As of now, the Stealc malware targets only Windows devices and steals data from browsers, cryptocurrency wallets, messengers, and email clients.
Cybersecurity researchers from Sekoia have released details of new information-stealing malware called Stealc, which has surfaced on several underground hacking forums and on the Dark Web.
According to the researchers, a threat actor using the alias “Plymouth” has developed the malware and is advertising it on the dark web. This malware is different in that it simultaneously steals data from its victims and from its customers. It is also being promoted on Telegram channels.
The threat actor stated that Stealc, currently at version 1.3.0, is fully featured, ready-to-use malware. It is not built from scratch but is based on other popular information-stealing malware such as Raccoon, Vidar, and RedLine Stealer. The malware is continually being upgraded; according to the researchers, it is tweaked every week. It was first spotted in January 2023.
How Does It Work?
After it is installed on the target’s PC, the malware starts an anti-analysis check to ensure it isn’t running on a sandbox or a virtual environment. It loads Windows API functions and establishes a connection with the C2 center. It sends the attacker’s hardware identifier and device build name, after which the malware receives commands.
According to Sekoia’s blog post, this is when the malware starts collecting data from browsers, extensions, and applications and executes its file grabber to exfiltrate the collected files to the C2 server. Once all the data has been stolen, Stealc erases itself and removes the DLL files it downloaded from the device to avoid detection.
Some of Stealc’s features include a C2 URL randomizer and an advanced log sorting and searching system. Moreover, the malware spares victims located in Ukraine, uses legitimate third-party DLLs, and abuses Windows API functions. It is written in C and exfiltrates data automatically, without requiring any intervention from the attacker.
The malware can target 75 plugins, 22 browsers, and 25 desktop wallets. Furthermore, it hides most of its strings using base64 and RC4.
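The base64-plus-RC4 string hiding described above is what an analyst has to peel back to read a sample’s configuration and build detections. The following Python is an added example, not code from Sekoia’s report or from the malware itself; it assumes the strings are base64-encoded after RC4 encryption, and the key and sample strings below are constructed for the illustration.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XOR with keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def obfuscate_string(key: bytes, plaintext: str) -> str:
    """Builds base64(RC4(plaintext)) blobs; used here only to construct sample data."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")

def recover_string(key: bytes, blob: str) -> str:
    """Analyst-side decoder: strip the base64 layer, then apply RC4 with the recovered key."""
    return rc4(key, base64.b64decode(blob, validate=True)).decode("utf-8")

def recover_all(key: bytes, blobs):
    """Try every candidate blob pulled from a sample and keep only those that
    decode cleanly to printable text; wrong keys or non-string blobs are skipped."""
    results = {}
    for blob in blobs:
        try:
            text = recover_string(key, blob)
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if text and text.isprintable():
            results[blob] = text
    return results

# Constructed sample data (hypothetical key and strings, not taken from any real sample).
SAMPLE_KEY = b"example-key-for-illustration"
SAMPLE_STRINGS = ["User Data", "Login Data", "wallet.dat"]
SAMPLE_BLOBS = [obfuscate_string(SAMPLE_KEY, s) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for blob, text in recover_all(SAMPLE_KEY, SAMPLE_BLOBS).items():
        print(f"{blob} -> {text}")
```

In practice the RC4 key is recovered from the sample (it must be present for the malware to decode its own strings), and the decoded strings become the basis for YARA rules or sandbox behaviour checks.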
Stealc is Popular among Cybercriminals
Apart from advertising it on the Dark Web, the threat actor also deploys the malware on target endpoints by creating fake YouTube tutorials about cracking software and offering links in the video description that deploy the info-stealer instead of the promised crack.
Researchers discovered over 40 C2 servers, leading them to conclude that Stealc is gaining traction quickly. Therefore, it is vital to make sure your security software is updated regularly and to avoid downloading and installing software from suspicious or unauthorized sources. Also, never open links or attachments from unknown sources.