W1 Feb| EN | Story of the week: Stealers on the Darkweb

Hyunmin Suh
Published in
7 min readFeb 3, 2021

Co-author: Minjei Cho, Researcher at S2W LAB

Before deep dive into credential/info stealers in the dark web, let’s have a look at the term.

  • Credential/Info Stealer — malware that is collecting credential information such as login information saved in browser. It is often associated with Remote Access Tools (RATs) & Botnets.

Much has been discussed about the stealers and the market interlinked with the dark web and surface web, but there aren’t many simple and easy-to-understand diagram in accordance with the supply chain how this malicious ecosystem works from the dark web to the surface web. To help you better understand, we’ve attempted to divide the system into five stages based on what we observed.

1. Sellers of the stealer

AZORult was known to be the one of the most notorious stealer, but the author has stopped its maintenance in 2018. However, the source code of AZORult is still shared and modified by independents which claims to be the latest version.

Besides AZORult, there are two other famously mentioned stealers,
Vidar stealer and Raccoon stealer.

Vidar stealer is sold on a Russian speaking hacking forum and has operated since Nov, 2018. The price of Vidar ranges from $130~$750 depending on the usage period. Vidar is written in C++ and it searches wide range of following data:

  • All popular browsers of different bit sizes (passwords, cookies, autofill)
  • Wallets of cryptocurrencies
  • CC — Card data other than CVV
  • Files
  • Telegram authorization (Windows)
  • Browser history (Last 10,000 entries from a specific browser)

Raccoon, also found on a Russian speaking hacking forum, has operated since April, 2019. The price ranges from $75~$200 depending on the duration which has a similar pricing scheme to Vidar, and other stealers in general. It is written in C/C++ and it works on 32/64-bit systems without dependencies on .NET framework. Features include:

  • Information found in popular browsers (passwords, cookies, autofill)
  • IP
  • Geographical information
  • Credit Card
  • Wallets of cryptocurrencies
  • System Information

2. Distribution method

There are various attempts to lure victims to click on a risk link, like targeting high-traffic torrent, redirecting a site hosted with the malicious payloads or disguising it as an installer file. In the case of South Korea, Vidar is distributed as an installer file disguised as KMSAuto which is used for Windows genuine product validation. https://asec.ahnlab.com/en/17633/

Vidar disguised as KMSauto authentication tool, source: ASEC Blog

Stealer can also be distributed within a ransomware campaign. PC risk published an article that Vidar was once used with Gandcrab campaign (2019) that the stealer took a role of downloading additional forms of malware which showed it was more capable than just an info stealer. https://www.pcrisk.com/internet-threat-news/14270-vidar-and-gandcrab-distributed-in-same-campaign

Vidar and GandCrab distributed in the same campaign, source: pcrisk.com

Later on, it appeared in a new spam campaign along with Nemty Special Edition Ransomware targeting South Korean in May 2020. https://asec.ahnlab.com/ko/1316/

(Left) Fake job application, (Right) Spam Emails masquerading as ‘Korean Fair Trade Commission’, source: ASEC blog

Inside the attachment of the fake job application email, two executable files exist in a compressed format (.zip) shown in picture below.

Two executable files compressed in attachment of the fake job application email, source: ASEC blog

Both executables are disguised as Nemty and Vidar. While Nemty ransomware focusing on encrypting user files, Vidar is used to exfiltrate credential information in this instance.

3. Exploring the details of stealers

Let’s have a look at the details of stealers, main functions and how they work.

Main functions of stealers

Main functions of stealers can vary depending on developers; however, most of stealers we observed share common functions as below.

#Collect Browser Information

  • Passwords
  • Saved Logins / Autofills
  • Payment Methods
  • Cookies

#Copying Files

  • Copy all files from a certain directory
  • Copy files
  • Specific Apps or Software files ( Bitcoin wallet, Telegram, etc )

#Send System Information

  • OS version
  • Username
  • IP Address

#Account theft in various applications


#Additional Malware Download

How Stealers Steal Data

Chrome and other browsers based on the Chromium engine (Opera, Yandex, etc.) store sensitive data in the same location in general.

Stealer can steal information stored in the browser by performing decryption with the user’s authority. In the case of Chrome, the credential information is normally encrypted and stored in SQLite format if the user chooses the option to save the login information. If the user revisits the site, chrome browser will decrypt the information stored in the SQLite database with user’s authority which the malware can do the same.

Example of Imported Login Data of Chrome Browser to SQLite

4. Stolen Information evidenced in DDW (Deep, Dark Web)

Information obtained fraudulently by stealers are often observed in three areas.

1) Botnet Market

Genesis Market is known to be the biggest dark web market specialty in followings:

  • FingerPrints(FP)
  • Cookies
  • Inject Scripts info
  • Form Grabbers (Logs)
  • Saved Logins
  • Other personal data obtained from different devices in the web
Main page of genesis market

Bots are sold in following format:

The price of each product seems to fluctuate substantially depending on the importance of cookies and its quantity. The average price of product usually positioned from $10~$30 as seen in the above picture. However, if the number of cookies is sufficient and its information is highly relevant to financial accounts, the price may take up to $350.

2) Carding forum

A perfect example of carding site is ‘Joker’s stash’ but the operator of Joker’s stash claims to leave for a retirement a month after the domain seizure taken by FBI and Interpol. https://threatpost.com/jokers-stash-carding-site-taken-down/162548/

Despite the absence of Joker’s Stash, there are still flooding number of carding sites in Russian speaking forums selling credit card information. There can be many other techniques to obtain credit card information from the victim’s device, and stealers will do such a thing to collect all the credit card information viciously to be dumped and sold on carding forums.

3) Hacking forum

The stealers’ logs are not just sold in the carding forums and botnet markets but they are often shared in closed Russian speaking hacking forums. The below picture is posted this early week 1st of February, 2021, titled ‘858 LOGS MIX WORLDWIDE FOR FREE 2020’. These logs are often shared without compensations, and the size of logs files can range from couple of MBs to tens of GBs.

5. Where to use?

Based on our research, there are three assumptions of buying and sharing stealer logs.

  1. Finding any financial related accounts such as paypal login information in order to get a fraudulent access to the account.

In Genesis market, it is not hard to find a Paypal login information which stored in the chrome browser. Detail information can be seen after purchasing the product.

A picture below is a sample of pay account found in the stealer logs which was shared on an Russian speaking hacking forum.

It may require many tries to find an account with big valid budgets, but the activity of sharing botnet/stealers logs doesn’t seem to decrease.

2. Stealing corporate login information of the victim trying to access to its corporate portal remotely

We have observed many urls that are seem to be corporate related accounts such as azure or aws, cloud-like accounts.

Adversary favours the accounts named ‘administrator’ OR ‘admin’ will likely be attempted with brute force attack.

3. Information gathering at a national level

In Genesis market, there is a dashboard showing the list of current bots per country and how many have been added. Since the bots are classified with the country code, adversary or the ‘client’ can have an intuitive view of victims by country. In this sense, the information can be efficiently collected if the user is targeting specific country or language.

In overall, we have observed the supply chain and its distributional channels of stealers in five stages. As already mentioned earlier, much has been discussed about stealers, botnets, markets or hacking forums but we would like to emphasize the fact that the dark web is very closely interlinked with the surface web and that it can always be a threat to anyone regardless. Understanding the circulation of stealers in cyber criminal ecosystem will eventually become a great help to preventing more victims.