Trends and Main Threats - Infostealers in Latam

Jaime Andrés Bello Vieda, 19 slides, uploaded Aug 15, 2024

About This Presentation

Talk given at BSides Colombia 2024 (April 2024) on the trend of infostealer malware in the Latin America region, and on research into the logs those infostealers produce as they are sold in illegal markets.


Slide Content

Trends and Main Threats: The Impact of Infostealers in the Latam Region

Contents
01 The Rising Market of Infostealers and Valid Credentials
02 Infostealer ecosystem in Latam and Intelligence in Colombia
03 Key information on the top 3 infostealers impacting Latam
04 Recommendations: Preventive & Reactive

This talk is presented by…

Jaime Andrés Bello Vieda
Threat Intel, Digital Forensics, Malware Analysis, CloudSec, Pentesting…
GCFA, GCPN, CISM, CSX, PMP, IA-ISO27001
University Teacher, Researcher, Speaker
Lover of nature, Musician
IBMer, X-Force Incident Response

William Forero Cruz
Incident Response & Digital Forensics
CAFSC, CSX, DFIR, SFPC, CSFCP, CC.
Fiscal / Public / Financial and Technology, retail.
Cybersecurity, computer forensics and IT risk enthusiast.
IBMer, X-Force Incident Response

The rising of infostealers
• Some forecasting reports argued for a 2023 trend of infostealers…
• …other studies released in 2024, about what actually happened, confirmed it.
• Infostealers -> the driver of the credentials market

What is an infostealer malware
Log/information stealer malware is a subset of Trojan which collects data from the compromised system and sends it to the attacker.
https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/
If there is an offer… it's because there is a DEMAND!
Targets: login credentials, banking information, browser information (cookies, history, credential vaults), crypto wallets.

Common vectors of infection
• Social engineering techniques
• C2 devices: the stolen info is transferred to them
• Offered in .onion sites/forums and Telegram channels
Lifecycle: Delivery -> Incubation & Collection -> Transfer -> Offering / Sale
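The Incubation & Collection and Transfer phases above are the two that leave traces on the endpoint, and they are what the later recommendation "hunt or block stealer-related IoCs" points at. The following is an added example, not code from the talk: a behavioural hunt over a constructed, Sysmon-shaped event list (Event ID 11 FileCreate and Event ID 3 NetworkConnect field names; every event, path, host and IP below is invented). It assumes the Chromium/Firefox credential-store file names, the browser process names, and that Telegram's Bot API and Discord webhooks are the "legitimate" hosts a stealer uses for exfiltration; the raw-IP-on-a-non-web-port case models the direct IP:port C2 pattern.

```python
"""Hunting for the Collection and Transfer phases of an infostealer infection.

Added example, not code from the talk: runs a behavioural check over a
constructed, Sysmon-shaped event list (Event ID 11 FileCreate, Event ID 3
NetworkConnect). Every event below is invented.
"""
import ntpath
from collections import defaultdict

# Browser credential and cookie stores that stealers copy out of the profile.
# Chrome keeps its databases locked while running, so stealers typically copy
# them to a scratch directory first. Assumption: Chromium and Firefox names.
CREDENTIAL_STORES = {
    "login data", "cookies", "web data", "local state",   # Chromium family
    "logins.json", "cookies.sqlite", "key4.db",           # Firefox
}
# Processes that legitimately create or rewrite those files.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Legitimate services commonly offered by stealer builders as an exfil channel
# (assumption: Telegram Bot API and Discord webhooks).
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}


def _base(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return one finding per non-browser process that touched a credential store.

    Severity is "high" when the same process also connected to a known
    exfiltration host or straight to an IP on a non-web port (raw IP:port C2),
    otherwise "medium" (collection seen, transfer not yet seen).
    """
    collected = defaultdict(set)   # pid -> credential stores touched
    transfers = defaultdict(set)   # pid -> destinations contacted
    image_of = {}
    for ev in events:
        pid, image = ev["pid"], ev["image"]
        image_of[pid] = image
        if _base(image) in BROWSERS:
            continue
        if ev["event_id"] == 11 and _base(ev["target"]) in CREDENTIAL_STORES:
            collected[pid].add(_base(ev["target"]))
        elif ev["event_id"] == 3:
            host, port = ev.get("dst_host", ""), ev.get("dst_port")
            if host in EXFIL_HOSTS:
                transfers[pid].add(host)
            elif not host and port not in (80, 443):
                transfers[pid].add(f"{ev['dst_ip']}:{port}")
    findings = [
        {
            "pid": pid,
            "image": image_of[pid],
            "stores": sorted(stores),
            "destinations": sorted(transfers.get(pid, ())),
            "severity": "high" if pid in transfers else "medium",
        }
        for pid, stores in collected.items()
    ]
    # High severity first, then by pid, so the triage list is stable.
    findings.sort(key=lambda f: (f["severity"] != "high", f["pid"]))
    return findings


# Constructed telemetry: a cracked-software dropper exfiltrating over the
# Telegram Bot API, a keygen talking to a raw IP:port, a backup agent that
# merely copies a profile (triage candidate), plus benign browser/system noise.
SAMPLE_EVENTS = [
    {"event_id": 11, "pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event_id": 11, "pid": 7732, "image": r"C:\Users\ana\AppData\Local\Temp\Setup_Crack.exe",
     "target": r"C:\Users\ana\AppData\Local\Temp\Login Data"},
    {"event_id": 11, "pid": 7732, "image": r"C:\Users\ana\AppData\Local\Temp\Setup_Crack.exe",
     "target": r"C:\Users\ana\AppData\Local\Temp\Cookies"},
    {"event_id": 3, "pid": 7732, "image": r"C:\Users\ana\AppData\Local\Temp\Setup_Crack.exe",
     "dst_host": "api.telegram.org", "dst_ip": "149.154.167.220", "dst_port": 443},
    {"event_id": 11, "pid": 5120, "image": r"C:\Users\ana\Downloads\photoshop_keygen.exe",
     "target": r"C:\Users\ana\AppData\Local\Temp\key4.db"},
    {"event_id": 3, "pid": 5120, "image": r"C:\Users\ana\Downloads\photoshop_keygen.exe",
     "dst_host": "", "dst_ip": "203.0.113.25", "dst_port": 5432},
    {"event_id": 11, "pid": 880, "image": r"C:\Program Files\AcmeBackup\agent.exe",
     "target": r"D:\Backups\ana\Chrome\Login Data"},
    {"event_id": 3, "pid": 2210, "image": r"C:\Windows\System32\svchost.exe",
     "dst_host": "", "dst_ip": "13.107.4.52", "dst_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity']:6} pid={f['pid']} {f['image']} "
              f"stores={f['stores']} dst={f['destinations']}")
```

The point of keying on process identity rather than on a hash or a C2 address is that cracked installers and keygens are rebuilt per campaign, while copying `Login Data` out of the profile and pushing it to a bot API is the behaviour every family on this page shares; the medium-severity backup agent shows why the result is a triage list, not an automatic block.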

Research Methodology
• Rising Market of Credentials: research of the leaked-credentials market driven by infostealers in Latam.
• Changes in the modus operandi: pivots to infostealers instead of exploitation to access environments.
• Infostealers by Country and Company: overall study; top 10 companies according to Merco in Latam.
• Processing & Analysis: results and statistics around infostealers living in the region.
• Intelligence insights of the Top 3: main techniques, operational (in/ex)filtration methods.
• Recommendations: preventive & reactive actions to avoid and mitigate this threat.

Intelligence in Action
Sources, Objective and Study Targets
• Russian Market: forum to buy and sell illegal products and services, including stolen data, malware, hacking services, cards and much more.
• Telegram: the social media app has become a market ecosystem to share and exchange lots of content from illegal activities, including infostealer logs.

Number of Devices Affected by Infostealers in Latam
(Map highlighting México, Colombia, Brazil, Ecuador, Perú, Bolivia, Uruguay, Argentina and Chile)

| Country   | No. of infected devices* |
|-----------|--------------------------|
| Brazil    | 3802 |
| Chile     | 2108 |
| México    | 1613 |
| Argentina | 1599 |
| Colombia  | 1470 |
| Perú      | 1393 |
| Uruguay   | 1075 |
| Ecuador   | 1073 |
| Panamá    | 747  |
| Bolivia   | 732  |
| Total     | 15612 |

*The analysis was conducted over the period 01/07/2023 – 31/12/2023.

Infostealers Living in Latam (distribution of threats, % of participation)

| Infostealer | Devices | Share |
|-------------|---------|-------|
| Lumma       | 4676 | 30% |
| Redline     | 4056 | 26% |
| Risepro     | 3675 | 24% |
| Telegram    | 1584 | 10% |
| Vidar       | 955  | 6%  |
| Stealc      | 358  | 2%  |
| Raccoon     | 308  | 2%  |
| Total       | 15612 | 100% |

(The slide also shows the same counts as a bar chart on a logarithmic scale.)

Statistics & Comparisons: Colombia, Near Countries and Similar Cultures
(Living infostealer threats per country, devices and % share)

| Infostealer | Colombia | Perú | Ecuador | México |
|-------------|----------|------|---------|--------|
| Lumma    | 309 (21%) | 248 (18%) | 173 (16%) | 360 (22%) |
| Raccoon  | 28 (2%)   | 40 (3%)   | 11 (1%)   | 16 (1%)   |
| Redline  | 566 (39%) | 396 (28%) | 359 (33%) | 524 (33%) |
| Risepro  | 372 (25%) | 253 (18%) | 387 (36%) | 344 (21%) |
| Stealc   | 21 (1%)   | 28 (2%)   | 29 (3%)   | 29 (2%)   |
| Telegram | 81 (6%)   | 338 (24%) | 50 (5%)   | 260 (16%) |
| Vidar    | 93 (6%)   | 90 (7%)   | 64 (6%)   | 80 (5%)   |
| Total    | 1470      | 1393      | 1073      | 1613      |

Statistics & Comparisons: Colombia & Different Cultures
(Living infostealer threats per country, devices and % share)

| Infostealer | Colombia | Argentina | Brazil | Chile |
|-------------|----------|-----------|--------|-------|
| Lumma    | 309 (21%) | 317 (20%) | 2203 (58%) | 303 (14%) |
| Raccoon  | 28 (2%)   | 29 (2%)   | 37 (1%)    | not labelled in the chart (the country total implies 3) |
| Redline  | 566 (39%) | 532 (33%) | 632 (17%)  | 326 (15%) |
| Risepro  | 372 (25%) | 424 (27%) | 499 (13%)  | 967 (46%) |
| Stealc   | 21 (1%)   | 29 (2%)   | 18 (0%)    | 126 (6%)  |
| Telegram | 81 (6%)   | 184 (11%) | 316 (8%)   | 161 (8%)  |
| Vidar    | 93 (6%)   | 84 (5%)   | 97 (3%)    | 222 (11%) |
| Total    | 1470      | 1599      | 3802       | 2108      |

The ecosystem of credentials: just Colombia…

Colombia, devices affected
| Infostealer | Devices |
|-------------|---------|
| Redline  | 566 |
| Risepro  | 372 |
| Lumma    | 309 |
| Vidar    | 93  |
| Telegram | 81  |
| Raccoon  | 28  |
| Stealc   | 21  |
| Total    | 1470 |

Credentials leaked from those 1470 devices, per company (bar chart on a logarithmic scale, Company 1 to Company 10; the per-company counts shown are 2, 41, 33, 21, 123, 155, 17, 497, 0 and 0). Data from Jul 2023 to Apr 2024. The top 10 Merco companies in Colombia show 889 credentials.
Companies in this chart do not preserve Merco's top 10 order… intentionally changed to protect their reputation :)

BONUS: credentials of Colombia's public entities (gov.co). Data from Feb 1st to Apr 17th for the gov.co domains: 8449 credentials.
This demonstrates the difficult status of the Government sector.

Description and Characteristics of the Identified Infostealers

| | Lumma Stealer | Redline Stealer | Risepro Stealer |
|---|---|---|---|
| Available from | August 2022 | February 2020 | December 2022 |
| Nationality | Russian | Russian | Russian |
| Programming language | C++ | C# (.NET) | C++ |
| Distribution methods | Infected email attachments, malicious online advertisements, social engineering, software "cracks", Discord (messages sent via Discord), YouTube (cracks of software). | Infected email attachments, malicious online ads, social engineering, software cracks. | Infected email attachments, malicious online advertisements, social engineering, software "cracks", Discord (messages sent via Discord), YouTube (cracks of software), GitHub (cracks of software). |
| Damage | Stolen passwords and banking information, identity theft, web browsers, wallets, and the victim's computer added to a botnet. | Collects information like passwords, credit cards, cookies, location, web browsers, VPN, FTP and more. Additionally, RedLine can be used to deliver more malware, like ransomware, RATs, trojans, miners. | Collects information like passwords, credit cards, cookies, location, Bitcoin wallets, and web browsers. |
| Target | A wide range of systems, ranging from Windows 7 up to 11. | A wide range of systems, ranging from Windows 7 up to 11. | A wide range of systems, ranging from Windows 7 up to 11. |

Lumma, Risepro, Redline: information gathered; markets and sales
(Screenshots of the stealer panels and market listings, not transcribed.)

Redline: Administration & Stealing Operations
https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer

Redline logs: example
https://www.neteye-blog.com/wp-content/uploads/2022/12/talk2_marketplace_giaimo.pdf

Recommendations

To avoid being infected
• Enforce an authorized software execution policy.
• Do not download pirated software or cracks, and install anti-virus software on all devices.
• Train users to be aware of phishing threats and implement 2FA.
• Hunt or block stealer-related indicators of compromise (IoCs).
• Store passwords securely, not in the browser.

To mitigate the impact
• Isolate the infected machine and remove the threat.
• Perform an anti-malware scan on the infected host to validate that no persistence mechanisms remain.
• Reset passwords and session cookies; block credit cards.
• If passwords are stored in web browsers, they must be renewed.

Other recommendations
• Constantly search the Deep & Dark Web for this information, including Telegram channels, forums and illicit channels.
• Help implement all of these recommendations at your work and your home.

"Understanding how infostealers are distributed and how they work is the first step towards protecting a company's or an individual's information system from this threat"
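The mitigation "reset passwords and session cookies" bundles two actions because a stolen cookie is a live session that a password change alone does not touch. The following added example (not code from the talk) replays that situation with a minimal signed-cookie session scheme: the cookie is an HMAC over the user name and issue time, and each user record carries a "sessions not valid before" timestamp that a reset can bump. The signing key, the user names and the timestamps are assumptions for illustration.

```python
"""Why "reset passwords AND session cookies": a stolen cookie outlives a password change.

Added example, not code from the talk. Minimal HMAC-signed session cookie with
a per-user revocation timestamp; all names, keys and times are illustrative.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment cookie-signing key
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    # Any cookie issued before this instant is rejected, however valid its signature.
    sessions_not_before: float = 0.0


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(name: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, _hash_pw(password, salt))


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()


def issue_cookie(user: User, now: float) -> str:
    """Session cookie = name|issued_at|HMAC. This string is what a stealer exfiltrates."""
    payload = f"{user.name}|{now:.3f}"
    return f"{payload}|{_sign(payload)}"


def session_user(cookie: str, users: dict):
    """Resolve a cookie to a User, or None if forged, unknown or issued before revocation."""
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    name, issued, sig = parts
    if not hmac.compare_digest(_sign(f"{name}|{issued}"), sig):
        return None
    user = users.get(name)
    if user is None or float(issued) < user.sessions_not_before:
        return None
    return user


def reset_password(user: User, new_password: str, now: float, revoke_sessions: bool) -> None:
    """Rotate the credential; only revoke_sessions=True also kills already-issued cookies."""
    user.salt = secrets.token_bytes(16)
    user.pw_hash = _hash_pw(new_password, user.salt)
    if revoke_sessions:
        user.sessions_not_before = now


def demo() -> dict:
    """Replay the incident: cookie stolen at t0, two resets afterwards."""
    t0 = 1_700_000_000.0
    users = {"ana": create_user("ana", "old-password")}
    stolen = issue_cookie(users["ana"], t0)                 # exfiltrated by the stealer
    results = {}
    # Password-only reset one hour later: the attacker's cookie still resolves.
    reset_password(users["ana"], "new-password", t0 + 3600, revoke_sessions=False)
    results["password_only_reset"] = session_user(stolen, users) is not None
    # Reset plus session revocation: the stolen cookie is now dead...
    reset_password(users["ana"], "newer-password", t0 + 7200, revoke_sessions=True)
    results["reset_and_revoke"] = session_user(stolen, users) is not None
    # ...while a fresh login after the reset works normally.
    fresh = issue_cookie(users["ana"], t0 + 7200)
    results["fresh_login_after_revoke"] = session_user(fresh, users) is not None
    return results


if __name__ == "__main__":
    for scenario, attacker_still_in in demo().items():
        print(f"{scenario}: cookie accepted = {attacker_still_in}")
```

The same check applies to OAuth refresh tokens and API keys found in the stolen browser profile: the reactive step is only complete once the server side refuses everything issued before the reset, which is why the recommendation lists cookies next to passwords rather than treating the password change as sufficient.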

Thanks For Watching
www.bsidesco.org
@avechuch0
@Lj10William