In the first of this two-part blog post on the Russian-speaking infostealer ecosystem, Sekoia.io analysts highlighted the main distribution channels cybercriminals use to spread their infostealers to a wide audience. In this second part, we share our analysis of the phenomenon of large-scale data theft, focusing on “logs”, i.e. the stolen data collected by infostealers. Since both financially motivated and State-nexus threat actors add infostealers to their malware toolset, Sekoia.io monitors and analyses this infostealer ecosystem in depth to follow the trends.
This blog post aims to present the life cycle of logs, the cybercrime marketplaces dedicated to logs, and the noticeable schemes recently used by threat actors to exploit the stolen data. It is based on the monitoring of threat actors’ activities on underground forums and Telegram channels, as well as on open-source reports.
The log that hides the forest of information
In a cybercriminal context, a log is the data collected from a host compromised by an infostealer. A log usually contains sensitive information stored on, and about, the user’s machine, including:
- System information: OS version and architecture, computer name, user name, CPU and GPU information, keyboard language, hardware ID and other hardware information;
- Network information: IP address, user-agent, location;
- Software information: installed applications, running processes;
- Web browser data: URLs/cookies, URLs/saved credentials, history, autofill, bookmarks, stored credit card information, browser extension data;
- Applications: local data from installed software, including email clients, messengers, cryptocurrency desktop wallets, FTP, VPN;
- Documents: user’s documents on the computer (often matching