An Introduction to Stealer Logs
What Is a Stealer Log?
A stealer log is a series of data files generated and compiled by malicious software known as “infostealers.” The log contains personal and sensitive information that has been collated from infected endpoints before being exfiltrated to a command server controlled by a cyber threat actor, where it can be further exploited. Organizations face a significant threat from infostealers and stealer logs. This is primarily due to the abundance of stealer logs in deep and dark web (DDW) marketplaces and forums, their constant adaptation, and the innate appeal of stolen data to a broad variety of threat actors.
Data-Stealing Techniques
Infostealers leverage numerous data-stealing techniques depending on the malware strain deployed. Form grabbing, keylogging, credential dumping, and screen scraping are all commonly observed in such attacks. These techniques usually seek to uncover and extract information from specific elements of the targeted endpoint device, described below.
Web Browsers
Web browsers typically store various types of information, particularly when using their default settings. Infostealers often search for this information in file paths associated with local browser app folders.
Data sought from web browsers includes personally identifiable information (PII) such as usernames and passwords. Such data, while usually encrypted, is often stored in close proximity to the decryption key, which is extracted alongside it. Browser password managers also often store the associated URL or login portal alongside this information. This enables the infostealer to obtain everything needed to compromise a given account. Personal financial information (PFI) such as credit card numbers and expiration dates that are used for auto-fill purposes can also be obtained from web data or local storage folders.
Email Clients
Modern email clients store significant amounts of information that often includes PII and PFI. Additionally, threat actors can perceive the data contained in email content, attachments, personal and organizational calendars, and contact lists as lucrative, given its ability to enhance targeted social engineering attacks.
Applications
Like web browsers, many applications store login details to enhance user experience. Usernames or login email addresses are often “remembered” by the application and are susceptible to access by infostealers. While passwords are not as often readily available, they can sometimes be obtained via the interception of temporarily stored memory. Various types of applications are at risk of being targeted by infostealers. These include social media and instant messaging apps, password managers, cloud storage platforms, gaming portals, and cryptocurrency wallets. Infostealers can either be programmed to seek predetermined associated file paths, or have the capability to dynamically seek commonly used applications or running processes.
Network and Hardware
Infostealers can also seek information associated with a connected network, such as credentials and configurations, as well as information that can assist in bypassing authentication procedures and enabling persistent access, such as cookies, access tokens, and other session data. Infostealers also look for data surrounding system hardware and installed software. This can aid the threat actor in identifying vulnerabilities and establishing the most effective subsequent attack techniques.
Stolen Data Quality
The quantity of stolen data also varies significantly. Stealer logs range from a few megabytes for those containing usernames and passwords, to tens of megabytes for those consisting of extensive browser information, to hundreds of megabytes or more for those that house large data sets or images.
- Depending on the malware leveraged and the threat actor’s intent, the extracted information can also be encrypted. This can aid in the attacker’s obfuscation, make it more difficult for victims to determine what information has been stolen, safeguard the data’s integrity during transmission, and protect information deemed particularly sensitive from other threat actors.
Raw Stealer Logs
In its raw form, a stealer log is usually stored as a series of .txt files packaged in an archive file such as a .zip or .rar. At this point the log is typically only loosely structured, so it may contain some information that is unusable, irrelevant, or carries no monetary value.
Logs at this stage are often subject to some level of parsing. Parsing is a loosely defined process intended to organize the contents into distinct categories (such as credentials, credit card details, and browser data) as well as to determine the legitimacy and usability of the information.
Parsing is usually undertaken by specialized programs. These programs are often included within the leveraged stealer malware service, offered as bot programs on instant messaging (IM) platforms such as Telegram, or written as bespoke scripts.
The extent to which raw stealer logs are parsed depends upon the stealer malware leveraged and its configuration, the data contained, and how the threat actor intends to conduct subsequent exploitation.
Some of the possible benefits of parsing data from stealer logs include:
- Increased ease of navigation and searchability;
- An easier format for victim behavior analysis to take place;
- An opportunity to remove any irrelevant, invalid, or otherwise unusable data; and
- A data format more likely to be compatible with software programs and automated tools used to further exploit the data, lessening the need for custom scripts.
Stealer Log Advertisement and Sale
The threat actor responsible for obtaining the stealer log may choose to advertise it for sale in specialized stealer log marketplaces that exist in both DDW forums and IM platforms. In 2024, the most popular stealer marketplaces are almost certainly Russian Market, Exodus, and the recently advertised-for-sale 2EasyShop, alongside numerous Telegram-based bot services. These marketplaces often categorize and group victim data together. Categorization can be by region, sector, or type, enabling buyers to easily obtain the information they seek. Additionally, logs are also traded in DDW forums such as xss, Exploit, and Blackhat Forum, though in lesser quantities.
Stealer Log Price Ranges
| Information | Price Range |
| --- | --- |
| Raw stealer logs containing a variety of data such as credentials, financial information, session tokens, and hardware specifications | Between USD 1 and USD 25, depending on the marketplace. Generally, Exodus (which sets prices according to the number of affected assets) demands the highest prices and Russian Market (which sets prices according to the age of the log) demands the lowest. |
| Datasets with a focus on session tokens and browser cookies | Often granted via a subscription fee, with many services charging approximately USD 30 for one week of access, USD 60 for one month of access, or USD 500 for lifetime access. |
| ULP rows (rows of information detailing login credentials accompanied by a URL to their relevant login portal) | Usually granted via a subscription fee, with many services charging approximately USD 60 for one month of access or USD 500 for lifetime access. Can also occasionally be obtained for free, particularly by members with enhanced reputations or in return for specific forum currencies. |
| LP sets and combologs (datasets containing multiple login and password combinations). Combolists are often compilations of this data and are usually outdated and unusable. | Similar pricing structures to ULP rows. The well-known cloud-based service AggressorDB charges USD 720 for three months, granting access to all available LP rows for the length of the subscription. |
Stealer Log Pricing Factors
A stealer log commands different prices depending on factors such as the information contained, its age (the date the information was extracted), and the country of the victim. Victims in regions deemed more lucrative generally fetch a higher price.
- Buyers of this information may opt to exploit the data in subsequent cyberattacks, or they may repackage it into larger sets of stolen data, which can command a higher price.
- Alternatively, the threat actor who obtained the log may leverage the stolen data themselves. This is more likely if the stolen information enables straightforward network access and the attacker possesses the technical expertise to exploit it. Following this activity, the threat actor may still sell the data.
Who Is Creating and Buying Stealer Logs?
Threat actors leveraging stealer malware vary significantly in their technical expertise, experience, resources, and motivations. The vast majority are almost certainly financially-motivated, seeking to generate illicit funds either through the sale of stealer logs, or by exploiting their contents. However, stealer malware is also used by threat actors with political, ideological, and punitive motivations.
Common Threat Actor Motivations
Financially motivated
Malicious individuals and groups leverage stealer malware for financial gain. Some cybercriminals opt to use the stolen data themselves to enable further malicious exploitation. This includes the deployment of further malware, digital extortion, or account takeover. Other cybercriminals use stealer logs to establish initial network access that can then be sold, providing a supply to the array of threat actors seeking to conduct malicious cyber activity.
Ideologically motivated
Various hacktivists motivated by ideology deploy stealer malware with the ultimate aim of causing disruption or inflicting reputational damage. Hacktivist groups often target organizations deemed to be associated with a particular ideological, political, or social belief. These can include government departments, religious institutions, and non-governmental organizations (NGOs).
Stolen credentials can be used to gain access to personal and corporate communications before leaking them with the intent of causing embarrassment and public distrust. Session cookies are also exploited. These can grant the attacker initial access and enable lateral movement toward areas of the network containing sensitive information, which can be leaked or used as extortion leverage.
Politically motivated
Highly capable advanced persistent threat (APT) groups and nation state-sponsored or affiliated cyber capabilities use stealer malware to target both opposing state governments and associated NGOs, often in espionage campaigns. These threat actors are usually seeking to gather information that can be used to improve their geopolitical stature; achieve a strategic military, technological, or economic advantage; or conduct sabotage by stealing sensitive or proprietary information.
While almost certainly less prominent, a threat also exists from employees and other insiders, as well as from competing organizations. Both can gain advantage from illicitly obtaining proprietary, trade, and customer information: the former most likely seek financial gain or punitive retribution, while the latter pursue a competitive edge over their rivals.
How Stealers Are Operated
The majority of prominent stealers are operated as a service and are often advertised as either stealer-as-a-service (SaaS) or malware-as-a-service (MaaS). These services offer threat actors a multifaceted and relatively inexpensive method of deploying versatile malware. They also lower the bar for required technical expertise. Many stealers are available to threat actors, differing in their stealing techniques, reputations, information targeted, prices, implementation languages, customizations, obfuscation methods, and antivirus evasion. As of the writing of this report, some of the most prominent stealers include StealC, Vidar, and LummaC2.
| Stealer Service | Price Options | Features |
| --- | --- | --- |
| StealC | USD 200 for 1 month; USD 500 for 3 months; USD 800 for 6 months | Steals information from web browsers, instant messaging platforms, and email clients; can be configured with customized file-grabbing capabilities; based upon other prominent stealers, such as Vidar and Raccoon |
| Vidar | USD 130 for 7 days; USD 200 for 14 days; USD 300 for 30 days; USD 580 for 60 days; USD 750 for 90 days | Steals information such as IP addresses, credentials, and banking data; can be used to facilitate further malware; customizable functionality |
| LummaC2 | Different packages that include varying functionalities: USD 250 (“Experienced”); USD 500 (“Professional”); USD 1,000 (“Corporate”) | Targets information found in browser extensions, cryptocurrency wallets, and multi-factor authentication (MFA) tokens; novel anti-sandbox techniques that aid in avoiding detection, evading security methods, and establishing persistence |
What Are Some Common Misconceptions About Stealer Logs?
“Data contained in stealer logs is new, relevant, valuable, and exploitable.”
- Stealer logs for sale often contain old or outdated credentials and information, many of which have appeared in numerous previous data breaches. By the time exploitation is attempted, victim users may have changed passwords or closed accounts, rendering the data obsolete. Stealer logs also often contain fake or manipulated information to bolster the file size and attract potential buyers.
- While some logs contain valuable corporate credentials, many are from personal devices with limited value to threat actors. Research indicates that about 1 percent of logs pertain to corporate victims.
- Not all data in stealer logs is immediately exploitable. Factors such as MFA, account lockouts, and changed passwords can limit the utility of stolen credentials.
“Organizational data in a stealer log must have come from a recent data breach.”
- Threat actors often compile stealer logs from multiple sources and timeframes. This means that a single compilation may contain information collected over an extended period, not just data from recent infections or breaches. Additionally, threat actors often resell and repackage stealer logs in various combinations. This can lead to fresher data sitting alongside older data, creating a misleading perception of the data’s recency.
“My organization or network was targeted specifically.”
- While stealer logs may contain corporate information, this does not necessarily imply that the organization was specifically targeted. The presence of such data is often a result of broader, non-targeted malware campaigns. These affect individual users who happen to have access to corporate resources. This information is often obtained via breaches of third parties when employees leverage corporate credentials on their personal devices or use corporate devices for personal use.
“My information in a stealer log indicates that a broad compromise of my network has taken place.”
- The presence of corporate credentials in stealer logs does not automatically mean the organization itself has been breached. Rather, it is often the result of individual user compromises rather than a wider organizational breach.
How Can Your Organization Mitigate the Threat?
The diverse information found in stealer logs is leveraged for malicious activities by a range of threat actors of different capabilities and motivations. The mitigation strategies of individuals and organizations must therefore be equally holistic. They must address the full scope of network access vectors that can be targeted by an attacker in possession of credentials, cookies and tokens, or other browser data. Ensuring that basic cyber hygiene measures are properly enacted and scrutinized can reduce the likelihood of both being targeted by stealer malware and any subsequent exploitation.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Implement secure password policies, with phishing-resistant MFA, complex passwords, and unique credentials.
- Leverage cyber threat intelligence to inform detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management process. Ensure all IT assets are updated with the latest software updates as quickly as possible.
- Proactively monitor for compromised accounts being brokered in DDW forums.
- Ensure employees are aware of contemporary cyber threats and educated in how to recognize and report suspicious activity.
- Configure ongoing monitoring for Compromised Account Credentials.
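As an added illustration of the parsing step described under Raw Stealer Logs and of the two monitoring bullets above (example code written for this page, not the author's or any vendor's tooling), the following Python normalizes a constructed raw credential dump into ULP rows, drops incomplete and duplicate records, and flags rows that belong to a watched corporate domain with the password masked. The URL/USER/PASS layout is an assumed common layout, and every domain, account and password is made up.

```python
import re
from urllib.parse import urlsplit
# Constructed sample in an assumed URL/USER/PASS layout of a raw "Passwords.txt"; all data is made up.
SAMPLE_LOG = """\
URL: https://mail.example-corp.com/owa/auth/logon.aspx
USER: j.doe@example-corp.com
PASS: Winter2024!
===
URL: https://shop.example.net/account
USER: jdoe_personal
PASS: hunter2
===
URL: https://mail.example-corp.com/owa/auth/logon.aspx
USER: j.doe@example-corp.com
PASS: Winter2024!
===
URL: android://com.example.app/
USER:
PASS:
===
URL: https://vpn.example-corp.com/
USER: EXAMPLE-CORP\\svc_backup
PASS: B@ckup#1
"""
FIELD = re.compile(r"^(URL|USER|PASS)\s*:\s*(.*)$", re.IGNORECASE)
def parse_ulp_rows(text):
    """Raw text -> (url, login, password) rows; drops incomplete and duplicate records."""
    rows, seen, rec = [], set(), {}
    for line in text.splitlines() + ["==="]:  # sentinel flushes the last record
        if line.startswith("==="):            # record separator
            key = (rec.get("url"), rec.get("user"), rec.get("pass"))
            if all(key) and key not in seen:  # skip blank fields and repeats
                seen.add(key)
                rows.append(key)
            rec = {}
        elif (m := FIELD.match(line)):
            rec[m.group(1).lower()] = m.group(2).strip()
    return rows
def corporate_exposures(rows, watched_domains):
    """Rows whose login or portal host is in a watched domain, password masked."""
    def in_scope(name):
        return any(name == d or name.endswith("." + d) for d in watched_domains)
    hits = []
    for url, login, pw in rows:
        host = (urlsplit(url).hostname or "").lower()
        login_dom = login.rsplit("@", 1)[1].lower() if "@" in login else ""
        if in_scope(host) or in_scope(login_dom):
            hits.append((url, login, pw[0] + "*" * (len(pw) - 1)))
    return hits
```

The masked rows are what a security team would hand to the account owners or identity team for forced resets and session revocation, without circulating the plaintext.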
Dan Curtis
Senior Intelligence Analyst
Dan has over 10 years of experience in delivering intelligence analysis, threat intelligence, and security management solutions to customers and stakeholders across the public and private sectors. Having worked in a diverse span of high-tempo environments, Dan is well-versed in producing and delivering the timely intelligence needed to understand the tactical and strategic threats faced by organizations and individuals.
Tags: Cyber Trends, Malware