Combating CSAM with Malware

Analyzing information-stealing malware logs from the dark web has revealed thousands of consumers of child sexual abuse material (CSAM), highlighting how this data can be instrumental in combating serious crimes.

"Approximately 3,300 unique users were identified with accounts on known CSAM sources," stated a proof-of-concept (PoC) report by Recorded Future. "A significant 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior."

Introduction to Info-Stealers

Info-stealers are a type of malware specifically designed to capture sensitive information from infected devices. These can include login credentials, cryptocurrency wallet addresses, payment card details, and even screenshots of the user's activities. These malicious programs have become a pervasive threat in the cybersecurity landscape due to their effectiveness and ease of deployment. For example, the Emotet malware is known for its info-stealing capabilities and has caused billions in damages globally. Once an info-stealer infects a device, it silently operates in the background, collecting data and sending it back to the attacker. According to a report by Symantec, info-stealers have targeted over 600,000 devices worldwide in 2022 alone. This stolen data is often sold on the dark web, where other cybercriminals can purchase it for their nefarious activities. The rise of info-stealers has made it increasingly difficult for individuals and organizations to protect their sensitive information. Understanding how these malware variants work is crucial for developing effective defense strategies. Moreover, the impact of info-stealers extends beyond financial loss, as they can also be used to facilitate other crimes, such as identity theft and corporate espionage. By studying info-stealer logs, cybersecurity professionals can gain valuable insights into the methods and targets of cybercriminals.

The Threat of Info-Stealers

Over recent years, off-the-shelf info-stealer variants have become a pervasive and ubiquitous threat, targeting various operating systems to siphon sensitive information such as login credentials, cryptocurrency wallets, payment card data, and even screenshots.

These malware strains include Kematian Stealer, Neptune Stealer, 0bj3ctivity, Poseidon (formerly known as RodStealer), Satanstealer, and StrelaStealer.

Case Studies

One of the most compelling case studies involves the use of info-stealer logs to identify and apprehend CSAM offenders. In one instance, Operation Pacifier led by the FBI used data from the dark web, including info-stealer logs, to track down and arrest 900 individuals involved in CSAM. This operation also resulted in the rescue of 296 children. By analyzing the logs, investigators uncovered a network of offenders, leading to multiple arrests and the shutdown of several illegal websites. Another case highlighted the role of info-stealers in a large-scale phishing operation. The malware logs provided detailed information about the victims, including their banking credentials and personal data. This allowed authorities to not only catch the perpetrators but also to warn and assist the victims before further harm could occur. These case studies demonstrate the powerful potential of leveraging malware data to combat serious crimes. They also underscore the importance of cross-agency collaboration and the need for ongoing vigilance in the fight against cybercrime.

How Info-Stealers Operate

These malicious programs are distributed through various methods, including phishing emails, spam campaigns, cracked software, fake update websites, SEO poisoning, and malvertising. Data harvested by such programs often ends up on the dark web in the form of stealer logs, which are then bought by other cybercriminals to advance their schemes.

"Employees regularly save corporate credentials on personal devices or access personal resources on organizational devices, increasing the risk of infection," noted Flare in a report last July.

The Malware-as-a-Service Ecosystem

A complex ecosystem exists where malware-as-a-service (MaaS) vendors sell info-stealer malware on illicit Telegram channels. Threat actors distribute it through fake cracked software or phishing emails and then sell infected device logs on specialized dark web marketplaces. This ecosystem facilitates the proliferation of stolen data and supports various criminal activities.

Unmasking Criminals with Data

Recorded Future's Insikt Group identified 3,324 unique credentials used to access known CSAM domains between February 2021 and February 2024. This led to the unmasking of three individuals who maintained accounts at no fewer than four websites.

The inclusion of cryptocurrency wallet addresses in stealer logs means these logs can be used to determine if the addresses have been involved in procuring CSAM or other harmful materials. This data can provide critical leads for law enforcement agencies.

Geographic Distribution of CSAM Consumers

Countries like Brazil, India, and the U.S. had the highest number of users with credentials to known CSAM communities. However, this could be due to an "overrepresentation due to dataset sourcing," as noted by the report.

The Future of Info-Stealers

"Info-stealer malware and stolen credentials are expected to remain central to the cybercriminal economy due to the high demand from threat actors seeking initial access to targets," the report concluded. Findings have been shared with law enforcement to aid in ongoing investigations.

Using Info-Stealer Logs for Investigations

"Info-stealer logs can be leveraged by investigators and law enforcement partners to track child exploitation on the dark web and provide insight into a part of the dark web that is particularly difficult to trace," the report added. This approach highlights the potential for using cybercriminal data against them to combat serious crimes effectively.

Other Considerations

Using stolen data to combat crime raises several legal and ethical questions. On one hand, the information obtained from malware logs can provide critical leads for law enforcement and help bring offenders to justice. For example, the Electronic Frontier Foundation has discussed the balance between privacy rights and the need for surveillance in such cases. On the other hand, there are concerns about the legality of using data that was obtained illegally, even if the end goal is to prevent further crime. Legal frameworks vary by jurisdiction, and what is permissible in one country may be prohibited in another. Additionally, there are ethical considerations regarding privacy and the potential for misuse of the data. It is essential for law enforcement agencies and cybersecurity professionals to navigate these issues carefully. Developing clear guidelines and protocols can help ensure that the use of such data is both effective and ethical. Open dialogue with legal experts and ethicists can also provide valuable perspectives and help balance the need for security with respect for individual rights. For instance, in the Carpenter v. United States case, the Supreme Court ruled on the limitations of digital surveillance, highlighting the complexities involved.

Prevention and Mitigation

Preventing and mitigating the impact of info-stealers requires a multi-faceted approach. Individuals should practice good cybersecurity hygiene, such as using strong, unique passwords for each account and enabling two-factor authentication. According to Google's research, two-factor authentication can block up to 99.9% of automated attacks. Regularly updating software and avoiding suspicious links or downloads can also reduce the risk of infection. For organizations, implementing robust cybersecurity measures is crucial. This includes deploying advanced anti-malware solutions, conducting regular security audits, and providing ongoing training for employees. According to the Ponemon Institute, the average cost of a data breach in 2022 was $4.35 million, underscoring the importance of preventive measures. Additionally, companies should establish clear policies for handling sensitive information and ensure that these policies are consistently enforced. By taking these steps, both individuals and organizations can significantly reduce their vulnerability to info-stealers and other cyber threats.

Additional Resources for Newcomers

For those new to cybersecurity or the dark web, understanding these threats and how they operate is crucial. Here are some additional resources to explore: