Stealc, New Information Stealer Malware Emerges on Dark Web

by | Feb 21, 2023 | News

Post Views: 856

Premium Content

Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

A new information stealer called Stealc has emerged on the dark web gaining traction due to aggressive promotion of stealing capabilities and similarities with malware of the same kind like Vidar, Raccoon, Mars, and Redline.

Security researchers at cyber threat intelligence company SEKOIA spotted the new strain in January and noticed it started to gain tractionin early February.

New stealer for sale

Stealc has been advertised on hacking forums by a user called “Plymouth,” who presented the malware as a piece of malware with extensive data-stealing capabilities and an easy-to-use administration panel.

**First forum post promoting Stealc online** *(SEKOIA)*

According to the advertiser, apart from the typical targeting of web browser data, extensions, and cryptocurrency wallets, Stealc also has a customizable file grabber that can be set to target whatever file types the operator wishes to steal.

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

Similarities Vidar and Raccoon info stealers.

After the initial post, Plymouth started to promote the malware on other hacking forums and on private Telegram channels, offering test samples to potential customers.

The seller also set up a Telegram channel dedicated to publishing Stealc’s new version changelogs, the most recent being v1.3.0, released on February 11, 2023. The malware is actively developed, and a new version appears on the channel every week.

Plymouth also said that Stealc was not developed from scratch but instead relied on Vidar, Raccoon, Mars and Redline stealers.

One commonality the researchers found between Stealc and Vidar, Raccoon and Mars infostealers is that they all download legitimate third-party DLLs (e.g. sqlite3.dll, nss3.dll) to help with pilfering sensitive data.

In a report today, SEKOIA researchers note that the command and control (C2) communications of one of the samples they analyzed shared similarities to those of Vidar and Raccoon info stealers.

The researchers discovered more than 40 C2 servers for Stealc and several dozens of samples in the wild, indicating that the new malware has attracted the interest of the cybercriminal community.

This popularity may be accounted by the fact that customers with access to the administration panel can generate new stealer samples, which increase the chances of the malware leaking to a broader audience.

Despite the poor business model, SEKOIA believes that Stealc represents a significant threat as it could be adopted by less technical cybercriminals.

Trending: Exploiting LFI Vulnerabilities

Stealc’s functions

Stealc has added new features since its first release in January, including a system to randomize C2 URLs, a better logs (stolen files) searching and sorting system, and an exclusion for victims in Ukraine.

**Malware development milestones** *(SEKOIA)*

The features that SEKOIA could verify by analyzing the captured sample are the following:

Lightweight build of only 80KB
Use of legitimate third-party DLLs
Written in C and abusing Windows API functions
Most strings are obfuscated with RC4 and base64
The malware exfiltrates stolen data automatically
It targets 22 web browsers, 75 plugins, and 25 desktop wallets

SEKOIA’s curent report does not include all the data obtained from reverse engineering Stealc but provides an overview of the main steps of its execution.

When deployed, the malware deobfuscates its strings and performs anti-analysis checks to ensure it doesn’t run in a virtual environment or sandbox.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Full post