# Detecting and Fingerprinting Infostealer Malware-as-a- Service platforms **[blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html](https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html)** BushidoToken Cyber threat intelligence largely involves the tracking and studying of the adversaries outside of your network. Gaining counterintelligence about your adversaries' capabilities and weaponry is one of the final building blocks for managing a strong cyber defense. In the pursuit of performing this duty, I have been studying how to discover adversary infrastructure on the internet. One good way of doing this has been via leveraging the scan data available through the popular Shodan search engine. If you've not used it before, Shodan periodically scans the entire internet and makes it available for users to query through. It is often used to monitor networks, look for vulnerabilities, and ensure the security of an organization's perimeter. But we can also use Shodan for tracking the adversaries. Through the process of fingerprinting - that is to identify unique attributes of IPs on the internet - we can find command and control (C2) servers and login panels belonging to cybercriminals online. ----- Through this process, I was able to identify dozens of infostealer control panel login pages, as well as three infostealer malware families, called Titan Stealer, Patriot Stealer, and Raxnet Stealer, that have not yet been reported elsewhere online (as far as I could tell). It all started by [searching http.html:"stealer" in Shodan. This revealed several login pages](https://www.shodan.io/search?query=http.html%3A%22stealer%22) [for known and unknown infostealer malware. I have since created a page on my GitHub repo](https://github.com/BushidoUK/OSINT-SearchOperators/blob/main/ShodanAdversaryInfa.md) to share some Shodan dorks that help reveal adversary infrastructure. **Misha, Collector, and Titan Stealer** The above Shodan dork revealed dozens of IPs, which if investigated were found to be login panels for infostealer malware families. Misha Stealer and Collector Stealer are two semi well-known malware families. The "Titan Stealer" panel appears to be new with apparently no references online, vendor reports, or social media mentions by other researchers. Looks like one we should track in my books. **Grand Misha (aka Misha Stealer)** Shodan Dork ----- http.title: misha http.component: UIKit URLscan Query https://urlscan.io/search/#filename:%22misha.css%22 https://urlscan.io/search/#task.tags:%22misha%22 **Collector Stealer** Shodan Dork http.html:"Collector Stealer" http.html:"getmineteam" URLscan Query https://urlscan.io/search/#task.tags:%22collector%22 **Titan Stealer** Shodan Dork http.html:"Titan Stealer" URLscan Query https://urlscan.io/result/daca0fcd-bbc9-48c8-810d-89fee466b639 **Patriot Stealer** The same Shodan Dork http.html:"stealer" also revealed an unreported and new Malwareas-a-Service (MaaS) platform marketing itself as "Patriot Stealer". The paid version of the infostealer malware is reportedly capable of stealing "passwords, cookies, Autofilldata, Telegram session, Persistence" and if you want to buy it you should speak to "@kastr3" on Telegram. Interestingly, the malware leverages Discord webhooks to report to the operator when a victim has been infected and data has successfully been stolen. From the Discord language setting in the screenshot on the website and from the description of the group's Telegram channel it appears the developer(s) of the Patriot Stealer are Spanish-speaking threat actors. ----- **Patriot Stealer** Shodan Dork http.favicon.hash:274603478 http.html:"patriotstealer" URLscan Query https://urlscan.io/result/43a51776-e283-4522-ab29-ea5c7efc174a/ Telegram Channel hxxps://t.me/patriotstealer ----- **RAXNET Bitcoin Stealer** Again, the trusty Shodan Dork http.html:"stealer" uncovered another new and unreported infostealer malware called "RAXNET Bitcoin Stealer" that targets cryptocurrency users by replacing destination wallet addresses with the cybercriminal's own wallet addresses. The main features of this Malware-as-a-Service (MaaS) allegedly includes "Fully Undetectable, AV-bypass, Private Key Stealer, Online Logs Panel" and has several pricing models from $80 to $150, including "similarity mode" and the "builder" of the malware. The MaaS operators also offer "spreading methods" for $75. Other notable services related to this MaaS were "resell rights", "full video tutorials", "24/7 support", and a "refund policy." **RAXNET Bitcoin Stealer** Shodan Dork http.favicon.hash:-1236243965 URLscan Query https://urlscan.io/result/c4f7f543-46f5-4051-b3cb-3699d4b99c5c/ Domain cryptohax[.]net Telegram @PureTX (hxxps://t.me/PureTX) E-mail punity@protonmail.com ----- YouTube https://www.youtube.com/@bitstorm101 (Joined 17 Nov 2022) https://www.youtube.com/@punxi49 (Joined 21 Jun 2020) https://www.youtube.com/watch?v=oNGIubac9sk (video tutorial) https://www.youtube.com/watch?v=D9iT4VJev28 (video tutorial) ----- **Analysis** The cybercriminal underground continues to evolve, and Malware-as-a-Service (MaaS) offerings have been a significant contributing factor for an increase in cybercrime. Aspiring cybercriminals no longer require the technical skills to perform such attacks, but as little as ----- $150 dollars to run a malware campaign with a multi-featured cybercrime tool allegedly with "24/7 support" from English- and Spanish-speaking malware developers as part of the as-aService business model. This research also highlights that the infrastructure of cybercriminals often includes several common denominators, such as email addresses and Telegram channels to communicate with customers, websites and YouTube channels to advertise products, as well as cryptocurrency wallets to receive payments. Stealing credentials on a wide scale can be useful for a plethora of attacks. The threat actor who actually stole the credentials is also not always going to be the one who leverages them. [This is due to the growing popularity of selling stolen credentials on cybercrime forums and](https://blog.bushidotoken.net/2022/08/analysis-of-emerging-darth-maul-ecrime.html) marketplaces. ## Lessons from the Conti Leaks Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022 Gamer Cheater Hacker Spy -----