In a fascinating turn of events, a threat actor known by the online moniker ‘La_Citrix’ inadvertently exposed their real identity by infecting their own computer with an information stealer. This incident was brought to light by the Israeli threat intelligence company, Hudson Rock.
La_Citrix had been active on Russian-speaking cybercrime forums since 2020, offering access to hacked companies and info-stealer logs from active infections. The threat actor was known for hacking into organizations and compromising Citrix, VPN, and RDP servers to sell illicit access to them. However, in a twist of irony, the hacker was careless enough to infect their own computer with an information stealer and to sell access to the machine without noticing.
This mistake allowed Hudson Rock to explore the cybercriminal’s computer, which had been used to perpetrate intrusions at hundreds of companies. The computer contained employee credentials for almost 300 organizations, and its browser stored corporate credentials used to perform hacks. Further analysis of the threat actor’s computer also helped the cybersecurity firm discover their real identity and location.
Hudson Rock has stated that it will forward the uncovered evidence to the relevant law enforcement authorities. This incident serves as a reminder that even those who operate in the shadows of the cyber world are not immune to the very tools they use to exploit others.
Information stealers, the type of malware used by La_Citrix, are Trojans designed to gather information from a system. They are typically used to steal account passwords, cookies, credit card details, and crypto wallet data from infected systems. The stolen data, often referred to as ‘logs’, is then uploaded back to the threat actors. Some well-known information stealers include RedLine, Vidar, and Raccoon, which gather credentials from various sources on a computer system, including password managers and browsers.