Beware, new infostealing Stealc malware emerges
Stealc is the name of a new malware that emerged on the dark web in January 2023. First reported by SEKOIA (via Neowin), Stealc is an information stealer that is not entirely new, but is based on other information stealers, including Vidar, Raccoon and Redline.
In February 2023, SEKOIA found evidence that Stealc was being used in attacks in the wild. More than 40 Stealc Command and Control servers were identified by SEKOIA in February. On the malware side, several dozen Stealc samples were found being distributed in the wild.
Company researchers traced the first traces of Stealc back to a dark web forum post. On January 9, 2023, Stealc was advertised in dark web forums. The user provided a detailed description of the malware, which included a list of its capabilities, its management and control options, and several technical details.
Stealc malware functionality
The information stealer prioritizes certain kinds of data over others by default:
- Popular cryptocurrency wallet web browser extensions, 75 plugins at the time of writing.
- Popular web browsers, about 22 in total.
- Desktop cryptocurrency wallets, 25 wallets at the time.
- Information from email clients and messengers.
Threat actors may customize the data collection, which sets Stealc apart from some of the other information stealers sold on the dark web. Stealc includes another component, a customizable file grabber, that looks for files specified during configuration; this makes it a very powerful and unpredictable tool.
Another component of Stealc is the loader, which is commonly seen in Malware-as-a-Service operations.
On the administrative side, Stealc provides threat actors with a wide range of capabilities and controls. Administrators may use it to set up and customize the malware, download stolen data from the control server, and access data directly. Access options include parsing, displaying, filtering, sorting and analyzing the downloaded data.
SEKOIA notes that log handling is a major aspect of information stealers with Malware-as-a-Service components. Threat actors often attempt to sell log data on dark web marketplaces, which makes a download option essential for that task.
The user who advertised Stealc on the dark web expanded their advertising campaign to other channels, including Telegram groups and exploit hacking forums. They offered free malware demonstrations in order to gain community trust.
In addition to these marketing activities, they also published frequent changelogs to different forums and a dedicated Telegram group. These showcased improvements and new features that were implemented during development. Since January 9, 2023, three major updates have been released that introduced features such as random Command and Control URLs, browser history collection, and a logs archive. SEKOIA published a technical analysis of Stealc on its website.
Stealc is currently distributed through various channels. Attacks are ongoing, and a common form involves YouTube videos about cracked software that prompt viewers to download a program to their systems. The program includes the Stealc malware, which attempts to infect the system on execution. The malware may also be distributed via Google ads, forum messages and other channels.
SEKOIA expects that Stealc will become widespread in the near future.
As far as protection is concerned, keeping security software up to date is important. Almost equally important is to avoid executing files downloaded from sites that do not have a good reputation. If that needs to be done, it is essential to run these programs either in a sandbox, e.g., Windows Sandbox, or in a virtual environment, to protect data on the main system.
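As an added illustration of the Windows Sandbox advice above (this is an example configuration written for this page, not something from the article or from SEKOIA's report), the following `.wsb` file starts a disposable sandbox with networking disabled, so an information stealer that runs inside it cannot reach a Command and Control server, and with clipboard redirection off so nothing is copied back to the host. The host folder path `C:\Quarantine\downloads` and the program name `suspicious-setup.exe` are assumed placeholders; the folder is mapped read-only, so the sandboxed program can be inspected but cannot modify the original file.

```xml
<!-- Example Windows Sandbox configuration (save as e.g. inspect-download.wsb and double-click).
     Host path and file name below are placeholders for this example. -->
<Configuration>
  <!-- No network: the sandbox cannot talk to any Command and Control server. -->
  <Networking>Disable</Networking>
  <!-- Keep clipboard contents on the host from being visible inside the sandbox and vice versa. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <!-- Disable GPU sharing; it is not needed to run an installer and reduces the exposed surface. -->
  <vGPU>Disable</vGPU>
  <!-- Cap sandbox memory so it cannot starve the host. -->
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <!-- Assumed quarantine folder on the host holding the downloaded program. -->
      <HostFolder>C:\Quarantine\downloads</HostFolder>
      <!-- Mapped read-only: the sandboxed program can read but not alter the original download. -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- Mapped folders appear on the sandbox desktop under the sandbox user's profile.
         Open the folder for inspection rather than auto-running the program. -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\downloads</Command>
  </LogonCommand>
</Configuration>
```

Everything inside the sandbox is discarded when its window is closed, which is what makes it suitable for looking at an untrusted download: any browser profiles, wallet files or credentials the stealer might collect in there are throwaway copies, not the data on the main system. Windows Sandbox requires Windows 10 or 11 Pro or Enterprise with virtualization enabled; a full virtual machine with networking disabled and no shared folders serves the same purpose on other editions.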