| StealC | |
|---|---|
| Type of Malware | Information Stealer |
| Country of Origin | Russia |
| Targeted Countries | Global |
| Date of initial activity | 2023 |
| Associated Groups | OilRig, Transparent Tribe, Kasablanka, Storm Cloud |
| Motivation | Financial gain |
| Variants | Vidar |
| Tools | DLLs for Injection: sqlite3.dll, freebl3.dll, mozglue.dll, msvcp40.dll, nss3.dll, softokn3.dll, vcruntime140.dll |
| Attack Vectors | Phishing, Malvertising |
| Type of Information Stolen | Sensitive data from web browsers, browser extensions for cryptocurrency wallets, desktop cryptocurrency wallets, and information from additional applications, including email client and messenger software |
| Targeted Systems | Windows |
Overview
Stealc is a sophisticated information stealer that emerged in early 2023, quickly gaining prominence within the cybercrime ecosystem. Developed by a threat actor known as Plymouth, Stealc is designed to harvest a wide range of sensitive data from infected systems, including credentials, financial information, and other personal details. This malware draws on the technical foundations of several well-known infostealers, such as Vidar, Raccoon, Mars, and RedLine, incorporating and enhancing their capabilities to deliver a robust and versatile threat.
Stealc distinguishes itself with its advanced data collection and exfiltration techniques. It targets data from numerous web browsers, cryptocurrency wallets, and other applications, offering its operators a highly customizable and effective tool for cyber espionage. The malware’s administration panel provides a comprehensive interface for managing and analyzing stolen data, reflecting its developers’ emphasis on both functionality and user experience.
The malware’s deployment strategy, which includes advertising on various underground forums and offering free tests to potential customers, has contributed to its rapid adoption among cybercriminals. With its evolving features and adaptive Command and Control (C2) communications, Stealc represents a significant challenge for cybersecurity professionals seeking to counteract modern infostealers.
Targets
Windows users in multiple countries:
- United States
- United Kingdom
- Germany
- France
- Italy
- Spain
- Netherlands
- Canada
- Australia
- Brazil
- Mexico
- Russia
- India
- Japan
- South Korea
How they operate
Upon execution, Stealc operates by deploying a combination of dynamic link libraries (DLLs) and executable modules designed to facilitate data collection and exfiltration. The malware uses WinAPI functions extensively, resolving them at runtime through GetProcAddress and LoadLibraryA rather than importing them statically. This dynamic resolution hides the malware's true capabilities from a casual look at its import table and makes static analysis more challenging. For instance, functions from legitimate third-party libraries such as sqlite3.dll, nss3.dll, and mozglue.dll are employed to interact with browser data and other critical system components.
Stealc’s data collection capability is broad and highly targeted. It is engineered to extract sensitive information from a variety of sources, including popular web browsers, browser extensions related to cryptocurrency wallets, and desktop cryptocurrency wallet applications. The malware achieves this by utilizing a custom configuration file that dictates the exact nature of the data to be harvested. The configuration is dynamically received from the C2 server, allowing threat actors to tailor the malware’s data collection according to their needs.
The malware’s exfiltration strategy involves sending collected data in discrete HTTP/HTTPS requests, a method that enhances the stealth of the data transfer and reduces the risk of detection by security solutions. Stealc avoids bundling data, which could be flagged by network monitoring tools, and instead opts for a segmented approach where each piece of stolen data is transmitted independently. This technique not only minimizes detection risks but also ensures the integrity of data transmission.
Stealc’s C2 communications leverage HTTP/HTTPS protocols, employing randomized endpoints to further evade detection. The malware’s C2 infrastructure consists of multiple servers, providing redundancy and resilience against takedown attempts. Communication between the infected host and the C2 server is encrypted and obfuscated, typically using base64 encoding layered over RC4 encryption to protect transmitted data and configurations from casual inspection.
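The two paragraphs above describe a traffic shape rather than a signature: many small, independent POSTs from one client to one external host, each to a different path, inside a short window. The following script, added here as an illustration and not part of the original profile, flags that shape in a simplified proxy log. The log lines, thresholds, host 203.0.113.10 (a TEST-NET address) and path names are all constructed for this example.

```python
"""Detect the segmented-upload pattern: many small, independent POSTs from
one client to one external host, each with a different (randomised-looking)
URL path, inside a short time window. All log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp client method host path bytes_out
SAMPLE_LOG = """\
2023-06-01T10:00:01 10.0.0.5 POST 203.0.113.10 /a7f3c21b 1820
2023-06-01T10:00:03 10.0.0.5 POST 203.0.113.10 /9e0d44aa 2210
2023-06-01T10:00:04 10.0.0.5 POST 203.0.113.10 /c1b77e02 1536
2023-06-01T10:00:06 10.0.0.5 POST 203.0.113.10 /5d2f90cc 1990
2023-06-01T10:00:08 10.0.0.5 POST 203.0.113.10 /e3a1b6f7 2048
2023-06-01T10:00:09 10.0.0.5 POST 203.0.113.10 /71c0de55 1760
2023-06-01T10:01:00 10.0.0.7 POST updates.example.net /api/v1/check 512
2023-06-01T10:01:30 10.0.0.7 POST updates.example.net /api/v1/check 512
2023-06-01T10:02:00 10.0.0.9 GET cdn.example.org /js/app.js 0
"""


def parse_line(line):
    """Split one space-separated log line into a dict."""
    ts, client, method, host, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path, "bytes": int(size)}


def find_segmented_uploads(log_text, window=timedelta(seconds=60),
                           min_posts=5, min_distinct_ratio=0.8,
                           max_bytes=4096):
    """Return one finding per (client, host) pair whose densest window of
    small POSTs holds at least `min_posts` requests, most of them to
    distinct paths. The thresholds are tunable assumptions for this
    example, not values taken from the malware."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["bytes"] <= max_bytes:
            by_pair[(e["client"], e["host"])].append(e)

    findings = []
    for (client, host), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) < min_posts:
                continue
            distinct = len({e["path"] for e in chunk})
            if distinct / len(chunk) < min_distinct_ratio:
                continue
            if best is None or len(chunk) > best["posts"]:
                best = {"client": client, "host": host, "posts": len(chunk),
                        "distinct_paths": distinct,
                        "bytes_out": sum(e["bytes"] for e in chunk),
                        "first_seen": chunk[0]["ts"].isoformat()}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in find_segmented_uploads(SAMPLE_LOG):
        print(finding)
```

The heuristic deliberately ignores the host name, since the profile notes that C2 servers rotate and endpoints are randomized; it keys on the burst of small, distinct-path POSTs instead. Expect some noise from telemetry agents that post to unique URLs, so treat a hit as a lead to correlate with host evidence rather than as a verdict on its own.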
Persistence mechanisms are another key feature of Stealc. The malware achieves persistence through modifications to the Windows registry and startup folders. These alterations ensure that Stealc maintains its foothold on the infected system even after reboots or partial cleanups. Specifically, Stealc may create registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure its automatic execution during system startup.
In terms of obfuscation, Stealc employs a combination of string and code obfuscation techniques. Strings are RC4-encrypted and base64-encoded, and the code itself is obfuscated to conceal the malware’s operational logic. This multi-layered obfuscation strategy complicates reverse engineering efforts and enhances the malware’s ability to evade detection by traditional antivirus solutions.
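Because the obfuscation layers named above are base64 and RC4, an analyst who has recovered the key from the binary can strip them with a few lines of code. The helper below is an added example, not code from the original profile or from the malware; it writes out RC4 so there are no dependencies, and is checked against the standard RC4 test vectors. The key, the sample strings and the layering order (RC4 applied first, then base64 for transport) are assumptions for the example.

```python
"""Analyst helper for base64-over-RC4 obfuscated strings: decode base64,
run RC4 with the recovered key, and sanity-check that the result is
printable. Key and sample strings are constructed for this example."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the keystream over `data`.
    Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_blob(text: str, key: bytes) -> str:
    """Build a blob the way the obfuscator is assumed to: RC4, then base64."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def decode_blob(blob: str, key: bytes) -> str:
    """Reverse the layering: base64-decode, RC4, then decode as UTF-8.
    Undecodable bytes are replaced rather than raising, so a wrong key
    yields visible garbage instead of an exception."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


# Constructed stand-ins for blobs pulled out of a sample's string table.
ANALYSIS_KEY = b"example-key"   # placeholder for a key recovered during analysis
SAMPLE_BLOBS = [encode_blob(s, ANALYSIS_KEY) for s in (
    r"\Google\Chrome\User Data\Login Data",
    r"\Mozilla\Firefox\Profiles",
    "http://203.0.113.10/",      # constructed TEST-NET address, not a real C2
)]


def decode_samples(blobs=SAMPLE_BLOBS, key=ANALYSIS_KEY):
    """Decode every blob and pair it with a printability flag; a run of
    non-printable output is the quick sign that the key is wrong."""
    results = []
    for blob in blobs:
        text = decode_blob(blob, key)
        results.append((text, text.isprintable()))
    return results


if __name__ == "__main__":
    for text, ok in decode_samples():
        print("OK " if ok else "?? ", text)
```

In practice the base64 strings come straight from the sample's string table or from a decrypted configuration response, and the key is whatever the binary passes to its RC4 routine; the printability check is what tells you quickly whether that key is the right one.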
MITRE Tactics and Techniques
- T1071.001 – Application Layer Protocol: Web Protocols: Utilizes HTTP/HTTPS for C2 communications.
- T1047 – Windows Management Instrumentation: May leverage WMI for various functions.
- T1033 – System Owner/User Discovery: Gathers information about the system and user.
- T1115 – Clipboard Data: Can potentially access clipboard data if needed.
- T1567.002 – Exfiltration Over Web Service: Exfiltration Over Web Protocol: Uses web protocols to exfiltrate stolen data.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Might execute PowerShell commands or scripts.
- T1068 – Exploitation for Client Execution: May exploit vulnerabilities in client applications to execute.
- T1060 – Registry Run Keys / Startup Folder: Modifies registry or startup folders to maintain persistence.
- T1056.001 – Input Capture: Keylogging: Captures keystrokes to steal sensitive information.
- T1049 – System Network Connections Discovery: Identifies network connections and available resources.
Impact / Significant Attacks
Phishing Campaigns Targeting Financial Institutions (2023):
Overview: Stealc was used in phishing campaigns aimed at financial institutions, where it was distributed through malicious email attachments and links. The phishing emails were designed to appear as legitimate communications from trusted entities, tricking recipients into downloading and executing the malware.
Impact: These campaigns led to the exfiltration of sensitive banking credentials and financial data, resulting in substantial financial losses for targeted institutions and their clients.
Corporate Data Breaches (2023):
Overview: Stealc was deployed in targeted attacks against corporate networks, often as part of a broader attack vector that included social engineering and exploit kits. Once inside the network, the malware collected credentials, proprietary business information, and personal data from employees.
Impact: The stolen data was used for identity theft, corporate espionage, and subsequent ransomware attacks. Several companies reported significant disruptions and financial losses as a result of these breaches.
Cryptocurrency Theft (2023):
Overview: The malware targeted individuals and organizations involved in cryptocurrency trading and investment. It specifically focused on extracting data from cryptocurrency wallets and related browser extensions.
Impact: Victims suffered financial losses due to unauthorized access to their cryptocurrency wallets. The stolen funds were often moved to untraceable accounts, complicating recovery efforts.
Educational Sector Attacks (2023):
Overview: Educational institutions were targeted through malicious downloads and compromised educational platforms. Stealc extracted login credentials, research data, and personal information from students and faculty members.
Impact: These attacks led to privacy breaches and unauthorized access to sensitive academic and administrative information. The stolen data was used for various malicious purposes, including identity theft and unauthorized access to institutional resources.
Healthcare Data Breaches (2023):
Overview: Stealc was utilized in attacks against healthcare providers, where it harvested patient records, medical histories, and administrative data from compromised systems.
Impact: The exposure of sensitive healthcare information led to privacy violations and potential misuse of personal medical data. The breaches also resulted in financial penalties and reputational damage for the affected healthcare organizations.