Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms

-

 

Cyber threat intelligence largely involves the tracking and studying of the adversaries outside of your network. Gaining counterintelligence about your adversaries' capabilities and weaponry is one of the final building blocks for managing a strong cyber defense. In the pursuit of performing this duty, I have been studying how to discover adversary infrastructure on the internet. One good way of doing this has been via leveraging the scan data available through the popular Shodan search engine. If you've not used it before, Shodan periodically scans the entire internet and makes it available for users to query through. It is often used to monitor networks, look for vulnerabilities, and ensure the security of an organization's perimeter. 

But we can also use Shodan for tracking the adversaries. Through the process of fingerprinting - that is to identify unique attributes of IPs on the internet - we can find command and control (C2) servers and login panels belonging to cybercriminals online. Through this process, I was able to identify dozens of infostealer control panel login pages, as well as three infostealer malware families, called Titan Stealer, Patriot Stealer, and Raxnet Stealer, that have not yet been reported elsewhere online (as far as I could tell).

 It all started by searching http.html:"stealer" in Shodan. This revealed several login pages for known and unknown infostealer malware. I have since created a page on my GitHub repo to share some Shodan dorks that help reveal adversary infrastructure.



Misha, Collector, and Titan Stealer

The above Shodan dork revealed dozens of IPs, which if investigated were found to be login panels for infostealer malware families. Misha Stealer and Collector Stealer are two semi well-known malware families. The "Titan Stealer" panel appears to be new with apparently no references online, vendor reports, or social media mentions by other researchers. Looks like one we should track in my books. 


Grand Misha (aka Misha Stealer)

  • Shodan Dork 
    • http.title:"misha" http.component:"UIKit"
  • URLscan Query
    • https://urlscan.io/search/#filename:%22misha.css%22
    • https://urlscan.io/search/#task.tags:%22misha%22

Collector Stealer

  • Shodan Dork 
    • http.html:"Collector Stealer"
    • http.html:"getmineteam"
  • URLscan Query
    • https://urlscan.io/search/#task.tags:%22collector%22

Titan Stealer

  • Shodan Dork
    • http.html:"Titan Stealer" 
  • URLscan Query
    • https://urlscan.io/result/daca0fcd-bbc9-48c8-810d-89fee466b639

Patriot Stealer

The same Shodan Dork http.html:"stealer" also revealed an unreported and new Malware-as-a-Service (MaaS) platform marketing itself as "Patriot Stealer". The paid version of the infostealer malware is reportedly capable of stealing "passwords, cookies, Autofilldata, Telegram session, Persistence" and if you want to buy it you should speak to "@kastr3" on Telegram. Interestingly, the malware leverages Discord webhooks to report to the operator when a victim has been infected and data has successfully been stolen. 


From the Discord language setting in the screenshot on the website and from the description of the group's Telegram channel it appears the developer(s) of the Patriot Stealer are Spanish-speaking threat actors.

Patriot Stealer
  • Shodan Dork
    • http.favicon.hash:274603478
    • http.html:"patriotstealer"
  • URLscan Query
    • https://urlscan.io/result/43a51776-e283-4522-ab29-ea5c7efc174a/ 
  • Telegram Channel
    • hxxps://t.me/patriotstealer



RAXNET Bitcoin Stealer

Again, the trusty Shodan Dork http.html:"stealer" uncovered another new and unreported infostealer malware called "RAXNET Bitcoin Stealer" that targets cryptocurrency users by replacing destination wallet addresses with the cybercriminal's own wallet addresses. The main features of this Malware-as-a-Service (MaaS) allegedly includes "Fully Undetectable, AV-bypass, Private Key Stealer, Online Logs Panel" and has several pricing models from $80 to $150, including "similarity mode" and the "builder" of the malware. The MaaS operators also offer "spreading methods" for $75. Other notable services related to this MaaS were "resell rights", "full video tutorials", "24/7 support", and a "refund policy."

RAXNET Bitcoin Stealer

  • Shodan Dork
    • http.favicon.hash:-1236243965

  • URLscan Query
    • https://urlscan.io/result/c4f7f543-46f5-4051-b3cb-3699d4b99c5c/

  • Domain
    • cryptohax[.]net

  • Telegram
    • @PureTX (hxxps://t.me/PureTX)
  • E-mail
    • punity@protonmail.com
  • YouTube

    • https://www.youtube.com/@bitstorm101 (Joined 17 Nov 2022)

    • https://www.youtube.com/@punxi49 (Joined 21 Jun 2020)

    • https://www.youtube.com/watch?v=oNGIubac9sk (video tutorial)

    • https://www.youtube.com/watch?v=D9iT4VJev28 (video tutorial)




Analysis

The cybercriminal underground continues to evolve, and Malware-as-a-Service (MaaS) offerings have been a significant contributing factor for an increase in cybercrime. Aspiring cybercriminals no longer require the technical skills to perform such attacks, but as little as $150 dollars to run a malware campaign with a multi-featured cybercrime tool allegedly with "24/7 support" from English- and Spanish-speaking malware developers as part of the as-a-Service business model.

This research also highlights that the infrastructure of cybercriminals often includes several common denominators, such as email addresses and Telegram channels to communicate with customers, websites and YouTube channels to advertise products, as well as cryptocurrency wallets to receive payments.

Stealing credentials on a wide scale can be useful for a plethora of attacks. The threat actor who actually stole the credentials is also not always going to be the one who leverages them. This is due to the growing popularity of selling stolen credentials on cybercrime forums and marketplaces.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more