Consider this the end of a series that lasted a few weeks. I tried to contact almost everyone related to the infostealer ecosystem, that I find relevant and interesting based on my thoughts. I hope this series helps people understand better what is happening on the malware threat landscape.
Everyone was “approached” the same way, and was asked common and personalized questions:
Hello
I am an independent amateur researcher interested in information thieves.
I saw that you are the owner of <XXX>, and if you agree, I would like to do a short interview with you about this.
I want to know about the product you offer
These people were contacted on Telegram or Jabber.
Some people required further talks in order to accept the interview, or an “administration approval” (on projects where more than one person is involved).
Of course not everybody wanted to talk, so I didn’t forget them, they just refused me.
Here is what the guys who refused to talk with me said/made:
And blocked me instantly
Hello. To be honest, we are not interested. Judging by your interviews, all these developers are trying to present themselves as the “best”, when in fact, if you try to use them, their products are quite sad. Their customers leave, they complain to us about their product. Therefore, they need at least some publicity in order for people to know about them. We don’t need this. Good luck! Contact me if you need a great product =)
have a nice day, gl
After showing him the other interviews, he said “glad for them”.
Dark Crystal RAT
I got blocked very hard by him after showing him “proofs” that relate PrivateLoader to their installs service. Maybe I got a little bit too excited with him.
I am upset with the Redline Team.
I’ll tell the chief admin, he’ll come back and take a look.
The support guy asked for an administration approval, then silence for days. The next day, when I asked for a reply, he said:
I still don’t understand what this means. I waited for 10 days for a real reply, and he said:
We don’t want to give interviews
Thank you for replying, but you were ignoring my messages all these days.
I talked a bit with them, and they didn’t refuse me, but I ran into some technical issues when it came to finally interviewing them, so I gave up. My fault.
They never accepted the TOX friend request.
I feel sorry about him: he was interviewed, but he replied with a hilarious lack of effort, and I didn’t feel like publishing it as the last interview. If you ever read this, thank you Mystic.
What is Mystic? a good stealer
Do you have anything to say to the “information security experts” who are trying to track down Mystic? Everything works out well for them without it 🙂 so I don’t have much advice for them
This guy agreed to talk, and I sent him the questions for the interview, as he requested… He never replied back.
If I didn’t contact anyone else, it is because I found them not relevant in the stealers market, or I forgot about them for that reason. Maybe I also couldn’t get a real contact method for them. I could have gone further, but I stopped at this point. There will be no more interviews.
Let’s do a brief summary of the interviewees responses to the common questions: (Click on the name to go to the full interview.)
Note that Amadey is not a stealer but a loader, and is very related to this ecosystem; it would have been great if a similar product had agreed to talk, like Smoke Loader.
How would you describe <Your product>?
Everyone else (except Meta) said his product was the best available on the market or a perfect product… That’s what I expected from a vendor about his own product.
Indeed, the best description is a malware that steals passwords and other stored data from your computer.
What makes <Your product> different from other products?
Lumma, Raccoon, Meduza and Vidar focused on the great support, because, as Vidar says, “the functionality is the same for everyone”. I would like to highlight what Meta says about stolen logs from customers: I’ve seen rumors of these claims on both Vidar and Raccoon. Vidar was asked about it after his interview:
Also Amadey, who still claims his product is the best on the market.
When did the <Your product> project start?
I set up a timeline:
Amadey — October 8th, 2018
Vidar — November 19th, 2018
Meta — 2021
Raccoon — May, 2022
StealC — Summer 2022
Lumma — December 21st, 2022
Meduza — June 12th, 2023
How many people have tried <Your product>? Approximately
Amadey — “Quite a lot”, not disclosed but less than a thousand
Vidar — Not disclosed
Meta — 100 to 150
Raccoon — Around 4000
StealC — Several hundred now, 40 in beta testing
Lumma — 400 active clients
Meduza — Not disclosed
Does <Your product> allow working on CIS countries? What is your opinion of people working on Russians with other products?
From the above 7, only Meta (although they don’t encourage fraud among the poor) allows getting logs from the CIS countries, or at least from some of them.
The reality is that stealers are a big problem that is leading to huge financial losses, as well as a huge threat to privacy and security around the globe. Nobody is safe.
How do you see the market, is now a good time to work?
There is an overall opinion on the infostealers market: it has huge popularity (says Meta) and has drawn a lot of newcomers who are “amateurs” and don’t know how to work at all (says StealC). It is also bringing too much attention to the malware projects (says Raccoon). All in all, there is still a huge demand and, unfortunately, the market will keep growing in the next years (says Lumma).
What would you say to those “information security experts” who are trying to track <Your Product>?
Remember what these guys said to us:
“If you want — a weapon in some sense.
But by itself, it is harmless and is used by many system administrators completely legally and voluntarily.
Then Mikhail Kalashnikov must be recognized as an outlaw, because he invented something that killed thousands of people — the Kalashnikov assault rifle.”
“We would like to say that there is no need to hold a grudge against us. We think that our data is already known to such structures as the CIA, FBI and other structures, just as we know their data, because they also launch our product, sometimes completely by accident! 🙂
Everyone does their job”
There are much more dangerous people in the world than we are. Lone hackers and APT groups capable of organizing a nuclear catastrophe or logistical collapses. Moreover, their goals are very pragmatic.
Don’t look for us. It is better to devote more time to studying and suppressing those who, at the push of a button, can paralyze a nuclear reactor or a medical bay during a patient’s operation.
He skipped this question. The closest we can get to an answer from him is his remark elsewhere in the interview: “this hype is not justified, too much attention is bad”.
We can wish you good luck, and finally understand that viruses are almost always “encrypted” in the wild, and if you come across a StealC sample weighing 5 megabytes, this does not mean that in the original it weighs 5 megabytes) Various anti-emulation techniques that are used by cryptors are often attributed to our and other software, although this is incorrect on their part.
I say hello to them. I don’t mind being tracked. On the contrary, this gives popularity to Lumma.
Interesting question, I’d probably want to advise them not to miss the little things, the little things make up the whole picture
Don’t forget to check every one of the interviews to read everything about the past, present, and future of the stealer projects interviewed: