10-25, 09:00–09:30 (Europe/Luxembourg), Europe - Main Room
Infostealers are a type of malware designed to secretly collect sensitive information from infected devices. They create stealer logs with valuable data such as login credentials. These malware communicate with Command-and-Control (C2) servers, which direct their actions and receive the stolen data. These stolen logs are highly valuable, forming the basis of a profitable underground market where cybercriminals sell and trade this information.
But what if C2 operators also fell victim to their own skim : the biter bit. In this presentation, we will dive into stealer logs of C2 operators, who have infected themselves accidentally with infostealer malware, to uncover hidden C2 infrastructure and their backstage. Join us as we expose the unexpected vulnerabilities within the cyber underworld.
Through a meticulous investigation of stealer logs, an ironic twist in the cyber threat landscape has been unveiled: C2 operators falling prey to their own skim. In this presentation, we will explore stealer logs of (C2) operators, offering an unparalleled opportunity to delve into the backstage of cybercriminal networks.
By analyzing these compromised logs, we have uncovered detailed information about the hidden criminal infrastructure operated by C2 operators. The captured data includes sensitive details such as computer information, browser autofill content, usernames and passwords, and active browser cookies. Notably, we have identified numerous logs containing cybercrime credentials, revealing the administrative access to various C2 platforms and databases.
The investigation highlighted five specific C2 operators, exploring their use of different malware families, locations, and operational tendencies. One operator stood out: "The Dutch Man," also known as the Malware Maestro, who demonstrated sophisticated management of multiple malware types, including Private Loader, Mystic, Asuka, and Raccoon Stealer, forming a versatile malicious ecosystem.
Join us as we dive into the trail of the cybercrime ecosystem provided by the threat actors’ own compromise. This talk will provide invaluable insights into the operation of a versatile malicious ecosystem, highlighting the complexity of C2 networks. Discover how analyzing stealer logs from operators associated with known C2 IPs can uncover and allow the study of hidden criminal infrastructure, identify new, previously unknown, C2 endpoints, and create indicators of compromise (IOCs).
Estelle is a Threat Intelligence Researcher at Flare. Having recently completed a master at University of Montreal, she is a criminology student who lost her way into cybercrime. Now she is playing with lines of codes to help computers make sense of the cyber threat landscape.