Threat Spotlight: Infected Devices & the Growing Threat of Stealer Malware 

Executive Summary

  • Infected device markets continue to grow on both the dark and clear web. These markets sell access to infected computers: the saved credentials, session cookies and browser fingerprints harvested by stealer malware, which a buyer can use to take over online accounts.
  • Even unsophisticated threat actors can purchase a browser fingerprint for as little as $10 and gain access to hundreds of unique logins stored in the browser, with the potential to bypass corporate 2FA controls.
  • Monitoring for these listings manually is almost impossible, and traditional dark web monitoring approaches are often ineffective at finding IOCs related to infected device markets.
  • We expect infected device markets to continue to scale, making them an increasingly important reason to monitor the dark and clear web extensively.

The Details

Monitoring illicit communities is not a new concept for information security teams. Most organizations with a mature information security program already monitor dark web markets and forums to identify third-party exposure, stolen corporate credentials, and malicious actor TTPs. However, the increasing popularity of infected device marketplaces poses an entirely new challenge, and a new set of opportunities, for security professionals.

Launched in late 2018, Genesis Market showed great potential as the first marketplace focused on digital identities rather than individual stolen credentials. At a basic level, Genesis Market (and later Russian Market) sell access to the browser fingerprints of computers infected with stealer malware, together with the credentials and session cookies the malware harvested. The buyer loads this data into a browser that mimics the victim's fingerprint, gaining access to dozens or even hundreds of credentials stored in the browser and, in many cases, the ability to bypass 2FA controls: a replayed session cookie is already authenticated, and a matching fingerprint avoids the "new device" checks that would otherwise trigger a second factor.

Monitoring infected device marketplaces isn't always simple, since a listing carries very little identifying information that could be used to automatically detect compromised corporate accounts. An average listing contains:

• The country where the bot is located

• The number of resources attached to the bot (sites for which the stealer captured saved logins, cookies or form data)

• The number of browsers from which information was stolen (Fingerprints)

• The date on which the bot was installed, and last updated

• A partial IP address

• The operating system of the bot

• A list of all resources available

Even more concerning, these markets have commoditized and simplified their offerings so that even unsophisticated threat actors can use fingerprints. As the image below shows, downloading a fingerprint is as simple as shopping at Walmart. Marketplaces even provide detailed guides and tutorials on how to use the bots to execute successful attacks.

Most, but not all, listings are focused on individuals with access to banking and financial services accounts that threat actors can exploit. However, a significant portion of listings, especially on Russian Market, are Windows 10 Enterprise devices, indicating that a substantial number of offerings are likely corporate computers that could hold logins to high-value internal corporate accounts and environments.

How Flare can Help

Monitoring infected device markets doesn't have to be difficult or manual. Both Russian Market and Genesis Market can be monitored effectively by searching for devices that have access to corporate subdomains or other sites that only a corporate computer from your organization would access (given that there are over 400,000 listings on just one marketplace, automation is key here!). This lets you rapidly detect IOCs and narrow down specific devices based on the partial IP ranges provided in the listing. Once a device is identified, treat every credential and session stored on it as compromised: reset the passwords and revoke active sessions and tokens rather than relying on 2FA, since the listing sells exactly what is needed to get past it.
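The triage logic described above, as an added example that is not Flare's code or any marketplace's data: it takes listings with the fields described earlier (country, OS, install date, partial IP, resource list), flags those whose resources are a corporate domain or subdomain, and checks the partial IP against corporate egress ranges. The listing format, the "a.b.c.x" masking of the last octet, the domains and the IP ranges are all constructed assumptions. Domain matching is label-aware so that a look-alike such as example.com.evil.net does not match example.com.

```python
"""Match infected-device market listings against an organization's assets.

Added example, not Flare's code. The listing format below is a hypothetical
one modelled on the fields described in the post; all sample data is made up.
"""
import ipaddress
import re
from datetime import date

# Constructed sample listings (not scraped from any market). The partial IP
# format "a.b.c.x" (last octet masked) is an assumption about the market.
SAMPLE_LISTINGS = [
    {"id": "bot-001", "country": "US", "os": "Windows 10 Enterprise",
     "installed": "2022-11-03", "partial_ip": "203.0.113.x",
     "resources": ["vpn.example.com", "mail.example.com", "amazon.com"]},
    {"id": "bot-002", "country": "DE", "os": "Windows 10 Home",
     "installed": "2022-10-21", "partial_ip": "198.51.100.x",
     "resources": ["paypal.com", "example.com.evil.net"]},
    {"id": "bot-003", "country": "US", "os": "Windows 11 Pro",
     "installed": "2022-12-01", "partial_ip": "198.51.100.x",
     "resources": ["sso.okta.com", "jira.corp.example.com"]},
]

# Hypothetical organization: its registered domains and public egress ranges.
CORP_DOMAINS = {"example.com"}
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def resource_matches(resource: str, domains) -> bool:
    """True if the resource is one of our domains or a subdomain of one.

    Suffix matching is label-aware: compare whole '.'-separated labels so
    that 'example.com.evil.net' does not match 'example.com'.
    """
    host = resource.strip().lower().rstrip(".")
    # Some listings include a scheme or path; keep only the hostname.
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host).split("/")[0]
    for d in domains:
        d = d.lower()
        if host == d or host.endswith("." + d):
            return True
    return False


def partial_ip_in_ranges(partial_ip: str, ranges) -> bool:
    """Check a last-octet-masked IP such as '203.0.113.x' against CIDR ranges.

    A masked last octet only pins the bot down to a /24, so test whether that
    /24 overlaps any corporate range instead of testing a single address.
    """
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(?:x+|\*|\d{1,3})",
                     partial_ip.strip())
    if not m:
        return False
    try:
        candidate = ipaddress.ip_network(".".join(m.groups()) + ".0/24")
    except ValueError:  # e.g. an octet above 255
        return False
    return any(candidate.overlaps(r) for r in ranges)


def triage(listings, domains=CORP_DOMAINS, ranges=CORP_RANGES,
           today=date(2023, 1, 1)):
    """Return the listings worth investigating, with the reasons they matched.

    A corporate resource is the strong signal (only our machines log in to our
    own subdomains); an IP-range overlap alone is weak and is ranked low.
    `today` is fixed so that the age calculation is deterministic.
    """
    hits = []
    for listing in listings:
        corp = [r for r in listing["resources"] if resource_matches(r, domains)]
        ip_hit = partial_ip_in_ranges(listing["partial_ip"], ranges)
        if not (corp or ip_hit):
            continue
        if corp and ip_hit:
            priority = "high"
        elif corp:
            priority = "medium"
        else:
            priority = "low"
        hits.append({
            "id": listing["id"],
            "os": listing["os"],
            "corp_resources": corp,
            "ip_range_overlap": ip_hit,
            "age_days": (today - date.fromisoformat(listing["installed"])).days,
            "priority": priority,
        })
    # Newest infections first within a priority: their sessions are likeliest live.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(hits, key=lambda h: (order[h["priority"]], h["age_days"]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTINGS):
        print(hit)
```

The partial IP is deliberately treated as a weak signal: shared NAT egress and masked octets mean an overlap only narrows the search, whereas a saved login for an internal hostname is close to conclusive and should drive the credential and session revocation.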

Flare provides a unified approach to:

  • Identifying external threats across the clear and dark web, including infected devices, leaked credentials, data leaks, and other threats
  • Conducting detailed investigations on malicious actors that may have listed IOCs associated with your organization
  • Understanding your organization's external data exposure (digital footprint), with prioritized recommendations for remediation

Discover how Flare can simplify infected device monitoring with a free trial.

Interested in learning more? You can check out our full (ungated) report on the Stealer Malware Ecosystem here.