
StealC (Information Stealer) – Malware

June 19, 2024

StealC

Type of Malware

Information Stealer

Country of Origin

Russia

Targeted Countries

Global

Date of initial activity

2023

Associated Groups

OilRig, Transparent Tribe, Kasablanka, Storm Cloud

Motivation

Financial gain

Variants

Vidar
Raccoon
Mars
RedLine

Tools

DLLs for Injection: sqlite3.dll, freebl3.dll, mozglue.dll, msvcp40.dll, nss3.dll, softokn3.dll, vcruntime140.dll.
Command and Control (C2) Servers: Various C2 servers used for communication and data exfiltration.
Obfuscation Techniques: RC4 and base64 encoding for code obfuscation.
Data Exfiltration Endpoints: Customizable paths and endpoints for data transfer, such as /api.php and random paths for newer updates.

Attack Vectors

Phishing, Malvertising

Type of Information Stolen

Sensitive data from web browsers, browser extensions for cryptocurrency wallets, desktop cryptocurrency wallets, and information from additional applications, including email clients and messenger software.

Targeted Systems

Windows

Overview

Stealc is a sophisticated information stealer that emerged in early 2023, quickly gaining prominence within the cybercrime ecosystem. Developed by a threat actor known as Plymouth, Stealc is designed to harvest a wide range of sensitive data from infected systems, including credentials, financial information, and other personal details. This malware draws on the technical foundations of several well-known infostealers, such as Vidar, Raccoon, Mars, and RedLine, incorporating and enhancing their capabilities to deliver a robust and versatile threat.

Stealc distinguishes itself with its advanced data collection and exfiltration techniques. It targets data from numerous web browsers, cryptocurrency wallets, and other applications, offering its operators a highly customizable and effective tool for cyber espionage. The malware’s administration panel provides a comprehensive interface for managing and analyzing stolen data, reflecting its developers’ emphasis on both functionality and user experience. The malware’s deployment strategy, which includes advertising on various underground forums and offering free tests to potential customers, has contributed to its rapid adoption among cybercriminals. With its evolving features and adaptive Command and Control (C2) communications, Stealc represents a significant challenge for cybersecurity professionals seeking to counteract modern infostealers.

Targets

Windows users in multiple countries:
  • United States
  • United Kingdom
  • Germany
  • France
  • Italy
  • Spain
  • Netherlands
  • Canada
  • Australia
  • Brazil
  • Mexico
  • Russia
  • India
  • Japan
  • South Korea

How they operate

Upon execution, Stealc operates by deploying a combination of dynamic link libraries (DLLs) and executable modules designed to facilitate data collection and exfiltration. The malware utilizes WinAPI functions extensively, loading these functions dynamically at runtime through GetProcAddress and LoadLibraryA. This dynamic loading obfuscates the malware’s true nature and makes static analysis more challenging. For instance, functions from standard libraries such as sqlite3.dll, nss3.dll, and mozglue.dll are employed to interact with browser data and other critical system components.

Stealc’s data collection capability is broad and highly targeted. It is engineered to extract sensitive information from a variety of sources, including popular web browsers, browser extensions related to cryptocurrency wallets, and desktop cryptocurrency wallet applications. The malware achieves this by utilizing a custom configuration file that dictates the exact nature of the data to be harvested. The configuration is dynamically received from the C2 server, allowing threat actors to tailor the malware’s data collection according to their needs.

The malware’s exfiltration strategy involves sending collected data in discrete HTTP/HTTPS requests, a method that enhances the stealth of the data transfer and reduces the risk of detection by security solutions. Stealc avoids bundling data, which could be flagged by network monitoring tools, and instead opts for a segmented approach where each piece of stolen data is transmitted independently. This technique not only minimizes detection risks but also ensures the integrity of data transmission. Stealc’s C2 communications leverage HTTP/HTTPS protocols, employing randomized endpoints to further evade detection. The malware’s C2 infrastructure consists of multiple servers, providing redundancy and resilience against takedown attempts.
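The segmented exfiltration described above leaves a network signature of its own: a burst of small POSTs from one client to one external host rather than a single large upload. The following detection logic is an added example written for this write-up, not code from the original article or from any vendor; the proxy log format and the sample lines are constructed, and the /api.php path is reported but deliberately not matched on, since the article notes newer builds randomize it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic), assumed format:
# "<ISO timestamp> <client ip> <method> <url> <request body bytes>"
SAMPLE_LOG = """\
2024-06-19T10:00:01 10.0.0.5 POST http://203.0.113.10/api.php 4120
2024-06-19T10:00:02 10.0.0.5 POST http://203.0.113.10/api.php 9770
2024-06-19T10:00:02 10.0.0.5 POST http://203.0.113.10/api.php 1530
2024-06-19T10:00:03 10.0.0.5 POST http://203.0.113.10/api.php 22010
2024-06-19T10:00:05 10.0.0.5 POST http://203.0.113.10/api.php 3305
2024-06-19T10:00:06 10.0.0.5 POST http://203.0.113.10/api.php 810
2024-06-19T10:00:09 10.0.0.7 GET http://example.com/index.html 0
2024-06-19T10:00:10 10.0.0.7 POST https://mail.example.com/api.php 900
2024-06-19T10:03:00 10.0.0.5 POST http://203.0.113.10/api.php 600
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_events(log_text):
    """Yield (time, client, method, host, path, bytes) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, url, size = m.groups()
            u = urlsplit(url)
            yield datetime.fromisoformat(ts), src, method, u.netloc, u.path, int(size)

def find_segmented_uploads(log_text, window=timedelta(seconds=60), min_posts=5):
    """Flag (client, host) pairs with >= min_posts POSTs inside any sliding window.
    Each stolen artefact goes out in its own request instead of one archive, so the
    signal is a burst of POSTs to one host; paths are reported, not matched on."""
    posts = defaultdict(list)
    for ts, src, method, host, path, _ in parse_events(log_text):
        if method == "POST":
            posts[(src, host)].append((ts, path))
    hits = []
    for (src, host), reqs in posts.items():
        reqs.sort()
        best = start = 0
        for end, (ts, _) in enumerate(reqs):
            while ts - reqs[start][0] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= min_posts:
            hits.append((src, host, best, sorted({p for _, p in reqs})))
    return hits
```

In production the host list would be filtered against known-good SaaS and update endpoints before alerting, since legitimate clients also batch small POSTs.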
Communication between the infected host and C2 server is encrypted and obfuscated, often using base64 and RC4 encryption algorithms to protect the integrity of transmitted data and configurations.

Persistence mechanisms are another key feature of Stealc. The malware achieves persistence through modifications to the Windows registry and startup folders. These alterations ensure that Stealc maintains its foothold on the infected system even after reboots or partial cleanups. Specifically, Stealc may create registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure its automatic execution during system startup.

In terms of obfuscation, Stealc employs a combination of string and code obfuscation techniques. Strings are encoded using RC4 and base64, and code is obfuscated to conceal the malware’s operational logic. This multi-layered obfuscation strategy complicates reverse engineering efforts and enhances the malware’s ability to evade detection by traditional antivirus solutions.
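Because the string obfuscation is RC4 under a layer of base64, an analyst who has recovered the RC4 key from a sample can rebuild the string table and see which APIs, DLLs and C2 paths the binary resolves. The decoder below is an added example for this write-up, not code from the original article or from the malware; the key and the string table are constructed, and the blobs are produced in the block itself rather than taken from a real sample.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The keystream is XORed in, so one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_string(key: bytes, blob: str) -> str:
    """Undo the layering the write-up describes: base64 on the outside, RC4 underneath."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")

def encode_string(key: bytes, text: str) -> str:
    """Apply the same layering; used here only to build the constructed sample below."""
    return base64.b64encode(rc4(key, text.encode())).decode("ascii")

def decode_all(key: bytes, blobs) -> list:
    """Decode every blob of a string table with one key, preserving order."""
    return [decode_string(key, b) for b in blobs]

# Constructed sample: a made-up key and a short string table of the kind an analyst
# pulls from a binary (APIs resolved via GetProcAddress, DLL names, a C2 path, a Run key).
SAMPLE_KEY = b"examplekey123"
SAMPLE_PLAINTEXTS = ["GetProcAddress", "LoadLibraryA", "sqlite3.dll", "nss3.dll", "/api.php",
                     r"Software\Microsoft\Windows\CurrentVersion\Run"]
SAMPLE_BLOBS = [encode_string(SAMPLE_KEY, t) for t in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, decode_all(SAMPLE_KEY, SAMPLE_BLOBS)):
        print(f"{blob}  ->  {text}")
```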

MITRE Tactics and Techniques

  • T1071.001 – Application Layer Protocol: Web Protocols: Utilizes HTTP/HTTPS for C2 communications.
  • T1047 – Windows Management Instrumentation: May leverage WMI for various functions.
  • T1033 – System Owner/User Discovery: Gathers information about the system and user.
  • T1115 – Clipboard Data: Can potentially access clipboard data if needed.
  • T1567.002 – Exfiltration Over Web Service: Exfiltration Over Web Protocol: Uses web protocols to exfiltrate stolen data.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: Might execute PowerShell commands or scripts.
  • T1068 – Exploitation for Client Execution: May exploit vulnerabilities in client applications to execute.
  • T1060 – Registry Run Keys / Startup Folder: Modifies registry or startup folders to maintain persistence.
  • T1056.001 – Input Capture: Keylogging: Captures keystrokes to steal sensitive information.
  • T1049 – System Network Connections Discovery: Identifies network connections and available resources.

Impact / Significant Attacks

Phishing Campaigns Targeting Financial Institutions (2023)

Overview: Stealc was used in phishing campaigns aimed at financial institutions, where it was distributed through malicious email attachments and links. The phishing emails were designed to appear as legitimate communications from trusted entities, tricking recipients into downloading and executing the malware.
Impact: These campaigns led to the exfiltration of sensitive banking credentials and financial data, resulting in substantial financial losses for targeted institutions and their clients.

Corporate Data Breaches (2023)

Overview: Stealc was deployed in targeted attacks against corporate networks, often as part of a broader attack vector that included social engineering and exploit kits. Once inside the network, the malware collected credentials, proprietary business information, and personal data from employees.
Impact: The stolen data was used for identity theft, corporate espionage, and subsequent ransomware attacks. Several companies reported significant disruptions and financial losses as a result of these breaches.

Cryptocurrency Theft (2023)

Overview: The malware targeted individuals and organizations involved in cryptocurrency trading and investment. It specifically focused on extracting data from cryptocurrency wallets and related browser extensions.
Impact: Victims suffered financial losses due to unauthorized access to their cryptocurrency wallets. The stolen funds were often moved to untraceable accounts, complicating recovery efforts.

Educational Sector Attacks (2023)

Overview: Educational institutions were targeted through malicious downloads and compromised educational platforms. Stealc extracted login credentials, research data, and personal information from students and faculty members.
Impact: These attacks led to privacy breaches and unauthorized access to sensitive academic and administrative information. The stolen data was used for various malicious purposes, including identity theft and unauthorized access to institutional resources.

Healthcare Data Breaches (2023)

Overview: Stealc was utilized in attacks against healthcare providers, where it harvested patient records, medical histories, and administrative data from compromised systems.
Impact: The exposure of sensitive healthcare information led to privacy violations and potential misuse of personal medical data. The breaches also resulted in financial penalties and reputational damage for the affected healthcare organizations.