Apps Development and Hosting Platform | IT Company Australia

Stealc malware with a variety of stealing capabilities emerges

February 22, 2023

Stealc, a new information stealer, has appeared on the dark web. Thanks to its active marketing and its similarity to established malware such as Vidar, Raccoon, Mars, and Redline, it is gaining traction among cybercriminals.

SEKOIA researchers discovered the new strain in January and observed it beginning to spread in early February.

Stealer for sale

Stealc was promoted on hacker forums by a person known as “Plymouth”. The virus is described as having broad data-stealing capabilities and an easy-to-use administrative interface.

The ad claims that Stealc targets web browser data, browser extensions, and cryptocurrency wallets. It also features a customizable file grabber that lets the operator target any file types they want to steal.

After the original post, Plymouth promoted the virus on various hacker forums and private Telegram groups, and also provided test samples to interested clients.

The vendor also created a Telegram channel to post changelogs for new Stealc versions. The most recent version, v1.3.0, was released on February 11, 2023; a new version of the virus is announced in the channel every week.

Plymouth claims Stealc was not created from scratch, but instead founded on stealers such as Vidar, Raccoon, Mars, and Redline.

SEKOIA researchers found that Stealc shares commonalities with the Vidar, Raccoon, and Mars info stealers: all of them download legitimate third-party DLLs (e.g. sqlite3.dll, nss3.dll) to aid in the theft of sensitive data.

When the researchers studied the command and control (C2) communications of one of the samples, they found that it resembled that of other info stealers.

The researchers identified more than 40 Stealc C2 servers, and dozens of samples were detected in the wild. This shows that the new virus has piqued the interest of the cybercriminal community.

Its popularity is attributed to the fact that customers with access to the administration panel can generate fresh stealer samples themselves. This has increased the likelihood of the virus spreading to a larger audience.

Despite its inadequate revenue model, Stealc poses a major threat since less technically savvy crooks can utilize it.

The functions of Stealc

Since its first release in January, Stealc has introduced additional features, such as a mechanism to randomize C2 URLs, an improved log searching and sorting system, and an exclusion for victims in Ukraine.

SEKOIA was able to confirm the following features by evaluating the collected sample:

  • Lightweight build of about 80 KB
  • Use of legitimate third-party DLLs
  • Written in C and relying on Windows API functions
  • The majority of strings are obfuscated with RC4 and base64
  • The virus automatically exfiltrates stolen data; it targets 22 web browsers, 75 plugins, and 25 desktop wallets
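The bullet on string obfuscation is the detail an analyst acts on first: strings that are RC4-encrypted and then base64-encoded can be recovered with a few lines of tooling once the key is known. The snippet below is an added illustration written for this article, not code from SEKOIA's report or from the malware itself; the key and the encoded blobs are constructed here for the demonstration, and the printable-text check stands in for the sanity check an analyst would apply when trying candidate keys.

```python
import base64
import string
from typing import List, Optional

# Constructed demo key; a real sample carries its own key in the binary.
DEMO_KEY = b"demo-key-not-real"

PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).

    RC4 is symmetric, so the same function encrypts and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, plaintext: str) -> str:
    """Produce a blob in the shape described (base64 over RC4) for the demo input."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> Optional[str]:
    """Reverse base64 then RC4; return None if the blob is malformed or the key is wrong.

    A wrong key yields pseudo-random bytes, so requiring the result to be
    entirely printable is a cheap filter when testing candidate keys.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    plain = rc4(key, raw)
    if plain and all(b in PRINTABLE for b in plain):
        return plain.decode("ascii")
    return None


# Constructed sample of what a string table might look like after obfuscation.
SAMPLE_STRINGS = ["sqlite3.dll", "nss3.dll", "SELECT * FROM logins"]
SAMPLE_BLOBS = [obfuscate(DEMO_KEY, s) for s in SAMPLE_STRINGS]


def decode_all(key: bytes, blobs: List[str]) -> List[Optional[str]]:
    """Decode a list of blobs with one key; entries that fail the checks come back as None."""
    return [deobfuscate(key, b) for b in blobs]


if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, decode_all(DEMO_KEY, SAMPLE_BLOBS)):
        print(f"{blob} -> {text!r}")
```

In practice the key is pulled from the sample (or from a YARA match on the decryption routine) and the loop runs over every base64 literal the binary references; the printable filter is what keeps a wrong-key guess from flooding the output with garbage.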

The current SEKOIA report does not include all of the reverse engineering data, but it does give an outline of the essential phases of Stealc's execution.

The malware deobfuscates its strings and conducts anti-analysis checks to prevent it from executing in a virtual environment.

Following that, it dynamically loads WinAPI routines and connects to the C2 server. In its first message it sends the victim's hardware identifier and build name, and receives a configuration in return.

Stealc then gathers data from the targeted browsers, extensions, and applications, and runs its customizable file grabber if it is enabled, before exfiltrating everything to the C2. After completing this phase, the malware deletes itself and all downloaded DLL files from the infected host.
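The execution outline above suggests a behavioural detection that does not depend on any single sample's strings: a process that writes legitimate helper DLLs such as sqlite3.dll or nss3.dll into a user-writable directory and later removes its own executable. The code below is an added example for this article, not a rule from SEKOIA or from any product; the event records, process ids and paths are constructed, the event schema is a simplified stand-in for real endpoint telemetry, and it assumes the deletion is attributed to the original process rather than a spawned helper.

```python
from collections import defaultdict
from typing import Dict, List

# Legitimate DLLs the report names as helpers the stealers fetch. Browsers ship
# these under Program Files, so mere presence is not suspicious; creation in a
# user-writable location by a non-installer process is the signal.
HELPER_DLLS = {"sqlite3.dll", "nss3.dll"}

# Constructed, simplified notion of "trusted" install locations.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def basename_win(path: str) -> str:
    """Last component of a Windows path (os.path.basename would not split on '\\' on Linux)."""
    return path.lower().rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_PREFIXES)


def find_dll_drop_and_self_delete(events: List[Dict]) -> List[int]:
    """Return pids that both dropped a helper DLL outside trusted dirs and deleted their own image.

    Each event is a dict with keys: ts, pid, event, and either image (process_start)
    or path (file_create, file_delete, image_load). Other event types are ignored.
    """
    dropped = defaultdict(set)   # pid -> helper DLL names written to user-writable paths
    image_of = {}                # pid -> lower-cased image path from process_start
    self_deleted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        kind = ev["event"]
        if kind == "process_start":
            image_of[pid] = ev["image"].lower()
        elif kind == "file_create":
            name = basename_win(ev["path"])
            if name in HELPER_DLLS and is_user_writable(ev["path"]):
                dropped[pid].add(name)
        elif kind == "file_delete":
            if ev["path"].lower() == image_of.get(pid):
                self_deleted.add(pid)
    # Require both indicators; either one alone is common in benign software.
    return sorted(pid for pid in dropped if pid in self_deleted)


# Constructed telemetry: a browser loading its own nss3.dll (benign), an installer
# writing sqlite3.dll into AppData without self-deleting (benign), and a process
# from the user's Temp directory that drops both DLLs and then deletes itself.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 1001, "event": "process_start", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"ts": 2, "pid": 1001, "event": "image_load", "path": "C:\\Program Files\\Mozilla Firefox\\nss3.dll"},
    {"ts": 3, "pid": 2002, "event": "process_start", "image": "C:\\Users\\alice\\Downloads\\app-setup.exe"},
    {"ts": 4, "pid": 2002, "event": "file_create", "path": "C:\\Users\\alice\\AppData\\Local\\App\\sqlite3.dll"},
    {"ts": 5, "pid": 4242, "event": "process_start", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    {"ts": 6, "pid": 4242, "event": "file_create", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\sqlite3.dll"},
    {"ts": 7, "pid": 4242, "event": "file_create", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\nss3.dll"},
    {"ts": 8, "pid": 4242, "event": "file_delete", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\sqlite3.dll"},
    {"ts": 9, "pid": 4242, "event": "file_delete", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\nss3.dll"},
    {"ts": 10, "pid": 4242, "event": "file_delete", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
]


if __name__ == "__main__":
    print("suspicious pids:", find_dll_drop_and_self_delete(SAMPLE_EVENTS))
```

The pairing of the two indicators is the point: browsers legitimately carry nss3.dll and many installers write sqlite3.dll next to their own files, so a rule on either alone is noisy, while a process that stages those DLLs in Temp and then erases its own image matches the cleanup step the report describes.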

Another method of distribution is through YouTube videos demonstrating how to install cracked software and linking to a download page.

According to the researchers, the downloaded software contains the Stealc information stealer. When the installer is executed, the virus begins its routine and connects to its server.

To sum up

SEKOIA has shared a large set of indicators of compromise that businesses can use to defend their digital assets, as well as YARA and Suricata rules to detect the malware based on its decryption routines, specific strings, and behavior. Users are advised to avoid installing pirated software and to download products only from the official developer's website.
