A Quick Look Inside Data Stealer Logs

 

Organizations adjust to changing tactics. This includes both legitimate businesses and criminal enterprises. One example is ransomware. Years ago, ransomware was about holding people’s data hostage unless they paid to get it back. While that is, unfortunately, still an effective business model, some businesses got better at protecting their backups and being able to recover their data without paying the ransom. Once this happened more frequently, ransomware operators needed to adjust their tactics slightly. This adjustment was stealing a copy of an organization’s data for themselves and threatening to release it publicly on the dark web if the ransom was not paid. This caused some businesses that could recover their data to pay the ransom still to avoid sensitive data being released publicly.

Botnets have been around the internet for a long time. A botnet is where a hacker places malware on many systems to gain control of these systems and use them for various purposes, including denial of service (DoS) attacks against websites, video game players, etc. Recently, these botnets have started to use their access to generate data stealer logs, which are being used extensively in the criminal underground.

A data stealer is malware designed to steal sensitive information from an infected computer or network. This information can include login credentials, financial data, and other personal information. Data stealer logs refer to the records created when a data stealer is active on a system.

The information in data stealer logs can vary depending on the specific malware. However, it typically includes details such as websites that a system visits and the credentials they use to access those sites. This is why data stealer logs are becoming so popular on the criminal underground. It’s not the fact that someone is capturing information from 1,000 systems, it’s that one of those 1,000 systems is owned by an employee at a Fortune 500 company, and the credentials they use to access their work network just got captured by the attacker. For years attackers (and pen-testers) have used credentials from breach data to attempt to access their employer’s network in hopes that some users have reused their passwords. These data stealer logs can be even more effective since the access credentials are captured in real-time.

As more people are becoming interested in data stealer logs, I wanted to write a blog post showing what these logs look like. These logs contain current data (January 2023), so I will do my best to censor sensitive information.

In the image below, you can see that these logs are organized by the system they were acquired from and the data of their acquisition.








Looking inside the folders, you see a variety of different files, including:









Screenshots of the system:






Passwords:










Browser Autofill:






In the “FileGrabber” subfolders, there are a variety of gathered documents from the systems:

 









For an attacker, the information in these logs can lead to easy and immediate access to these users’ email accounts, PayPal accounts, online banking information, and potentially their employer.  Two-factor authentication may help protect some sites depending on how it's implemented. Still, with this access, a determined attacker might be able to intercept the message (for instance, if it’s a code sent to the user’s email) or potentially use this access to pivot to the user’s mobile device for SMS intercept.

The screenshots in this blog post showcase the alarming capabilities of malware data stealers. They can infiltrate systems undetected and exfiltrate sensitive information without the user realizing it. This is an excellent reminder for individuals to use two-factor authentication, such as Google Authenticator. For enterprises, it may be worth considering monitoring these logs to get alerted if credentials to your network appear in them.  

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more