Pierluigi Paganini
February 21, 2023
In January 2023, researchers at SEKOIA.IO discovered a new information stealer, dubbed Stealc, which was advertised in the dark web forums. The malware was developed by a threat actor that uses the moniker Plymouth who claims the info-stealer supports a wide set of stealing capabilities.
According to the experts, the development of Stealc relied on Vidar, Raccoon, Mars and Redline stealers.
In February the experts found several dozens of Stealc samples in the wild, they were showing similarities with Vidar and Raccoon.
SEKOIA identified more than 40 Stealc C2 servers, a circumstance that confirms the increasing popularity of the malware among cybercriminals distributing stealers.
Stealc is able to steal sensitive data from popular web browsers, browser extensions for cryptocurrency wallets, desktop cryptocurrency wallets and also information from other applications, such as email and messenger clients. Unlike other stealers, Stealc implements a customizable data collection configuration and supports a customisable file grabber.
Attackers can define a set of grabber rules to to steal specific files matching them.
Plymouth already released several versions of the infostealer malware and published changelogs on hacking forums, as well as on a dedicated Telegram channel.
The most recent variant observed by the experts is v1.3.0, released on February 11, 2023.
The following table reports the Stealc features as advertised by Plymouth and features implemented in the samples observed by SEKOIA.IO.
| Stealc features, as described by Plymouth on XSS | SEKOIA.IO observations based on samples of the new malware family |
| When developing our solution, we relied on Vidar, Raccoon, Mars and RedLine | Stealc, Vidar, Raccoon and Mars all download legitimate third-party DLLs (sqlite3.dll, nss3.dll, etc.), as the found sample. |
| Current build weight – 78kb | The standalone sample is approximately 80KB. |
| stealc was written in pure C using WinAPI | C written malware uses WinAPI functions. |
| all functions are dynamically loaded | Once the strings are deobfuscated, the malware loads the WinAPI functions using GetProcAddress and LoadLibraryA. |
| import table is taken by couple of imports from mscrt | The import address table imports 6 functions from MsvcrtDLL. |
| All lines of work are obfuscated. | All strings are obfuscated using RC4 and base64, except a few ones which are related to new features (update v1.1.2). |
| stealc does not generate an archive on the client side, each file to be collected is sent to the server in a separate request | The malware exfiltrates the collected data file by file and doesn’t wait to receive all configuration to collect and send data. |
| more than 23 supported browsers | Based on the configuration sent by the C2, the malware targets 22 browsers. |
| more than 70 web plugins | Based on the configuration sent by C2, Stealc targets 75 plugins. |
| more than 15 desktop wallets | Based on the configuration sent by C2, Stealc targets 25 wallets. |
| email clients | The sample collects data from Outlook files (\Outlook\accounts.txt), the configuration is stored in the obfuscated data. |
| added random name generation for script-gate (api.php), in stealc update v1.1.2 | The first samples communicated on /api.php and downloaded the DLLs from /libs/. Recent samples used random paths ([a-f0-9]{16}) for data exfiltration and DLL download. |
| recorded user-agents in the system_info.txt file, in stealc update v1.1.2 | The malware exfiltrates victim host’s user agents. |
| recorded ip and country in file system_info.txt, in stealc update v1.1.2 | IP address and country of the infected host (ISO) are exfiltrated to the C2. |
Once executed, the info-stealer deobfuscates all its RC4-encrypted and base64-encoded strings and performs anti-analysis checks to avoid being executed in a sandbox or a virtual environment.
“The malware dynamically loads the different WinAPI functions using LoadLibrary and GetProcAddress, and initiates the communication to its C2 server” reads the analysis published by the experts.
Stealc collects data from the victim’s browser, extensions, and applications, it also steals files matching its grabber rules if active. Then data are exfiltrated to the C2 and the malware removes itself and the downloaded DLL files from the compromised system.
Attackers use YouTube videos to distribute the malware. The videos provide instructions on how to install cracked software along with links to a download site. The victims are tricked into downloading malware-laced software from this site.
SEKOIA published indicators of compromise (IoCs) for this threat along with YARA and Suricata rules to detect the the information-stealer
“Stealc is another fully featured infostealer sold as a MaaS which emerged on underground forums in early 2023.” concludes the report. “However, we expect that the Stealc infostealer will become widespread in the near term, as multiple threat actors add the malware to their arsenal while it is poorly monitored. Companies facing stealer compromise need to be aware of this malware.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
