Full Report
Notice: The Infostealer Logs Analysis Report analyzes various infostealer logs (RedLine, Raccoon, Vidar, Meta, etc.) collected from the deep and dark web, including Telegram. Please note that parts of the report's source and content cannot be verified. Infostealer Logs Analysis Report Introduction The purpose […] The post Infostealer Logs Analysis Report appeared first on ASEC.
Analysis Summary
# Tool/Technique: Infostealer Malware Variants (RedLine, Raccoon, Vidar, Meta)
## Overview
This summary focuses on analysis derived from aggregated logs collected from various Information Stealer (Infostealer) malware families, including RedLine, Raccoon, Vidar, and Meta stealer. The analysis provides insight into the threat actors' strategies, the types of data targeted, and the infection patterns observed from nearly 28.3 million infection cases between August and October 2024.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Likely Windows (inferred from standard system paths and legitimate processes mentioned like `regasm.exe`, `msbuild.exe`)
- Capabilities: Data exfiltration, specifically targeting user information, system details, location, and potentially credentials stored on infected systems.
- First Seen: Not explicitly stated, but the analysis covers logs from August to October 2024.
## MITRE ATT&CK Mapping
The observed behavior points toward the following general ATT&CK techniques associated with credential and information theft:
- **TA0010 - Credential Access**
  - T1555 - Credentials from Password Stores
  - T1003 - OS Credential Dumping (potentially implied by credential collection)
- **TA0009 - Collection**
  - T1119 - Automated Collection
## Functionality
### Core Capabilities
The analysis focuses on data fields extracted from logs, indicating the malware's success in gathering:
* User Information (UserInfomation.txt from RedLine)
* System Information (System Info.txt from Raccoon)
* Victim Location and Machine Details
* Operating System Information
### Advanced Features
* Utilization of specific `attack_build_id` strings that often reference Telegram channels (e.g., ‘@mach***’, ‘@+uuz8-qluneu2***’), suggesting sophisticated tracking and management infrastructure often leveraging Telegram for C2 or distribution coordination.
* Injection into or copying files to **.NET Framework-related paths (68.2% of paths)**, indicating a strong focus on maintaining persistence or evading detection within common application framework directories.
* Exploitation of legitimate Windows processes for injection: `regasm.exe` (44.3%), `bitlockertogo.exe` (13.8%), and `msbuild.exe` (9.2%).
## Indicators of Compromise
(Note: Specific IPs/Domains are not provided in the context, only file/path observations.)
- File Hashes: N/A (Specific hashes not listed)
- File Names: Inferred outputs include `UserInfomation.txt`, `System Info.txt`, `information.txt`.
- Registry Keys: N/A
- Network Indicators: N/A (Though C2/management heavily uses Telegram infrastructure inferred from build IDs).
- Behavioral Indicators:
  * Process injection targeting processes such as `regasm.exe`, `bitlockertogo.exe`, and `msbuild.exe`.
  * File/data staging in user temporary folders (8.7%) and Windows system paths (21.5%).
## Associated Threat Actors
Threat actor groups were categorized based on their usage of unique `attack_build_id` tags:
* Independent Groups (e.g., ‘@mach***’, ‘@sup_n***’)
* Russian-speaking Groups (e.g., “russia ***”, “@dmitriylo***”)
* Cloud-based Groups (e.g., “@watercloud_ad***”, “@prdscloud_m***”)
## Detection Methods
- Signature-based detection would target known malware file hashes and specific malware binary names associated with RedLine, Raccoon, Vidar, or Meta stealer.
- Behavioral detection is crucial to monitor:
  * Unauthorized process injection into legitimate Windows binaries (`regasm.exe`, `msbuild.exe`).
  * File creation or modification within .NET Framework installation directories.
## Mitigation Strategies
- Implementing strict application control policies to prevent execution from user temporary folders.
- Enhancing monitoring on legitimate system processes (e.g., `regasm.exe`, `msbuild.exe`) for anomalous child processes or injection activities.
- Educating users on the dangers associated with third-party software and logs potentially sourced from dark web or Telegram channels.
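The behavioral detections and the temp-folder application-control check above, turned into a small triage routine as an added example (not code from the ASEC report). It assumes Sysmon-style events (ID 1 process create, 8 CreateRemoteThread, 11 file create) pre-parsed into dicts; the sample events are constructed, not observed data.

```python
import ntpath

# Constructed events in a simplified Sysmon-style shape; not taken from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 8, "source": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\svc.dll"},
    {"id": 1, "image": r"C:\Program Files\7-Zip\7z.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 8, "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\conhost.exe"},
]

# Legitimate binaries the report lists as injection targets.
INJECTION_TARGETS = {"regasm.exe", "bitlockertogo.exe", "msbuild.exe"}


def in_dotnet_dir(path):
    """True for paths under the .NET Framework install tree (Framework or Framework64)."""
    return "\\microsoft.net\\framework" in path.lower()


def in_user_temp(path):
    """True for user or system temp folders (the app-control check in Mitigation)."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def triage(events):
    """Return (rule, detail) alerts for the three behaviours the report highlights."""
    alerts = []
    for e in events:
        if e["id"] == 8 and ntpath.basename(e["target"]).lower() in INJECTION_TARGETS:
            alerts.append(("inject_lolbin", f'{e["source"]} -> {e["target"]}'))
        elif e["id"] == 11 and in_dotnet_dir(e["target"]):
            alerts.append(("dotnet_dir_write", e["target"]))
        elif e["id"] == 1 and in_user_temp(e["image"]):
            alerts.append(("exec_from_temp", e["image"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The three rules fire in sequence on the constructed chain (temp execution, then injection into RegAsm.exe, then a write into the Framework64 directory), which is the pattern worth correlating rather than alerting on any single event.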
## Related Tools/Techniques
* RedLine Stealer
* Raccoon Stealer
* Vidar Stealer
* Meta Stealer