Analysis of Information-Stealing Malware Logs and the Fight Against CSAM


Introduction

A comprehensive analysis of information-stealing malware logs found on the dark web has uncovered thousands of individuals involved in the consumption of child sexual abuse material (CSAM). This discovery highlights the potential use of such information in combating severe crimes.

Key Findings

According to a proof-of-concept (PoC) report published by Recorded Future last week, approximately 3,300 unique users were identified with accounts on known CSAM sources. Notably, 4.2% of these users had credentials for multiple sources, indicating a higher likelihood of criminal behavior.

Rise of Info-Stealer Variants

Over recent years, off-the-shelf info-stealer variants have emerged as a widespread threat. These malware strains target various operating systems to siphon sensitive information such as credentials, cryptocurrency wallets, payment card data, and screenshots. Prominent examples include Kematian Stealer, Neptune Stealer, 0bj3ctivity, Poseidon (formerly RodStealer), Satanstealer, and StrelaStealer.

Distribution and Impact

Info-stealer malware is commonly distributed through phishing campaigns, spam emails, cracked software, fake update websites, SEO poisoning, and malvertising. The data harvested by these programs typically ends up on the dark web in the form of stealer logs, which are then purchased by other cybercriminals to further their schemes.

The Corporate Risk

Flare's report from July highlighted the increased risk of infection due to employees saving corporate credentials on personal devices or accessing personal resources on organizational devices. A complex ecosystem exists where malware-as-a-service (MaaS) vendors sell info-stealer malware on illicit Telegram channels, threat actors distribute it via fake cracked software or phishing emails, and logs from infected devices are sold on specialized dark web marketplaces.

Detailed Analysis of CSAM Credentials

Recorded Future's Insikt Group identified 3,324 unique credentials used to access known CSAM domains between February 2021 and February 2024. This information helped unmask three individuals maintaining accounts on at least four websites. Cryptocurrency wallet addresses captured in the same stealer logs can potentially be checked to determine whether those addresses have been used to procure CSAM or other harmful material.
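The cross-referencing described in the Key Findings and Detailed Analysis sections, in miniature: a stealer-log excerpt is matched against a watchlist of domains, credentials are deduplicated per user, and the share of users with accounts on more than one watchlisted source is computed. This is an added example, not Recorded Future's or Flare's tooling; the "url | username | password" line layout, the domain watchlist and every credential are constructed placeholders, and the user field is assumed to be a stable identity key.

```python
"""Cross-reference info-stealer log records against a domain watchlist.

Added example; all domains, users and passwords below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed watchlist of domains under investigation.
WATCHLIST = {"forum-a.example", "forum-b.example", "forum-c.example"}

# Constructed stealer-log excerpt in a common "url | user | password" layout,
# including a duplicate entry, an off-watchlist site, a scheme-less URL and junk.
SAMPLE_LOG = """\
https://forum-a.example/login | alice | pw1
https://www.forum-a.example/login | alice | pw1
http://forum-b.example/ | alice | pw2
https://shop.example/account | bob | pw3
https://forum-c.example/signin | carol | pw4
garbage line without separators
https://forum-b.example/login | dave | pw5
forum-c.example/login | erin | pw6
"""

def normalize_host(host):
    """Lower-case the hostname and drop a leading 'www.' so variants collapse."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def parse_records(text):
    """Yield (domain, username) pairs from log lines; skip malformed ones."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[1]:
            continue
        url = parts[0] if "://" in parts[0] else "//" + parts[0]  # scheme-less URLs
        host = urlsplit(url).hostname
        if host:
            yield normalize_host(host), parts[1]

def summarize(text, watchlist):
    """Count unique users with watchlisted accounts and those on >1 domain."""
    domains_by_user = defaultdict(set)  # user -> set of watchlisted domains
    for domain, user in parse_records(text):
        if domain in watchlist:
            domains_by_user[user].add(domain)
    total = len(domains_by_user)
    multi = sum(1 for d in domains_by_user.values() if len(d) > 1)
    return {"unique_users": total, "multi_source_users": multi,
            "multi_source_share": multi / total if total else 0.0}
```

On the constructed excerpt this yields four watchlisted users, one of whom (alice) holds accounts on two sources, a 25% multi-source share; the report's 4.2% figure was derived the same way at scale.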

Geographic Distribution

The analysis revealed that countries such as Brazil, India, and the U.S. had the highest counts of users with credentials to known CSAM communities. However, the company cautioned that this could reflect overrepresentation of those countries in the sources from which the dataset was drawn rather than a genuine geographic pattern.

The Ongoing Threat

The report emphasized that info-stealer malware and stolen credentials are expected to remain integral to the cybercriminal economy due to the high demand from threat actors seeking initial access to targets. Recorded Future has shared its findings with law enforcement agencies to aid in their efforts to combat this issue.

Conclusion

Info-stealer logs offer significant potential for investigators and law enforcement partners to track child exploitation activities on the dark web. Despite the challenges in tracing such activities, the insights gained from these logs can provide valuable information in the fight against CSAM and other serious crimes.