Podcast, Spotify or YouTube or whatever app you use to listen to your podcasts and work your way through our back catalog. And remember, if you have a question for us, a guest, or a topic you’d like us to cover, you can get in touch with us through the contact details in the show notes. Until 2025, stay safe.
