Hackers Advertising New Info-Stealing Malware on Dark Web

Dubbed “Stealc” by researchers, the malware is also being promoted on several Russian-language hacker and cybercrime forums on the clear net, in addition to the dark web.
As of now, the Stealc malware targets only Windows devices and steals data from browsers, cryptocurrency wallets, messengers, and email clients.

Cybersecurity researchers from Sekoia have released details of a new information-stealing malware called Stealc, which has surfaced on several underground hacking forums and on the Dark Web.

According to researchers, a threat actor using the alias “Plymouth” has developed the malware and is advertising it on the dark web. This malware is different, as it simultaneously steals data from its victims and customers. It is also being promoted on Telegram channels.

The malware developer offering free samples of the malware on a Russian forum (Credit: Sekoia)

The threat actor stated that Stealc, currently at version 1.3.0, is fully featured and ready-to-use malware. It is not built from scratch but is based on other popular information-stealing malware such as Raccoon, Vidar, and Redline Stealer. The malware is continually being upgraded; according to the researchers, it is tweaked every week. It was first spotted in January 2023.

How Does It Work?

After it is installed on the target’s PC, the malware starts an anti-analysis check to ensure it isn’t running in a sandbox or a virtual environment. It loads Windows API functions and establishes a connection with the C2 center. It sends the attacker’s hardware identifier and device build name, after which the malware receives commands.

According to Sekoia’s blog post, this is when the malware starts collecting data from the browsers, extensions, and applications and executes its file grabber to exfiltrate all files to the C2 server. Once all the data is stolen, Stealc erases itself and removes the downloaded DLL files from the device to avoid detection.

Stealc Capabilities

Some of Stealc’s features include a C2 center URL randomizer and an advanced log sorting and searching system. Moreover, the malware spares victims from Ukraine, uses legitimate third-party DLLs, and abuses Windows API functions. It is written in C and automatically exfiltrates data without requiring any intervention from the attacker.

The malware can target 75 plugins, 22 browsers, and 25 desktop wallets. Furthermore, it can hide most of its strings using base64 and RC4.
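For analysts triaging a sample, the base64-plus-RC4 string hiding mentioned above can be reversed once the key has been recovered from the binary. The following is an added example, not code from Sekoia or from this article; it assumes each string is base64-decoded and then RC4-decrypted, and the key, the strings and the names `recover_strings` and `build_demo_blob` are constructed for illustration.

```python
import base64
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

# Runs of at least 8 base64 characters, with optional padding.
B64_RUN = re.compile(
    rb"(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def recover_strings(blob: bytes, key: bytes, min_len: int = 4) -> list[str]:
    """Base64-decode each candidate run, RC4-decrypt it, keep printable ASCII."""
    found = []
    for match in B64_RUN.finditer(blob):
        try:
            plain = rc4(key, base64.b64decode(match.group(), validate=True))
        except ValueError:  # not valid base64 after all
            continue
        if len(plain) >= min_len and all(32 <= b < 127 for b in plain):
            found.append(plain.decode("ascii"))
    return found

# Constructed sample data: key and strings are invented for this example.
DEMO_KEY = b"constructed-demo-key"
DEMO_STRINGS = ["kernel32.dll", "GetProcAddress", "sqlite3.dll"]

def build_demo_blob() -> bytes:
    """Mimic a data section: NUL-separated obfuscated strings plus plain text."""
    parts = [base64.b64encode(rc4(DEMO_KEY, s.encode())) for s in DEMO_STRINGS]
    return (b"\x00MZ\x90\x00" + b"\x00\x00".join(parts)
            + b"\x00This program cannot be run in DOS mode\x00")

if __name__ == "__main__":
    for text in recover_strings(build_demo_blob(), DEMO_KEY):
        print(text)
```

The printable-ASCII filter is what separates real hits from noise: a wrong key or an unrelated base64-looking run almost always decrypts to non-printable bytes and is dropped.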

Apart from advertising it on the Dark Web, the threat actor also deploys the malware on target endpoints by creating fake YouTube tutorials about cracking software, or by offering links in the description that deploy the info-stealer instead of the offered crack.

Researchers discovered over 40 C2 servers, leading them to conclude that Stealc is gaining traction quickly. Therefore, it is vital to make sure your security software is updated regularly and to avoid downloading and installing software from suspicious or unauthorized sources. Also, never open links or attachments from unknown sources.
