I have been dabbling in OSINT for quite a while during my career, mostly for attributing the anonymous heroes of the internet and, briefly, as a professional conducting investigations and selling intelligence. This journey led me to cross paths with Carlos, a hyperactive figure in the OSINT world. In our discussions about stealer logs and the fascinating potential of analysing that raw data in Splunk, he pointed me to a great source of logs, and I found myself diving into my IDE to build a parser to get those logs into Splunk.
For those of you who don't know what stealer malware is or what it does, there are many resources out there describing how it operates. To make your life easier: https://flashpoint.io/blog/evolution-stealer-malware/ Stealer logs are the actual data exfiltrated by the malware: the saved credentials, cookies and machine details it harvests from each infected host, usually dumped as one folder of text files per victim.
What began as a simple directory parser evolved into a multi-threaded, 2,000-line behemoth capable of parsing thousands of records into Splunk, Atlas (which turned out to be quite costly after a snafu on my part) and MongoDB Community Edition, just for kicks. I'll dive deeper into this topic later, especially after a full rewrite of the code now that I have a clearer vision of its purpose.
The data in Splunk is incredibly rich, a goldmine for those of us who practise SplunkFu and love crafting dashboards, so I thought it would be valuable to share some key findings from the dataset I've managed to get my hands on. The data is predominantly sourced from the Redline family of malware and originates from a public Telegram channel. We also have eyes on other families such as LummaC2, Meta, Raccoon and Mars, all in public Telegram channels.
The current dataset is credential orientated; I have not parsed any cookie, credit card or crypto wallet information. That is going to be part of the next iteration.
Overview of the Dataset and Preliminary Observations
The dataset, consisting primarily of records from the Redline family of malware, has been parsed to extract a significant amount of data. The process identified 1,411,071 compromised credentials originating from 19,374 infected machines and unveiled 37,934 leaked documents of various types. While the data provides an extensive overview, preliminary analysis suggests a possible correlation between malware infections and the use of unauthorised software. However, further research is required to substantiate this hypothesis.
Operating System
The distribution of operating systems among the infected machines provides an interesting insight. Seeing a lot of Windows 7 is not a surprise if we look at the browser versions and similar indicators in the same logs. The predominance of Windows 10 Enterprise x64, however, is noteworthy, since that SKU is normally found on corporate-managed endpoints rather than home machines.
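As an added example (not the author's 2,000-line parser and not code from any stealer project), the following Python sketch shows the core of the pipeline described on this page: read the per-victim text files of a stealer log folder, attach the machine metadata to every credential record, redact the plaintext secret before anything is indexed, emit Splunk HEC-shaped JSON events, and compute the per-machine operating-system distribution discussed above. The file layout is an assumption based on commonly published Redline dumps (a `UserInformation.txt` of `Key: value` lines and a `Passwords.txt` of records separated by a line of `=` characters); the sample contents, hostnames, IPs and secrets are constructed for the demonstration.

```python
"""Added example, not the author's parser: Redline-style stealer log folder -> Splunk-ready events.
The on-disk layout and field names are ASSUMED from commonly seen dumps; all sample data is constructed."""
import hashlib
import json
import re
from collections import Counter

# Constructed stand-in for a victim's UserInformation.txt (assumed layout).
SAMPLE_USERINFO = """Build ID: test-build
IP: 203.0.113.7
Location: Somewhere
OS Version: Windows 10 Enterprise x64
UserName: jdoe
Hardware ID: 0123456789ABCDEF
"""

# Constructed stand-in for the same victim's Passwords.txt (assumed '=' separated records).
SAMPLE_PASSWORDS = """URL: https://mail.example.com/login
Username: jdoe@example.com
Password: Winter2023!
Application: Google Chrome
===============
URL: https://portal.example.org/
Username: admin
Password: hunter2
Application: Mozilla Firefox
===============
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s?(?P<val>.*)$")

def parse_key_values(text):
    """Parse 'Key: value' lines into a dict; keys lowercased, spaces -> underscores."""
    out = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            out[m.group("key").strip().lower().replace(" ", "_")] = m.group("val").strip()
    return out

def parse_password_records(text, separator="==============="):
    """Split a Passwords.txt-style file into one dict per credential record."""
    records = []
    for chunk in text.split(separator):
        rec = parse_key_values(chunk)
        if "url" in rec or "username" in rec:
            records.append(rec)
    return records

def redact_secret(secret):
    """Never index the plaintext secret. Keep only its length and a truncated SHA-256
    so analysts can still spot the same password reused across victims."""
    digest = hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]
    return {"password_len": len(secret), "password_sha256_16": digest}

def build_events(userinfo_text, passwords_text, source_log="constructed"):
    """Join machine metadata onto each credential record and return flat, JSON-ready events."""
    machine = parse_key_values(userinfo_text)
    events = []
    for rec in parse_password_records(passwords_text):
        ev = {
            "event_type": "stealer_credential",
            "source_log": source_log,
            "machine_hwid": machine.get("hardware_id"),
            "machine_os": machine.get("os_version"),
            "machine_ip": machine.get("ip"),
            "url": rec.get("url"),
            "username": rec.get("username"),
            "application": rec.get("application"),
        }
        ev.update(redact_secret(rec.get("password", "")))
        events.append(ev)
    return events

def os_distribution(events):
    """Count distinct machines per OS string; one machine yields many credentials, so dedupe on HWID."""
    seen = {(e["machine_hwid"], e["machine_os"]) for e in events}
    return Counter(os_name for _, os_name in seen)

def to_hec_payload(events, index="stealer_logs", sourcetype="stealer:credential"):
    """Serialise events as newline-delimited JSON in the shape Splunk's HTTP Event Collector accepts."""
    return "\n".join(json.dumps({"index": index, "sourcetype": sourcetype, "event": e}) for e in events)

if __name__ == "__main__":
    evs = build_events(SAMPLE_USERINFO, SAMPLE_PASSWORDS)
    print(to_hec_payload(evs))
    print(os_distribution(evs))
```

Two design points worth carrying into a real parser: credentials are counted per record but operating systems are counted per machine (keyed on the hardware ID), otherwise a single heavily infected host with hundreds of saved logins skews the OS chart; and the plaintext password never reaches the index, because a Splunk instance full of third parties' live credentials is itself a breach waiting to happen, while a truncated hash still lets you pivot on password reuse.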