Written by Dima Khrustalov
Info stealers (aka stealers) are Trojan malware programs designed to collect and steal information from a victim's device. Notably, most stealers do not persist on the victim's machine: they execute once, collect and exfiltrate the targeted data, and then delete themselves. The collected information is sent to the threat actor as a "log" via email, a messenger chat (e.g. Telegram), or a command-and-control server. Stealers require neither a high level of technical knowledge to operate nor complex infrastructure to run (unlike botnets, for example). Nevertheless, in skillful hands they are a serious threat because of the sensitive information they harvest from victims. In addition, most of today's stealers can be deployed as a separate module within a botnet, extending its functionality.
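Because the log is pushed out in a single burst and the implant then removes itself, the exfiltration channel is usually the best detection opportunity on the network side. The following detection logic is an added example, not code from Q6 Cyber or from any of the stealers discussed here: it scans egress proxy log lines for file uploads to the Telegram Bot API, the channel a stealer uses when it delivers logs to a chat, and then pivots on the bot id to group victim hosts into one operator's campaign. The log format, process names, bot token and sample records are constructed for illustration, and the 10 KB size floor is an assumed tuning value.

```python
"""Detection example: stealer log delivery over the Telegram Bot API.

Added example, not code from Q6 Cyber or from any stealer named in the
article. It assumes an egress/proxy log in the constructed format
"<timestamp> <src_ip> <process> <http_method> <url> <status> <bytes_out>";
all sample records below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Telegram Bot API calls have the form https://api.telegram.org/bot<TOKEN>/<method>.
# A bot token is "<numeric bot id>:<35-character secret>". Only the upload
# methods carry a file (the victim log); getMe/getUpdates/sendMessage are
# housekeeping calls and would only generate noise.
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMediaGroup"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<http>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<out>\d+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    proc: str
    bot_id: str
    method: str
    bytes_out: int


def scan(lines, min_bytes=10_000):
    """Return one Alert per POST upload of at least min_bytes to a Telegram bot.

    Stealer logs are archives of browser and wallet data, so a size floor
    suppresses tiny test uploads; min_bytes is an assumed value to tune.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated record
        api = TELEGRAM_BOT_API.search(m["url"])
        if not api or api["method"] not in UPLOAD_METHODS:
            continue
        if m["http"] != "POST" or int(m["out"]) < min_bytes:
            continue
        alerts.append(Alert(
            ts=m["ts"], src=m["src"], proc=m["proc"],
            bot_id=api["token"].split(":", 1)[0],
            method=api["method"], bytes_out=int(m["out"]),
        ))
    return alerts


def campaigns(alerts):
    """Group victim hosts by bot id: one bot receiving logs from several
    hosts is one operator's campaign, the pivot an analyst wants when
    more than one machine is affected."""
    by_bot = defaultdict(set)
    for a in alerts:
        by_bot[a.bot_id].add(a.src)
    return {bot: sorted(hosts) for bot, hosts in by_bot.items()}


# Constructed sample records. The token is a made-up value in the real
# token shape (numeric id, colon, 35-character secret).
TOKEN = "7001234567:AAFexampleexampleexampleexample1234"
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z 10.0.0.15 chrome.exe GET https://web.telegram.org/a/ 200 512",
    f"2024-03-01T10:00:07Z 10.0.0.15 C:\\Users\\Public\\build.exe POST https://api.telegram.org/bot{TOKEN}/sendDocument 200 184320",
    f"2024-03-01T10:00:08Z 10.0.0.15 C:\\Users\\Public\\build.exe POST https://api.telegram.org/bot{TOKEN}/sendMessage 200 210",
    f"2024-03-01T10:00:09Z 10.0.0.15 C:\\Users\\Public\\build.exe GET https://api.telegram.org/bot{TOKEN}/getMe 200 0",
    f"2024-03-01T11:12:44Z 10.0.0.42 C:\\Users\\Public\\build.exe POST https://api.telegram.org/bot{TOKEN}/sendDocument 200 96000",
    f"2024-03-01T11:20:00Z 10.0.0.42 smoke-test.exe POST https://api.telegram.org/bot{TOKEN}/sendDocument 200 120",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} {a.proc} -> bot {a.bot_id} {a.method} ({a.bytes_out} bytes)")
    print(campaigns(found))
```

Two caveats for anyone adapting this: the URL path, and therefore the bot token, is only visible where TLS is terminated at the proxy, so without interception the rule degrades to "any host POSTing to api.telegram.org", which needs a baseline of legitimate bots first; and the same approach has to be rebuilt per channel for stealers that deliver logs over email or a bespoke C2 server, where there is no fixed API shape to key on.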
The four most popular stealers today in the Russian-language underground community are Raccoon, VIDAR, Mars and Redline.
One of the most notable reasons for the popularity of these and other stealers is their affordability. The table below compares the monthly subscription fees for the four stealers named above:
The cheapest, Mars, sells for $140 per month, while the most expensive, VIDAR, sells for $300 per month. Raccoon and VIDAR are offered as MaaS (Malware as a Service), meaning that the subscription includes all of the infrastructure and setup (servers, reverse proxies, etc.) required to run a malware campaign. These low prices, coupled with ease of use, lower the entry threshold for cybercriminals.
In addition, the underground stealer 'marketplace' has evolved. A growing number of underground services offer the output of stealer operations for sale, usually referred to as "logs" or "info logs". In this case, threat actors do not need to run a stealer at all: they simply contact one such service and purchase the logs of the victims they are interested in, while the actual execution of the stealer against those victims, from initial infection to data exfiltration, is performed by the service vendor.
Affordability and ease of use are not the only reasons behind stealers' popularity. Stealers also offer powerful functionality for a wide range of cybercrimes and fraud. The table below compares the functional categories of the four stealers:
As the table shows, all four stealers possess powerful, diverse functionality, which has made them extremely popular with all sorts of cybercriminals and fraudsters pursuing different goals.

1. MaaS: Malware as a Service
About the Author
Dima Khrustalov is a senior analyst at Q6 Cyber's Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.