I've been dabbling in OSINT for quite a while during my career, mostly for attributing the anonymous heroes of the internet and, briefly, as a professional conducting investigations and selling intelligence. This journey led me to cross paths with Carlos, a hyperactive figure in the world of OSINT. In our discussions regarding stealer logs and the fascinating potential of analyzing that raw data in Splunk, he got me a great source for logs and I found myself diving into my IDE to build a parser to get those logs into Splunk.
For those of you who don't know what stealer malware is or how it operates, there are many resources out there describing it. To make your life easier: https://flashpoint.io/blog/evolution-stealer-malware/ Stealer logs are the actual data that is exfiltrated by the malware.
What began as a simple directory parser evolved into a multi-threaded, 2000-line behemoth capable of parsing thousands of records into Splunk, Atlas (which turned out to be quite costly after an ineffective snafu on my part), and MongoDB Community Edition, just for kicks. I'll dive deeper into this topic later, especially after a full rewrite of the code, now that I have a clearer vision of its purpose.
The data in Splunk is incredibly rich, a goldmine for those of us who practice SplunkFu and love crafting dashboards. Therefore, I thought it'd be valuable to share some key findings from this dataset that I've managed to get my hands on. The data is predominantly sourced from the Redline family of malware and originates from a public Telegram channel. We have eyes on other families like LummaC2, Meta, Raccoon and Mars stealers, all in public Telegram channels.
The current dataset is credential oriented; I have not parsed any cookie, credit card or crypto wallet information, that's going to be part of the next iteration.
Overview of the Dataset and Preliminary Observations
The dataset, primarily consisting of records from the Redline family of malware, has been meticulously parsed to extract significant amounts of data. The process has identified 1,411,071 compromised credentials originating from 19,374 infected machines and has unveiled 37,934 leaked documents of various types. While the data provides an extensive overview, preliminary analysis suggests a potential correlation between malware infections and the use of unauthorised software. However, further research is required to substantiate this hypothesis.
Operating System
The distribution of operating systems among the infected machines provides an interesting insight. Seeing a lot of Windows 7 is not a surprise if we look at browser versions etc. The predominance of Windows 10 Enterprise x64 however is noteworthy.
Windows 10 Enterprise x64 - 969,903 (68.75%)
Windows 10 Home x64 - 307,848 (21.82%)
Windows 7 Ultimate x64 - 27,631 (1.96%)
Windows 7 Professional x64 - 19,691 (1.40%)
Windows 10 Enterprise N x64 - 14,433 (1.02%)
Windows 8.1 Pro x64 - 13,835 (0.98%)
Windows 10 Pro x64 - 11,038 (0.78%)
Windows 10 Enterprise LTSC 2021 x64 - 9,725 (0.69%)
Windows 7 Home Premium x64 - 7,801 (0.55%)
Windows 10 Enterprise LTSC 2019 x64 - 6,289 (0.45%)
Findings in Malware Locations
An analysis of the file locations where malware instances were predominantly found has yielded the following results:
1. C:\\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - 304,701
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe - 189,831
3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - 121,530
4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe - 113,953
5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe - 78,047
6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - 74,996
7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe - 53,756
8. C:\Users\MOHAME~1\AppData\Local\Temp\7CB2.exe - 3,442
9. C:\Users\Marco\Documents\GuardFox\owgrPviMuHfa9L2FPt0KRzf9.exe - 3,163
10. C:\\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe - 3,080
Browser Usage
The data indicates certain trends in browser usage among infected machines, which may point towards specific user preferences:
1. Google Chrome - 1,185,671
2. Microsoft Edge - 1,175,030
3. Internet Explorer - 1,012,832
4. Mozilla Firefox - 308,923
5. Brave - 113,849
6. Avast Secure Browser - 18,623
7. Microsoft Edge - 14,888
8. Google Chrome - 13,685
9. Cốc Cốc - 12,884
10. OneBrowser - 11,514
Browser Versions
The versions discovered in this dataset are quite telling. At the time of writing this post, Internet Explorer is EOL, Edge is on version 120.0.2210.144, and Chrome is on version 121.0.6167.86.
1. Internet Explorer 11.00.19041.1 - 581,230
2. Microsoft Edge 11.00.19041.1 - 560,087
3. Google Chrome 11.00.19041.1 - 530,526
4. Internet Explorer 11.00.22621.1 - 274,042
5. Microsoft Edge 11.00.22621.1 - 268,328
6. Google Chrome 11.00.22621.1 - 247,473
7. Microsoft Edge 117.0.2045.47 - 184,151
8. Google Chrome 120.0.6099.217 - 179,860
9. Microsoft Edge 120.0.2210.133 - 178,614
10. Google Chrome 119.0.6045.200 - 176,945
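The location list above counts the same AppLaunch.exe binary three times (entries 1, 4 and 10 differ only in escaping and case), the browser usage list repeats Edge and Chrome, and the top browser "versions" (11.00.19041.1, 11.00.22621.1) are Windows build numbers rather than browser releases. As an added example that is not from the original post or its parser, this Python snippet normalizes those fields before aggregating, flags the .NET Framework binaries that show up as the "malware location" (the stealer is injected into a legitimate host process, so the path is the host, not the dropped file), and buckets browser versions against the Edge and Chrome releases quoted in the post; the sample records are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records modelled on the fields listed in this post (path
# spelling variants and the "11.00.19041.1" browser versions); not real log data.
SAMPLE_RECORDS = [
    {"path": r"C:\\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "browser": "Google Chrome", "version": "11.00.19041.1"},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "browser": "Microsoft Edge ", "version": "117.0.2045.47"},
    {"path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe",
     "browser": "google chrome", "version": "121.0.6167.86"},
    {"path": r"C:\Users\Marco\Documents\GuardFox\owgrPviMuHfa9L2FPt0KRzf9.exe",
     "browser": "Brave", "version": "1.61.100"},
]

# Reference releases quoted in the post at the time of writing.
CURRENT_VERSIONS = {"google chrome": "121.0.6167.86", "microsoft edge": "120.0.2210.144"}

# Legitimate .NET Framework binaries reported as the "malware location": the stealer
# runs inside them, so this path identifies the injection host, not the payload.
DOTNET_HOST = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\[^\\]+\.exe$")
# Windows build numbers (19041, 22621) surfacing in the browser version field.
OS_BUILD_AS_VERSION = re.compile(r"^11\.00\.\d{5}\.\d+$")

def normalize_path(path):
    """Collapse doubled backslashes and case so the AppLaunch.exe variants count once."""
    return re.sub(r"\\{2,}", r"\\", path.strip()).lower()

def normalize_browser(name):
    return " ".join(name.split()).lower()

def _as_tuple(version):
    return tuple(int(x) for x in version.split("."))

def classify_version(browser, version):
    """Return os_build, outdated, current or unknown for a browser version string."""
    if OS_BUILD_AS_VERSION.match(version):
        return "os_build"
    ref = CURRENT_VERSIONS.get(normalize_browser(browser))
    if ref is None:
        return "unknown"
    return "outdated" if _as_tuple(version) < _as_tuple(ref) else "current"

def summarize(records):
    """Aggregate normalized paths, flag .NET host binaries, and bucket browser versions."""
    paths = Counter(normalize_path(r["path"]) for r in records)
    hosts = {p: n for p, n in paths.items() if DOTNET_HOST.match(p)}
    versions = Counter(classify_version(r["browser"], r["version"]) for r in records)
    return {"paths": paths, "dotnet_hosts": hosts, "versions": versions}
```

Running the same normalization before indexing into Splunk keeps the top-N dashboards from splitting one binary or one browser across several rows.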
Geographical Impact of Malware
The dataset reveals that malware incidents have a broad geographical distribution.
1. Brazil (BR) - 147,650
2. Turkey (TR) - 78,071
3. Thailand (TH) - 69,318
4. Mexico (MX) - 61,701
5. Peru (PE) - 58,038
6. Argentina (AR) - 53,414
7. Colombia (CO) - 49,371
8. Spain (ES) - 47,238
9. Pakistan (PK) - 42,213
10. Bangladesh (BD) - 39,339
Analysis of Compromised Credentials
The dataset provides a concerning overview of password security practices, with a significant number of credentials compromised. I would never have imagined posting this in 2024. Yet admin and 123456 reign supreme.
1. admin - 7,607
2. 123456 - 6,217
3. 12345678 - 2,667
4. Pakistan@123 - 2,567
5. Rit241142 - 2,351
6. 123456789 - 2,080
7. 1234 - 1,635
8. 010007125 - 1,635
9. santos22 - 1,402
10. password - 1,382
Presence of Antivirus Software
Despite the widespread presence of antivirus software on infected machines, the high infection rates warrant a critical examination of their effectiveness. My guess is that these have not seen any recent updates, just like the browsers.
1. Windows Defender - 1,233,384
2. Reason Cybersecurity - 32,030
3. ESET Security - 11,637
4. Norton Security - 6,902
5. Avast Antivirus - 6,880
6. Microsoft Security Essentials - 5,650
7. Malwarebytes - 5,418
8. McAfee - 5,367
9. 360 Total Security - 3,918
10. Norton Security Ultra - 3,477
These infections could have been prevented fairly simply:
Keep your machine updated!
Spend some money on a good AV; my house runs Sophos.
Get a password manager, personally I use Dashlane, but anything is better than storing credentials in your browser.
Read more about password managers here.
And very importantly, if not most important, keep an eye on what the kids are doing on your home computer!
Any questions, insights, or ideas are more than welcome. Stay tuned for the follow-up.