Infostealer Logs Analysis Report
Notice
The Infostealer Logs analysis report analyzes various Infostealer logs (RedLine, Raccoon, Vidar, Meta, etc.) collected from the deep and dark web, including Telegram. Please note that parts of the report's source and content cannot be verified.
Introduction
The purpose of this report is to provide a comprehensive insight into the cyber threat environment by conducting a deep analysis of the log data stolen by Infostealer malware. Unlike other reports that cover the analysis and trends of Infostealer malware, this report is based on the data of the actual infected systems to derive threat actors’ strategies, types of damages, and effective response measures. This report also analyzed 28,248,895 infection cases worldwide to identify the characteristics and patterns by region, system, and user type.
1) Data Overview
This report analyzes the Top 30 items among 9 key data fields extracted from the log files collected by Infostealer malware from August to October 2024 (RedLine – UserInfomation.txt, Raccoon – System Info.txt, Vidar – information.txt, etc.). While the entire log file contains more information, the Top 30 data items from the 9 key datasets were selected as the analysis target to clearly identify the threat actor’s strategies, the patterns of damages, and the effective response measures.
| Data | Description |
| --- | --- |
| attack_build_id | Build identifier of the malware |
| attack_file_path | Process injected by the malware and the file path it copied itself to |
| victim_pc_av | Target PC anti-virus information |
| victim_pc_country | Nationality of the target |
| victim_pc_location | Detailed location (city) of the target |
| victim_pc_machinename | Name of the affected PC |
| os_name | Operating system information of the target PC |
| user_type | User type (individual/company) |
| victim_pc_username | Victim’s username |
Table 1. Datasets used in the analysis
The Top 30 data for each dataset are the items that show the highest frequency in each field and can represent the main patterns and trends of the entire data. Through this data selection, the main features of the logs and the damage patterns caused by Infostealer malware have become even clearer. Although only a portion of the entire dataset was analyzed, it was deemed to have sufficient statistical significance to derive the trends and countermeasures against Infostealer malware over the past three months.
2) Main Analysis Results
(1) Attacker Profiling
According to the analysis of the attack_build_id, the Top 3 builds are ‘@mach***’ (2,294,689 posts), ‘@+uuz8-qluneu2***’ (1,687,579 posts), and ‘russia ***’ (1,215,748 posts). It is worth noting that a significant number of build IDs include the name or ID of a Telegram channel. This suggests that threat actors are using Telegram as a means to track and manage their activities.
Threat actors can be broadly categorized into Russian-speaking groups (“russia ***”, “@dmitriylo***”), Cloud-based groups (“@watercloud_ad***”, “@prdscloud_m***”), and Independent groups (“@mach***”, “@sup_n***”).

Figure 1. Top 10 threat actor build IDs of InfoStealer malware
(2) Analysis of Targeted Processes and Infection Paths
Through the analysis of the attack_file_path, the distribution of the main target paths (injection and copying itself) was identified. .NET Framework-related paths accounted for the highest proportion at 68.2%, followed by Windows system paths (21.5%), user temporary folders (8.7%), and others (1.6%). In particular, legitimate system files such as regasm.exe (44.3%), bitlockertogo.exe (13.8%), and msbuild.exe (9.2%) were mainly exploited as target processes for injection. For more information, refer to 4) In-Depth Analysis and Insights – (2) Patterns of Exploiting Injection in Legitimate Processes.
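As an added illustration that is not part of the original report, the following Python script applies the two classifications described above to a handful of constructed records: it pulls Telegram handles out of attack_build_id and sorts attack_file_path into the report's four path categories together with the injected process name. The sample records, the handle regex and the category rules are assumptions made for this example, not the report's own data or method.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample records as (attack_build_id, attack_file_path); not real log data.
SAMPLE_LOGS = [
    ("@mach_example", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ("@mach_example", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
    ("russia example", r"C:\Windows\System32\BitLockerToGo.exe"),
    ("build7", r"C:\Users\victim\AppData\Local\Temp\update.exe"),
    ("@watercloud_example", r"D:\Games\launcher.exe"),
]

# Assumed shape of Telegram handles embedded in build IDs ("@name", "@+invite-style").
TELEGRAM_HANDLE = re.compile(r"@[A-Za-z0-9_+\-]{3,}")


def path_category(path: str) -> str:
    """Map an injection/copy path onto the report's four path categories.
    Check order matters: .NET and Windows\\Temp paths also sit under the Windows directory."""
    p = path.lower().replace("/", "\\")
    if "\\microsoft.net\\" in p:
        return ".NET Framework"
    if "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p:
        return "User temp"
    if p.startswith("c:\\windows\\"):
        return "Windows system"
    return "Other"


def target_process(path: str) -> str:
    """Final executable name, lower-cased (regasm.exe, msbuild.exe, ...)."""
    return PureWindowsPath(path).name.lower()


def telegram_handle(build_id: str):
    """Return the Telegram handle found in a build ID, or None if there is none."""
    m = TELEGRAM_HANDLE.search(build_id)
    return m.group(0) if m else None


def summarise(logs):
    """Category share (%), injected-process counts and Telegram handle counts."""
    cats = Counter(path_category(path) for _, path in logs)
    procs = Counter(target_process(path) for _, path in logs)
    handles = Counter()
    for build_id, _ in logs:
        h = telegram_handle(build_id)
        if h:
            handles[h] += 1
    share = {c: round(100 * n / len(logs), 1) for c, n in cats.items()}
    return {"category_share": share, "processes": procs, "handles": handles}
```

Running `summarise(SAMPLE_LOGS)` on the constructed records yields a 40% .NET Framework share and two records attributed to the "@mach_example" handle, mirroring the report's way of ranking build IDs and injection targets.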