
Free the Connect: Chapo’s “Stealer Log Bible” Exposed


While much has been written about the infostealer pandemic, and about how these infection chains are often precursors to ransomware attacks, the specific actions threat actors take to operationalize and monetize stolen credentials are not broadly understood. This blind spot is significant because infostealers were the primary intrusion vector for 61% of all data breaches in 2023, according to vendor research. The same report tracked a staggering 343 million user credentials compromised by infostealers last year.

Infostealers are relatively primitive malware binaries designed to harvest credentials and other digital fingerprints from unsuspecting victims. While the malware itself is generally basic, the techniques threat actors use to spread infostealer malware and target corporate users can be sophisticated. Common infostealer infection vectors include the downloading of pirated software from malicious websites, streaming video and TV content accessed via torrent services, malvertising, and black SEO techniques that exploit typosquatted domains.

Once the infostealer has harvested the targeted data from an infected system, it exfiltrates the resulting log to a command and control (C2) server controlled by threat actors. In this threat landscape, an entire ecosystem has emerged on the Dark Web, Telegram, and Discord channels dedicated to the buying and selling of stealer malware and related logs (login credentials and other uniquely identifying digital fingerprints). While the majority of infostealers are designed to target Windows systems, there has been a notable increase in macOS-focused stealers over the last year.

Notable data breaches linked to infostealer infection chains include Snowflake, Orange Spain, Airbus, and Uber. According to Hudson Rock research, threat actors who have gained infamy for their use of infostealers include the recently doxed USDoD, Sp1d3rHunters, IntelBroker, Lapsus$, and Andariel.

But once threat actors of this sort obtain logs from popular stealers like Vidar, Raccoon, and Redline, how exactly do they weaponize these stolen credentials? A recent tutorial posted on the revamped Breach Forums by threat actor ‘Chapo’ purports to shed light on this largely unexplored topic.

How to Monetize Logs in 2024

Chapo published the post titled “(FULL GUIDE) Stealer Logs Bible | How To Monetize Your Logs In 2024” on August 8, 2024. Chapo is an MVP-level member of the forum, indicating that he is one of the higher-reputation threat actors in the Breach community. The threat actor’s post specifically focuses on monetizing logs obtained from Redline stealer malware infections.

Chapo teaches noobs how to monetize their logs, Source: Breach Forums

Redline is an infostealer that was first released in February 2020. This stealer was “cracked” shortly after its release, enabling threat actors to access pirated versions of the malware and circumvent the related licensing and subscription fees. In the May 2022 XSS forum post below, threat actor “Babylonian” provides community members with an introduction to the Redline Stealer and diagrams the evolution of Redline-enabled infostealer campaigns.

Deep Dive into Redline Stealer: Leaking Credentials with WCF, Source: XSS

Per Babylonian’s guide, Redline Stealer is “mainly distributed through phishing emails or malware disguised as installation files, such as Telegram, Discord, and cracked software. However, more recently, a phishing link has been used to download a Chrome extension containing Redline Stealer by abusing the description of YouTube videos and Google Ads, or a Python script is distributed that runs Redline Stealer via FTP.”

According to recent vendor research, RedLine is one of the three most popular stealer families observed in the wild today. Redline alone accounted for “over 170 million compromised passwords in the six months between October 2023 and March 2024,” according to this report.

Redline stealer Telegram channel, Source: Telegram

As the reader can see from the screenshot above, Redline’s “cloud of logs” pricing schedule ranges from $100 to $490 per month, depending on the user’s subscription tier.

Per Bank Info Security reporting, cloud of logs services entail “vendors offering subscription access to a library of the vendor’s logs, typically hosted on a private cloud-based forum or made accessible via Telegram and frequently updated.” However, recent grumblings on the Dark Web suggest some threat actors are disenchanted with the log cloud model, a topic Paranoid Lab will address in the last section of this report.

In his post, Chapo writes “Redline is a paid tool that got cracked and was used by most of the hackers looking to steal data in the last few years. Another important point is that most checkers and tools was made based on redline, this means if you’re using another stealer format, some tools will not be able to work with your log.”

Check Yourself Before You Wreck Yourself

Per Recorded Future, checkers are “automated tools (scripts or software) used by cybercriminals to check the validity of user login credential combinations in bulk. Checkers may use the website’s main page, mobile app, or an application program interface (API) function to identify valid accounts.”

Checkers are frequently used in combination with infostealer logs to conduct credential stuffing attacks. Credential stuffing is a cousin of brute-force attacks: rather than guessing passwords, adversaries take username and password pairs exposed in a data breach or stealer log and use an automated script to replay those pairs against one or more targeted services where the victim is believed to have an account. In these attacks, threat actors are specifically checking for password reuse. The financially catastrophic 23andMe breach is a prime illustration of this attack pattern.

Thus, Recorded Future notes that checkers “automate and commoditize credential-stuffing attacks for easier and faster ways of gaining access to user accounts and personally identifiable information (PII). In fact, checkers may outnumber legitimate login attempts by a factor of greater than four to one.” Checkers are also used by threat actors focused on the crypto niche to ascertain the deposit balances of targets’ cryptocurrency accounts.
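Recorded Future’s “greater than four to one” figure points at the defensive counterpart of a checker: its login pattern does not look like a person’s. The following is an added example written for this report (it is not Chapo’s tooling, BLTools, or any vendor’s detection rule) that runs a simple credential-stuffing detector over constructed login-log lines. It flags a source that cycles through many distinct usernames with a low success rate inside a short window, lists the accounts whose credentials validated (the ones a defender resets first), and computes the share of all attempts that came from flagged sources. The log format, usernames and IP addresses are constructed for the example.

```python
"""Credential-stuffing (checker) detection over web login logs.

Added example for this report; it is not Chapo's tooling, BLTools, or any
vendor's detection rule. The log format is constructed for the example:
"<ISO timestamp> <source IP> <username> <OK|FAIL>", one attempt per line.
A checker replays breached username/password pairs, so its signature is one
source cycling through MANY distinct usernames with a LOW success rate in a
short window. A user fumbling one password fails repeatedly on ONE username
and then succeeds, which the distinct-username threshold leaves alone.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 behaves like a checker (six usernames in six
# seconds, one hit), 198.51.100.5 is a real user mistyping a password twice.
SAMPLE_LOG = """\
2024-08-08T10:00:01 203.0.113.7 alice FAIL
2024-08-08T10:00:02 203.0.113.7 bob FAIL
2024-08-08T10:00:03 203.0.113.7 carol OK
2024-08-08T10:00:04 203.0.113.7 dave FAIL
2024-08-08T10:00:05 203.0.113.7 erin FAIL
2024-08-08T10:00:06 203.0.113.7 frank FAIL
2024-08-08T10:01:10 198.51.100.5 alice FAIL
2024-08-08T10:01:25 198.51.100.5 alice FAIL
2024-08-08T10:01:40 198.51.100.5 alice OK
2024-08-08T10:02:00 198.51.100.9 bob OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_checkers(events, window=timedelta(minutes=5), min_users=5,
                  max_success_rate=0.2):
    """Return {ip: stats} for sources whose login pattern looks like a checker.

    Flag an IP when (a) its overall success rate is at or below
    max_success_rate and (b) some sliding window of length `window` contains
    at least min_users distinct usernames. Stats include the accounts whose
    credentials validated, i.e. the ones the defender must reset first.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        successes = [u for _, u, ok in attempts if ok]
        if len(successes) / len(attempts) > max_success_rate:
            continue  # mostly succeeding: not bulk validation of unknown creds
        start = 0
        burst = False
        for end in range(len(attempts)):
            # Advance the window start until the span fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u, _ in attempts[start:end + 1]}) >= min_users:
                burst = True
                break
        if burst:
            flagged[ip] = {
                "attempts": len(attempts),
                "distinct_users": len({u for _, u, _ in attempts}),
                "valid_accounts": sorted(set(successes)),
            }
    return flagged


def checker_share(events, flagged):
    """Fraction of all login attempts that came from flagged sources."""
    if not events:
        return 0.0
    return sum(1 for _, ip, _, _ in events if ip in flagged) / len(events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_checkers(evs)
    print(hits)
    print(f"{checker_share(evs, hits):.0%} of attempts came from checkers")
```

The thresholds (five usernames in five minutes, at most one success in five) are starting points, not tuned values; a checker running through a large log at one request per second will exceed them in seconds, while a shared corporate NAT address with many legitimate users will exceed the distinct-username threshold but not the failure-rate one.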

Meanwhile, Chapo’s post notes that logs can have “different info based on what the victim used. Not all victims will have Critpo [sic] wallets, so not all Redline logs will have wallets and so on. You can always aim for a niche while spreading to get better chances of finding what you looking for.”

Additionally, Chapo advises that the “country is important too. If you’re aiming for banks, wallets, etc, aiming for rich countries such as US, UK, CA is a good idea. Now if you’re aiming for social media for example, maybe aiming for India, Brazil, will be better.”

Most Valuable Log Data

Regarding the most valuable user data contained in logs, Chapo specifies the following:

  • Browser logins and passwords
  • Browser cookies
  • Browser saved credit cards (without CVV, you can try to find on autofills.txt, but small chance)
  • Steam account SSFN files
  • Telegram/Discord session (Telegram session/Discord token)
  • Crypto wallets (from browser and app)
  • VPN clients
  • FTP clients

These classes of log data have different applications for various kinds of financial frauds and ransomware attacks. For example, browser cookies and stored credit card data would be most favored by threat actors looking to conduct bank fraud or to access high-value personal accounts.

VPN credentials, meanwhile, would be most favored by ransomware actors seeking to gain an entry point into corporate networks. Steam and Discord session data would be most desirable to threat actors looking to conduct frauds that have a nexus to gaming or crypto.

As for FTP client credentials, these give threat actors access to the web servers and file shares the victim administers. Threat actors can also configure their infostealers to grab documents, Excel files, and PDFs that match specified keywords indicative of highly sensitive organizational data, or the usual personally identifiable information (PII) like names, birthdays, social security numbers (SSNs), and payment card data. Additionally, with valid FTP credentials threat actors can upload malicious web shells to the related web resources, giving them remote access to the hosting server for deeper exploitation.

BLTools

When it comes to monetizing log data, Chapo again emphasizes the value of checker services. Chapo writes “I highly recommend you getting a checker. You can use BLTools, it’s great, checks all cookies sessions and gives you detailed info from what it finds.

If you’re not going for the checker, the process will be manual, open the cookies.txt file from your logs and find the URL of some good sites you’re able to monetize (Instagram, YouTube, casinos, Twitch, Twitter, Steam, PayPal, Google Pay, banks, etc).”

BLTools is a checker developed by a threat actor who goes by the alias ‘Twizzy’ on the XSS cybercriminal forum. Twizzy released their latest checker version, BLTools v2.9, in March 2024. According to an XSS post advertising this release, the update includes the following new features:

  • Added Steam inventory value check
  • Added sorting of accounts with Knives, Gloves. (Steam)
  • Added check for active sale lots (Steam)
  • Corrected check Community Ban, VAC Ban (now displays the name of the game) (Steam)
  • Added check for Prime CS2 (Steam)
  • Updated notifications in Telegram about the end of work. Now you only need to specify the recipient’s UserID.

Twizzy announces BLTools checker v2.9 update, Source: XSS

BLTools’ emphasis on Steam updates in its latest version release speaks to the rising value of the online gaming market and the digital assets exchanged therein. Cybercriminals are thus targeting this sector accordingly. Per recent research from Kaspersky, “criminals target game accounts to steal valuable items, such as real money, in-game currency, and various in-game items, such as expensive skins. Steam accounts seem to be more appealing to cybercriminals due to the potential to find and steal real money on them.”

Get Your Cookies

After running logs through a checker and pinpointing vulnerable accounts, Chapo instructs his readers to “open your cookies file and copy everything in there. Don’t worry about using cookies from multiple sites at the same time, they’ll be ignored when importing on your browser. Your cookies file should look like this:”

Chapo’s Cookie File, source: Breach Forums

Chapo notes that the cookie file displayed above is in the “Netscape format,” a plain-text layout with one cookie per line and tab-separated fields. But to import this file into their browsers, Chapo advises his readers to convert the file to JSON using the “cookie converter” service on accovod.com. Accovod is an antidetect browser that has legitimate uses for digital marketers. However, these types of anti-fingerprinting applications are also commonly used by threat actors to conduct credit card and other online financial frauds.

After converting the cookie file to a JSON format, Chapo advises readers to “download a browser extension to manage cookies and import it. Go to the site you’re trying to log in and open the extension while browsing this site. Clear all cookies you already had and import the cookies you just converted to JSON. After importing, refresh the page.

If all goes well, you’ll be logged into the account.”

But if the cookie doesn’t work, Chapo notes that it “probably expired or the site has a good security (most money-related sites such as casinos, banks, cookies don’t work) and that’s okay, go for the next one.”
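The Netscape cookie file Chapo describes has seven tab-separated fields per line (domain, include-subdomains flag, path, secure flag, Unix expiry, name, value; the same cookie-jar layout curl writes, with “#HttpOnly_” prefixed to the domain of HttpOnly cookies), so the conversion he outsources to accovod.com is a field mapping. The following added example, written for this report and not Chapo’s code or the accovod.com converter, parses such a file, marks which cookies were already expired at the date of the post (the failure mode Chapo mentions), filters by domains of interest, and emits the JSON array shape that cookie-manager extensions typically import. The same parse is what an incident responder does with a recovered log to decide which of their users’ sessions are still live and must be revoked. The sample jar, domain names and values are constructed placeholders.

```python
"""Triage of a Netscape-format cookies.txt recovered from a stealer log.

Added example for this report; it is not Chapo's code or the accovod.com
converter. It parses the seven tab-separated fields of the Netscape cookie-jar
format (domain, include-subdomains flag, path, secure flag, Unix expiry, name,
value; a "#HttpOnly_" prefix on the domain marks an HttpOnly cookie),
separates cookies still live at a reference time from expired ones, filters
by domains of interest, and emits the JSON array shape that cookie-manager
extensions typically import. The sample jar, domains and values are
constructed placeholders.
"""
import json

# 2024-08-08T00:00:00Z, the date of Chapo's post, used as "now" for the sample.
REFERENCE_TIME = 1723075200

# Constructed sample: one live social-media session, one expired bank session,
# one session cookie (expiry 0) and one host-only cookie on a sub-path.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".example-social.test\tTRUE\t/\tTRUE\t1893456000\tsessionid\tAAAA1111\n"
    "#HttpOnly_.example-bank.test\tTRUE\t/\tTRUE\t1704067200\tauth\tBBBB2222\n"
    ".example-shop.test\tTRUE\t/\tFALSE\t0\tcart\tCCCC3333\n"
    "www.example-video.test\tFALSE\t/account\tTRUE\t1893456000\tsid\tDDDD4444\n"
)


def parse_netscape(text):
    """Parse Netscape cookie-jar lines into dicts in the extension-JSON shape."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess at fields
        domain, include_sub, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain,
            "hostOnly": include_sub.upper() != "TRUE",
            "path": path,
            "secure": secure.upper() == "TRUE",
            "httpOnly": http_only,
            "expirationDate": int(expiry),  # 0 = session cookie, no expiry recorded
            "name": name,
            "value": value,
        })
    return cookies


def is_live(cookie, now):
    """True if the cookie has not expired at Unix time `now` (0 = session cookie)."""
    exp = cookie["expirationDate"]
    return exp == 0 or exp > now


def domain_matches(cookie_domain, target):
    """Match a cookie domain (dot-prefixed or a subdomain) against a site name."""
    d = cookie_domain.lstrip(".")
    return d == target or d.endswith("." + target)


def triage(text, now, domains_of_interest):
    """Per target domain, list the cookie names that are still live vs. expired."""
    report = {d: {"live": [], "expired": []} for d in domains_of_interest}
    for c in parse_netscape(text):
        for target in domains_of_interest:
            if domain_matches(c["domain"], target):
                status = "live" if is_live(c, now) else "expired"
                report[target][status].append(c["name"])
    return report


def to_extension_json(cookies):
    """Serialize cookies as the JSON array that cookie-manager extensions import."""
    return json.dumps(cookies, indent=2)


if __name__ == "__main__":
    jar = parse_netscape(SAMPLE_COOKIES_TXT)
    live = [c for c in jar if is_live(c, REFERENCE_TIME)]
    print(triage(SAMPLE_COOKIES_TXT, REFERENCE_TIME,
                 {"example-social.test", "example-bank.test"}))
    print(to_extension_json(live))
```

For a defender, the “live” list is the action item: each of those names is a server-side session that survives a password change unless the service also invalidates sessions, so revocation of active sessions, not just a reset, is what closes the window Chapo is exploiting.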

After checking your cookies, Chapo tells his readers they’ll “find a few accounts (Instagram, YouTube, Twitch, Twitter, Steam, PayPal, Google Pay, etc). Social media logs are really easy to monetize, you can sell his account in marketplace, use it to make phishing with his contacts, blackmail, etc. Be creative. Some sites will have cards linked, you know what to do from here.”

Chapo also notes the challenges associated with one-time password (OTP) security controls. To overcome this 2FA hurdle, Chapo advises his readers to “use a clean browser, spoof all his browser data such as: user agent, IP (use a residential proxy close to him), cookies, browser, using some tools (just take some time and search about, it’s worth the time).”

In the event would-be threat actors are still getting an OTP notification, Chapo recommends that they buy an OTP bot. Chapo writes that the “bot will try to trick the victim by calling him and asking for the code. To find the victims phone number, search his emails, social medias (you can also trick his friends to send you the number), etc. If you’re a newbie, you could also try finding a professional cashouter to do the hard part. Just make sure you find someone you trust.”

While some Russian-language cybercriminal forum chatter suggests that the heyday of OTP bots is over and that they are “mostly useless” today, JokerOTP is one such service that is heavily promoted on various Telegram channels. Many of these channels are nodes within the Gen Z Comm threat actor ecosystem, which promotes sim swapping, swatting, crypto drainer scams, illicit cash outs, and general violence as a service (VaaS).

As the reader can see from the Telegram screenshot below, the JokerOTP service includes a voice API solution that “empowers” threat actors to “effortlessly create Interactive Voice Response (IVR) systems, while granting you the flexibility to utilize any caller ID.”

JokerOTP Bot product description, Source: Telegram

Monetizing Sessions

The next section of Chapo’s tutorial deals with monetizing sessions from Steam, Telegram, Discord and other channels. The dominant theme that emerges in this section is how hijacked social media and gaming accounts themselves can be converted by cybercriminals into monetizable assets.

Chapo’s Steam configs and SSFNs, Source: Breach Forums

Notably, Chapo dedicates a lot of the discussion in this section to Steam. Commenting on the screenshot above, Chapo writes “the only important thing here is having 2 SSFN files, the rest is his Steam configs.” SSFN files are the Steam Guard device-authorization artifacts that mark a machine as trusted by the Steam client, so users do not have to verify their machine every time they log in.

To exploit Steam logs, Chapo instructs readers to “download Steam in your computer and go to the local Steam folder. As you can see, in this image there’s 2 SSFN files, that’s because I already logged into my personal Steam account. In case you already logged into any account, you should delete all SSFN files from there before anything. Then, copy both SSFN files from your logs and paste in your local Steam folder. In case you have your Steam open, close it (make sure to have it closed using task manager) and open it again.

Try to login using his Steam login (you can find it at passwords.txt). If everything goes well, you’ll bypass his Steam Guard and log into his account.”

From there, Chapo tells his readers to “check everything, games, inventory (you can find some expensive items), etc. You can either sell his account online or manage to sell his inventory with legit item buyers.” The guide also highlights a similar playbook for Discord, Telegram, and crypto wallet accounts.

The Log Supply Chain Post-Genesis

Overall, Chapo’s “Log Bible” is an elementary-level guide for inexperienced threat actors new to the infostealer game. As Chapo’s post illustrates, most infostealer activity is geared towards relatively low-level account takeover (ATO) frauds focused on hijacking social media and online gaming accounts for resale on the Dark Web and cryptocurrency theft.

This cybercriminal supply chain also relies on teams of low-level “traffers,” a term derived from the Russian word “Траффер” (also referred to as “worker” in the underground community), according to Sekoia research. These traffer teams are focused on redirecting targeted users’ web traffic to malicious content (malware, fraud, phishing, scam, etc.) generally operated by infostealer operators and customers. A quick scan of popular Russian cybercrime forums like XSS and Exploit reveals that traffic posts are among the most common vendor listings and customer solicitations in these communities.

“To generate traffic, traffers lure users from legitimate or compromised websites to redirect them to a server, a website, or malicious content operated by the botnet owner,” according to Sekoia. This research also notes that more “sophisticated traffers make use of the Traffic Distribution System (TDS) to operate and redirect traffic.”

Increasingly, “numerous traffers join a team to distribute information-stealing malware on behalf of the team administrator(s),” according to Sekoia. In these teams, Sekoia notes that “traffers can both be highly skilled threat actors and newcomers in the threat landscape, as they usually get training sessions when hired by a team.” But just like Chapo’s tutorial, these traffer groups are generally a “gateway into the cybercrime ecosystem for newcomers,” according to Sekoia.

While most of these “noobs” are focused on lower-level social media ATO and crypto thefts, more sophisticated teams are targeting credentials for enterprise Salesforce, Slack, and Microsoft Office 365 accounts. More concerning, these savvier threat actors are increasingly mining logs for credentials to enterprise remote monitoring and management (RMM) tools like ConnectWise ScreenConnect and AnyDesk to conduct higher-level cyberattacks on corporate entities.

More sophisticated threat actors such as ransomware attackers and nation-state adversaries favor logs containing these types of credentials because access to workplace collaboration and RMM resources facilitates lateral movement and living-off-the-land tradecraft. The latter specifically enables threat actors to conceal their malicious activity while blending in with normal application-level and network traffic.

Meanwhile, shockwaves from the 2023 Genesis Market takedown continue to reverberate through the log supply-chain ecosystem to this day. Specifically, threat actors who are active in the illicit log market have complained about the log cloud model. On July 27, 2024, ‘Churk’, a threat actor who specializes in using compromised logs to target crypto investors via SIM swapping and other methods, complained about the state of the market in the wake of the Genesis Market takedown by the Federal Bureau of Investigation.

Per his post, Churk appears to be encountering difficulties finding a “decent vendor” of logs. “Genesis is dead more than one year, but I remember back earlier there were dozens of private sellers, selling logs from Redline, Raccoon, Luma… Now I can’t see one. Only log clouds, which are shared among many users, which makes them almost useless.” So, while logs may be proliferating via cloud subscription-based models, their growing mass accessibility has diminished their overall utility. In the end, it seems like Churk and other aspiring log exploiters need to find more concierge-level ‘connects.’ But in the cyber-underworld, you need to be a certified “вор” to find log plugs of that caliber.