Secureworks research finds stolen logs have grown 670% on Russian Market, as infostealer malware usage dominates
In its latest report, The Growing Threat From Infostealers, the Secureworks Counter Threat Unit™ (CTU) has revealed a thriving infostealer market that serves as a key enabler for the most damaging forms of cybercrime such as ransomware attacks.
Infostealer malware, which consists of code that infects devices without the user’s knowledge and steals data, remains widely available to buy through underground forums and marketplaces, with the volume of logs, or collections of stolen data, available for sale increasing at alarming rates.
On the Russian Market alone, the overall growth was 670% between June 2021 and May 2023.
“Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetise that access,” said Don Smith, Vice President, Secureworks CTU. “They are readily available for purchase and within as little as 60 seconds, generate an immediate result in the form of stolen credentials and other sensitive information.”
He added: “However, what has really changed the game, as far as infostealers are concerned, is improvements in the various ways that criminals use to trick users into installing them, such as fake messaging apps and cloned websites. That, coupled with the development of dedicated marketplaces for the sale and purchase of this stolen data, makes it even harder for victims to detect and remove infostealers.”
Infostealers can easily be installed on a computer or device via phishing, infected websites, malicious software downloads and Google ads. A log represents the complete collection of assets that can be stolen from a victim’s endpoint, from cookies through to stored credentials.
In 2022, stolen credentials accounted for almost one in 10 of the incident response engagements Secureworks was involved in and – from April 2022 to April 2023 – were the initial access vector (IAV) for 34% of ransomware engagements.
Highlights of the report
In the report, Secureworks researchers analyzed the latest trends in the underground infostealer market, including how this type of malware is becoming more sophisticated and difficult to detect, posing a challenge for defenders of corporate networks.
Key findings include:
- The number of infostealer logs for sale on underground forums continues to increase over time. On Russian Market alone, the number of logs for sale increased by 150% in less than nine months, from two million on a single day in June 2022 to over five million on a single day in late February 2023. In a period of nearly two years (measured on a single day in June 2021 and a single day in May 2023) the overall growth rate for the number of logs for sale on the Russian Market was 670%.
- Russian Market remains the top seller for infostealer logs. At the time of this report, Russian Market offers five million logs for sale, which is around ten times more than its nearest forum rival 2easy. Russian Market is well-established among Russian cybercriminals and used extensively by threat actors worldwide. Russian Market recently added logs from three new stealers, which suggests that the site is actively adapting to the ever-changing e-crime landscape.
- Raccoon, Vidar and Redline continue to be among the top three infostealer logs for sale. On a single day in February, the number of logs, or data sets of stolen credentials, among these popular infostealers on Russian Market for sale were:
- Raccoon: 2,114,549
- Vidar: 1,816, 800
- Redline: 1,415,458
- Recent law enforcement action against Genesis Market and Raid Forums has impacted cybercriminals’ behavior. Telegram has been a beneficiary of this, with more buying and selling of logs for popular stealers such as RedLine, Anubis, SpiderMan and Oski Stealer shifting to dedicated Telegram channels. Despite the arrests of multiple users and the takedown of 11 domains associated with Genesis Market, the Tor site remains operational with logs still available for sale. However, activity on the marketplace has slowed, as criminals have begun discussing the situation on underground forums, expressing doubts about the marketplace’s trustworthiness.
- A growing market has emerged to meet the demand for after-action tools that help with log parsing, a manual and challenging task often left for more experienced cybercriminals. As the number of infostealers and available logs increases, it is anticipated that these tools will continue to become more popular and help to lower the bar for entry.
Much like the general cybercrime ecosystem, the successful development and deployment of infostealers relies on individuals with a broad range of skills, roles and responsibilities. The rise of malware-as-a-service has fostered innovation among developers to improve their products and appeal to a wider range of customers.
For example, Russian Market now offers users the option to preorder stolen credentials for a specific organization, business, or application, and all that is required is a $1,000 deposit into the site escrow system. The pre-order service comes with no guarantees, but it enables cybercriminals to graduate from being opportunistic to targeted.
“What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially lucrative for relatively low skilled threat actors to get involved. Coordinated global action by law enforcement is having some impact, but cybercriminals are adept at reshaping their routes to market,” continued Smith.
“Ensuring that you implement multi-factor authentication to minimize the damage caused by the theft of credentials, being careful about who can install third-party software and where it is downloaded from, and implementing comprehensive monitoring across host, network and cloud are all key aspects of a successful defence against the threat of infostealers.”