
'Stealc' information-stealing malware emerges from the dark web

source link: https://www.neowin.net/news/stealc-information-stealing-malware-emerges-from-the-dark-web/


A new information-stealing malware called "Stealc" was recently seen making the rounds on the dark web, not only looking for its next victim, but also its next customer.

Cybersecurity researchers from SEKOIA recently discovered the malware being advertised on multiple underground forums by a threat actor called "Plymouth." According to the cybercriminal, Stealc is a fully featured, ready-to-use stealer built on other popular infostealers such as Vidar, Raccoon, Mars, and RedLine Stealer.

Stealc gets new tweaks and upgrades at least once a week. Its newer features include a command-and-control (C&C) URL randomizer and an improved log searching and sorting system. It also spares victims located in Ukraine. Aside from these, Stealc has the following characteristics and capabilities:

  • Only 80 KB
  • Uses legitimate third-party DLLs
  • Written in C and abuses Windows API functions
  • Exfiltrates stolen data automatically
  • Targets 22 browsers, 75 plugins, and 25 desktop wallets

Aside from advertising it on dark web forums, Plymouth is also deploying the malware to various PCs by creating fake YouTube tutorials on how to crack software. The videos will then direct an unsuspecting user to a download website that will deploy Stealc.

Once installed on a victim's PC, the malware performs anti-analysis checks to make sure it is not running in a virtual machine or sandbox. Next, it loads the Windows API functions it needs and contacts the C&C server, sending the victim's hardware identifier and build name. The malware then receives a set of instructions.

At this point, Stealc starts collecting data from the targeted browsers, extensions, and apps. It also runs its file grabber, if that module is active, and exfiltrates the collected files to the C&C server. After a successful theft, Stealc removes itself and the downloaded DLL files from the victim's PC to avoid detection.
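A defender-side illustration of the behaviour chain just described, added here as example code (not from SEKOIA or any Stealc analysis): it correlates constructed, Sysmon-like events per process and flags one that beacons out, drops DLLs into a user-writable directory, and then deletes those DLLs and its own executable. Event fields, paths, PIDs and addresses are all constructed for the example.

```python
"""Behavioural detector for the stealer pattern described above: a process
that contacts a remote host, drops DLLs, then wipes the DLLs and itself.
The event tuples below are constructed sample telemetry, not real logs."""
from collections import defaultdict

# Constructed events in time order: (event type, pid, detail).
EVENTS = [
    ("ProcessCreate", 4120, r"C:\Users\bob\Downloads\setup.exe"),
    ("NetworkConnect", 4120, "203.0.113.10:80"),  # TEST-NET address, constructed
    ("FileCreate", 4120, r"C:\Users\bob\AppData\Local\Temp\lib1.dll"),
    ("FileCreate", 4120, r"C:\Users\bob\AppData\Local\Temp\lib2.dll"),
    ("FileDelete", 4120, r"C:\Users\bob\AppData\Local\Temp\lib1.dll"),
    ("FileDelete", 4120, r"C:\Users\bob\AppData\Local\Temp\lib2.dll"),
    ("FileDelete", 4120, r"C:\Users\bob\Downloads\setup.exe"),
    # Benign installer: connects and drops a DLL but leaves everything in place.
    ("ProcessCreate", 5000, r"C:\Users\bob\Downloads\installer.exe"),
    ("NetworkConnect", 5000, "198.51.100.7:443"),
    ("FileCreate", 5000, r"C:\Users\bob\AppData\Local\Temp\helper.dll"),
]


def find_self_cleaning_droppers(events):
    """Return {pid: [reasons]} for processes that beacon, drop DLLs, then clean up.

    Note: on Windows a process cannot unlink its own running image directly, so in
    real telemetry the final delete is usually done by a spawned helper; attribute
    such events to the parent pid before feeding them here."""
    image, beaconed = {}, set()
    dropped, deleted = defaultdict(set), defaultdict(set)
    for kind, pid, detail in events:
        if kind == "ProcessCreate":
            image[pid] = detail.lower()
        elif kind == "NetworkConnect":
            beaconed.add(pid)
        elif kind == "FileCreate" and detail.lower().endswith(".dll"):
            dropped[pid].add(detail.lower())
        elif kind == "FileDelete":
            deleted[pid].add(detail.lower())
    hits = {}
    for pid in sorted(beaconed):  # only processes that talked to the network
        reasons = []
        wiped = dropped[pid] & deleted[pid]
        if wiped:
            reasons.append(f"deleted {len(wiped)} DLL(s) it had dropped")
        if image.get(pid) in deleted[pid]:
            reasons.append("deleted its own executable")
        if reasons:
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, why in find_self_cleaning_droppers(EVENTS).items():
        print(f"pid {pid}: " + "; ".join(why))
```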

SEKOIA says that it has discovered more than 40 C&C servers related to Stealc, implying that the malware has become popular among cybercriminals distributing stealer malware.

To protect your PCs from malware, always keep your security software updated and never download or install software from sketchy websites. Finally, do not open attachments or links from unsolicited emails, as they may contain malware.

Source: SEKOIA
