Figure: available logs on Russian Market, June 2022 – February 2023
Russian Market is by far the biggest underground marketplace for infostealer logs, and it has ties to the now-defunct Amigos Marketplace. As of this publication, Russian Market offers over five million logs for sale, which is roughly ten times more than its nearest rival. Historically, the marketplace predominantly sold logs obtained through five infostealers:
Vidar primarily operates as an infostealer but has also been used to deploy ransomware. The malware was first observed in 2019 during a prolific malvertising campaign where threat actors used the Fallout exploit kit to distribute Vidar and GandCrab as secondary payloads. Vidar is sold on underground forums like Russian Market and Telegram channels for $130 USD per week. Vidar is available to any paying threat actor and the delivery method may include phishing emails or pirated software.
AZORult was once among the most prolific stealers. The last version update for AZORult was in December 2018, and the malware is no longer in active development. AZORult steals passwords, cookies, cryptowallets, and files. AZORult campaigns lure victims in with trojanized commercial software; the malvertising indicates AZORult is designed to target individuals rather than organizations.
Taurus was first observed in 2020 and was the fourth most prolific stealer on Russian Market up until recently. Taurus can steal VPN credentials, social media details, and cryptocurrency credentials; take screenshots of the victim's desktop; and exfiltrate the system's software installation and configuration information. Taurus is predominantly distributed via emails containing a malicious attachment.
The original Raccoon Stealer emerged in 2019 and operated under a malware-as-a-service (MaaS) model at a cost of $200 USD per month. Threat actors released a new version of the malware, Raccoon v2, in May 2022, which represents a significant rewrite of the malware. Raccoon developers continually alter elements of the malware to improve defense evasion, including changes to the User-Agents and mutexes, presumably to circumvent indicator-based detections.
RedLine emerged in March 2020, and its logs are the best seller on Russian Market. RedLine is sold standalone or as a subscription. As of March 2023, standalone copies (the "PRO" version) were advertised on Telegram for $900 USD, with subscriptions available for $150 per month.
To learn more, view The Growing Threat from Infostealers report.
*Note, as of February 2023, Taurus and AZORult have been removed from Russian Market.