A user called “Plymouth” has been actively advertising a new stealer malware, “Stealc,” on several hacking platforms. Information from security researchers at SEKOIA prompted the discovery of this malware in January before its massive gain of attention in February, especially on the dark web due to the relentless advertisement of its stealing capability by Plymouth and similarity with other stealing malware such as Vidar, Mars, Redline, and Raccoon.
Plymouth advertised the malware to ultimately be able to grab any file type using its customizable file grabber, penetrate cryptocurrency wallets, and extract data from web browsers and extensions.
In line with some of the information divulged by Plymouth about Stealc, researchers at SEKOIA have identified some similarities between command and controls (C2) communications of Stealc, Vidar, and Racoon information stealers after analyzing one of the multiple C2 servers and samples found in circulation. Researchers also discovered that the developer improves the malware by releasing weekly updates. V1.3.0 is the current version.
Further results from sample analysis revealed more about the malware setup and functionality. It is written in C language and abuses Windows API functions. It uses legitimate third-party DLLs and has a lightweight build of 80KB. It can automatically exfiltrate stolen data, which is one of the reasons for gaining massive attention and interest in the cybercrime world.
Stealc functions by deobfuscating its strings upon deployment to perform a counter-analysis check that prevents it from running in a sandbox or virtual environment. It proceeds to load WinAPI functions that facilitate communication with the C2 server to enable forwarding the victim’s hardware identifier and build name and receiving a configuration response. Stealc further performs an information extraction process before automatically removing itself and downloaded DLL files from the host to prevent leaving traces of infection behind.
Although SEKOIA has suggested methods, including YARA and Suricata rules for detecting the malware, it is expedient for internet users to take caution regarding installing cracked software.
