The fundamental law of market economics dictates that as demand increases for a particular good or service, the quantity of supply rises in turn. The underground economy is no exception. The rapid rise of cybercrime has created ample opportunities for Initial Access Brokers, who have exploited the skyrocketing demand for outsourced access to create a booming dark web industry netting an estimated $600,000 for sold network access per quarter. But how do these brokers gain access in the first place to stock their supply? Cybersixgill’s research reveals that, for Initial Access Brokers, ‘stealers’ are the malware of choice.
In the underground economy, the services of initial access brokers are in high demand for any aspiring cybercriminal. For a fee, underground markets and individual threat actors sell access to compromised endpoints and corporate logins, webshells, CPanels, or via various remote protocols such as RDP and FTP, allowing other cybercriminals to buy the first step into their targets’ networks.
For as little as several dollars, attackers can purchase access and gain a steady foothold into the targeted system, and from this beachhead, deploy ransomware, siphon system resources, harvest confidential information, and assume control of logged-in financial accounts. Considering how lucrative ransomware has become for attackers, it is unsurprising that these initial access markets are incredibly popular among ransomware operators, who no longer need to invest resources to gain entry on their own.
As we reported in our 2021 State of the Underground report, inventory in these markets is booming. In 2021, access to 4,286,150 compromised endpoints was sold on the underground, a massive 457% of 2020’s figure (937,430).
But how do these markets gain access in the first place? How are the attackers successfully compromising endpoints in a scalable way that allows them to sell access in bulk?
While not every access market reveals its secrets, one of them fortunately has. Specifically, this market sells data that was exfiltrated from compromised machines. This data includes login details and cookies, which allow buyers to presumably log into the victims’ accounts and access the sensitive data and resources that are stored wherein.
As can be seen in the screenshot below, data exfiltrated from one such compromised machine is advertised for sale on this market. The data extracted from this machine, located in Ohio, includes login information for Google and Microsoft Live accounts, as well as for Roblox and Discord. As seen below, in their listings, the market prominently declares which malware was used to compromise the data for sale. In this case, it was Redline.
A post from an underground initial access market, which mentions that the system data was procured using Redline stealer
Redline belongs to a category of malware known as infostealers or simply stealers, which gather login and other system data and relay the stolen information to the attacker.
Taking a closer look, we determined that of the 4,368,909 items sold on this market from January 1, 2021 to March 1, 2022, five different infostealers were used: Taurus, Raccoon, Azorult, Vidar, and Redline.
All of these malware families are well-established and well-documented. Just a few weeks ago, for example, researchers uncovered a campaign distributing Redline via links in the description of Youtube gaming videos.
Interestingly, while Vidar and Taurus alone were responsible for over 60% of compromised machines over the entire 14-month period, Redline grew steadily in popularity, eventually dominating items listed on this market. In every month since May 2021, Redline never accounted for less than 77% of all compromised machines.
Behind the Stealer Curtain
Notably, these five infostealers are all malware-as-a-service offerings, meaning that they are sold publicly on the underground for anyone to purchase. (This is in contrast with malwares such as Emotet, which are developed and operated by a single cybercriminal group for its own operations.)
Below, we have listed posts from underground sites selling all five stealers. These posts include technical descriptions of the malwares’ capabilities, as well as screenshots of the malware in operation.
Vidar stealer for sale in November 2018
Taurus stealer for sale in April 2020
Redline stealer for sale in March 2022
Raccoon stealer for sale in December 2021
Azorult stealer for sale in March 2022
A quick assessment of the posts suggests that the actors behind the stealers are not related – the five posts were all promoted in different forums, and each post was written in different tones and structures.
The prices for the stealers also vary. For example, Raccoon costs $1,000 for a six-month subscription, while Vidar costs $300 per month, and Redline costs only $150 for the ‘Lite’ version or $200 for the ‘Pro.’
This relatively inexpensive pricing lowers the entry barrier for cybercriminals of any level of sophistication, allowing any interested threat actor to acquire and deploy the malware. As a result, we see many different actors selling logs (compromised usernames and passwords), which, in their admission, were procured from machines that they infected with stealers.
An actor selling compromised data procured with the Raccoon stealer
Furthermore, within the forums and markets of the underground, there is significant chatter among cybercriminals discussing these stealers, sharing tips and instructions for their effective deployment, and comparing the different options on the market:
A discussion between threat actors comparing stealers to determine which is preferable
Within the threat actor community at large, the more prominent and advanced cybercriminal groups generally use their own ‘in-house’ malware, developed and customized for their particular brand of attack while ensuring that no rival actors can compete by using the same weapon. It is therefore quite interesting that such a major underground access market uses five off-the-shelf infostealers in order to procure its massive inventory of over 4.3 million compromised endpoints.
While unexpected, this use of out-of-the-box stealers demonstrates that malware-as-a-service available for purchase on the underground is powerful enough to fuel one of the largest access markets in the cybercriminal ecosystem, while also affordable and usable enough for regular threat actors to procure and operate.
Simply put, anyone can pay just a few hundred dollars for well-proven, high-quality malware. With a little creativity, such as a malicious link hidden in a YouTube video description, threat actors can easily deploy this malware to target machines and exfiltrate credentials to steal and sell for a few dozen dollars on underground forums. More advanced threat actors, such as those behind initial access markets, can deploy the infostealers at scale..
These credentials are then bought by other cybercriminals, among them, major ransomware groups who use them to gain access to compromised systems, encrypt the network and extort millions of dollars in ransom. Altogether, it is a very refined steal.