A new information stealer called Stealc has emerged on the dark web and is gaining traction thanks to aggressive promotion of its data-stealing capabilities and its similarities to established malware of the same kind, such as Vidar, Raccoon, Mars, and Redline.
Security researchers at cyber threat intelligence company SEKOIA spotted the new strain in January and noticed that it started to gain traction in early February.
New stealer for sale
Stealc has been advertised on hacking forums by a user called “Plymouth,” who presented it as malware with extensive data-stealing capabilities and an easy-to-use administration panel.
According to the advertiser, apart from the typical targeting of web browser data, extensions, and cryptocurrency wallets, Stealc also has a customizable file grabber that can be set to target whatever file types the operator wishes to steal.
Similarities with Vidar and Raccoon info stealers
After the initial post, Plymouth started to promote the malware on other hacking forums and on private Telegram channels, offering test samples to potential customers.
The seller also set up a Telegram channel dedicated to publishing Stealc’s new version changelogs, the most recent being v1.3.0, released on February 11, 2023. The malware is actively developed, and a new version appears on the channel every week.
Plymouth also said that Stealc was not developed from scratch but instead relied on Vidar, Raccoon, Mars and Redline stealers.
One commonality the researchers found between Stealc and Vidar, Raccoon and Mars infostealers is that they all download legitimate third-party DLLs (e.g. sqlite3.dll, nss3.dll) to help with pilfering sensitive data.
In a report today, SEKOIA researchers note that the command and control (C2) communications of one of the samples they analyzed shared similarities to those of Vidar and Raccoon info stealers.
The researchers discovered more than 40 C2 servers for Stealc and several dozen samples in the wild, indicating that the new malware has attracted the interest of the cybercriminal community.
This popularity may be explained by the fact that customers with access to the administration panel can generate new stealer samples themselves, which increases the chances of the malware leaking to a broader audience.
Despite the poor business model, SEKOIA believes that Stealc represents a significant threat as it could be adopted by less technical cybercriminals.
Stealc’s functions
Stealc has gained new features since its first release in January, including a system to randomize C2 URLs, an improved system for searching and sorting logs (the stolen data), and an exclusion for victims located in Ukraine.
The features that SEKOIA could verify by analyzing the captured sample are the following:
- Lightweight build of only 80KB
- Use of legitimate third-party DLLs
- Written in C and abusing Windows API functions
- Most strings are obfuscated with RC4 and base64
- The malware exfiltrates stolen data automatically
- It targets 22 web browsers, 75 plugins, and 25 desktop wallets
SEKOIA’s current report does not include all the data obtained from reverse engineering Stealc but provides an overview of the main steps of its execution.
When deployed, the malware deobfuscates its strings and performs anti-analysis checks to ensure it doesn’t run in a virtual environment or sandbox.
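The feature list above notes that most of Stealc’s strings are obfuscated with RC4 and base64, and the execution overview says the malware deobfuscates them when it starts. As an added illustration, which is not part of SEKOIA’s report or of the malware’s own code, the following Python shows how an analyst typically reverses such a string-hiding scheme: base64-decode each blob, run it through RC4 with the key recovered from the binary, and keep only the results that decode to printable text (a wrong key produces high-entropy garbage, so the filter discards it). The key, the encoding order (RC4 first, then base64), and the sample strings are constructed assumptions for this example; the report does not disclose Stealc’s key or layout, and for a real sample both have to be pulled from the binary.

```python
import base64
import string


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the keystream generator (PRGA).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate_string(key: bytes, plaintext: str) -> str:
    """Assumed scheme for this example: RC4-encrypt, then base64-encode."""
    return base64.b64encode(rc4_crypt(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate_string(key: bytes, blob: str) -> str:
    """Reverse of obfuscate_string: base64-decode, then RC4 with the same key."""
    return rc4_crypt(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


PRINTABLE = set(string.printable)


def looks_like_text(candidate: str) -> bool:
    """Cheap plausibility filter: a wrong key yields non-printable garbage, not text."""
    return bool(candidate) and all(ch in PRINTABLE for ch in candidate)


def recover_strings(key: bytes, blobs: list[str]) -> list[str]:
    """Decode every blob with the candidate key and keep only plausible results,
    in the order of the blobs that passed the filter."""
    recovered = []
    for blob in blobs:
        try:
            candidate = deobfuscate_string(key, blob)
        except ValueError:          # binascii.Error (bad base64) is a ValueError
            continue
        if looks_like_text(candidate):
            recovered.append(candidate)
    return recovered


# Constructed sample data (not taken from any real sample): a made-up key and a few
# strings of the kind a stealer hides, such as helper DLL names and browser paths.
EXAMPLE_KEY = b"example-key-not-real"
CONSTRUCTED_PLAINTEXTS = [
    "sqlite3.dll",
    "nss3.dll",
    r"\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    "POST",
]
CONSTRUCTED_BLOBS = [obfuscate_string(EXAMPLE_KEY, s) for s in CONSTRUCTED_PLAINTEXTS]


if __name__ == "__main__":
    for blob, text in zip(CONSTRUCTED_BLOBS, recover_strings(EXAMPLE_KEY, CONSTRUCTED_BLOBS)):
        print(f"{blob}  ->  {text}")
```

In practice the blobs come from the binary’s string table or from the arguments passed to the malware’s decryption routine, and the key is read out of the same routine under a debugger or in a disassembler; the printable-text filter is what lets an analyst brute-force a handful of candidate keys without reviewing every decode by hand.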