The proof of concept was carried out by collecting approximately 4Tb of logs extracted from infostealer malware such as RedLine, Raccoon and others. This data was parsed to identify .onion sites, after which we analyzed all the files and credentials extracted from the devices that had accessed those sites and from which credentials had been collected. The final result of this analysis shows that it was sometimes possible to identify the legitimate profiles of threat actors on social networks, government sites, financial institutions, among others. The set of exfiltrated files, together with the information extracted from the infected device, can serve as input for validating evidence in a computer forensic investigation. The logs were all obtained from public channels and groups on WhatsApp, Telegram, forums, among others. We did not produce any malicious artifact, nor did we infect any devices. We therefore conclude that even though threat actors use OPSEC methods, they are susceptible to the same technological and procedural threats as everyone else, such as the lack of 2FA on the platforms they use.
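The parsing step described above, as an added example that is not part of the original talk or the authors' tooling: it normalizes credential records into a device-to-URL mapping, recognizes syntactically valid v2 (16 base32 characters) and v3 (56 base32 characters) .onion hostnames while rejecting look-alikes such as `x.onion.example.com`, and then lists the clearnet services seen on the same device, which is the pivot an analyst or forensic examiner would use to corroborate an identity. The tab-separated record layout, device identifiers and all URLs are constructed for the example and do not reflect any stealer family's native log format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export, one credential record per line in the assumed
# shape "<device_id>\t<url>\t<username>". The device ids and URLs are made up.
SAMPLE_RECORDS = """\
dev-001\thttp://expyuzz4wqqyqhjn.onion/login\talice
dev-001\thttps://mail.example.com/\talice@example.com
dev-002\thttp://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/account\tbob
dev-002\thttp://notanonion.onion.example.com/\tbob
dev-003\thttp://ShortOnes.onion/\tcarol
"""

# Tor onion service addresses are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
_V2_LABEL = re.compile(r"[a-z2-7]{16}")
_V3_LABEL = re.compile(r"[a-z2-7]{56}")


def onion_host(url):
    """Return (hostname, version) if the URL points at a well-formed onion service, else None."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    # The TLD must be exactly "onion"; "foo.onion.example.com" is a clearnet host.
    if len(labels) < 2 or labels[-1] != "onion":
        return None
    service = labels[-2]  # subdomains of an onion service are allowed; the service label is next to the TLD
    if _V3_LABEL.fullmatch(service):
        return service + ".onion", "v3"
    if _V2_LABEL.fullmatch(service):
        return service + ".onion", "v2"
    return None  # ends in .onion but is not a valid service address


def parse_records(text):
    """Parse the constructed tab-separated export into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, url, user = line.split("\t")
        records.append({"device": device, "url": url, "user": user})
    return records


def onion_access_by_device(records):
    """Map each device id to the set of onion services it had credentials for."""
    seen = defaultdict(set)
    for rec in records:
        match = onion_host(rec["url"])
        if match:
            seen[rec["device"]].add(match[0])
    return dict(seen)


def clearnet_hosts_for_onion_devices(records):
    """For every device that touched an onion service, list the clearnet hosts
    seen on the same device. Those are the candidate pivots for validating an
    identity in a forensic investigation."""
    onion_devices = onion_access_by_device(records)
    pivots = {}
    for device in onion_devices:
        hosts = set()
        for rec in records:
            if rec["device"] != device or onion_host(rec["url"]):
                continue
            host = (urlsplit(rec["url"]).hostname or "").lower()
            if host:
                hosts.add(host)
        pivots[device] = sorted(hosts)
    return pivots


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for device, onions in onion_access_by_device(recs).items():
        print(device, "->", sorted(onions))
    print(clearnet_hosts_for_onion_devices(recs))
```

The validity check matters more than it looks: stealer logs contain a lot of noise, and counting every string ending in `.onion` as a Tor access would inflate the device set that is subsequently subjected to manual review.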
Thiago Bordini, Head of Cyber Threat Intelligence at Axur, is an executive with more than 20 years of experience in the cyber intelligence market, working on the analysis and prevention of cyber threats and fraud and on the dissemination of educational content on the subject to professionals and companies. He is a technical coordinator and postgraduate professor at IDESP.
Speaker at several national and international events such as YSTS, EkoParty, H2HC, Security BSides Las Vegas, SANS, HTCIA, CoronaCon, 8.8 Andina and Brazil, among others.
Member of the Security BSides Sao Paulo/Brazil organization.