Infostealer is actively advertised by cybercriminals, supporting 23 browsers, 70 web plugins and 15 crypto wallets.
There is a new infostealer on the darknet called Stealc that is gaining traction thanks to its aggressive promotion of data theft capabilities and similarities to Vidar, Raccoon, Mars and Redline malware.
Security researchers from cyber threat detection company SEKOIA identified a new strain of malware in January of this year, and its activity peaked in February.
Stealc was advertised on hacker forums by a Russian-speaking user under the nickname "Plymouth". The hacker described the broad capabilities of the program for stealing data, and also noted the easy-to-use administration panel.
In addition to the usual targeting of web browser data, extensions and cryptocurrency wallets, Stealc can also be configured to target any types of user files that an operator wishes to steal, according to Plymouth. The author openly stated that the development of Stealc used the developments of the popular malware Vidar, Raccoon, Mars and Redline. The program was also promoted in closed Telegram channels with the opportunity to try out test samples before buying.
The researchers found one thing in common that shares Stealc with the aforementioned Vidar, Raccoon, Mars and Redline. They all load legitimate third-party ".dll" libraries (eg sqlite3.dll, nss3.dll) to steal user files.
SEKOIA researchers found more than 40 active Stealc C2 servers and several dozen instances in the wild (ITW). This indicates that the new malware has attracted considerable interest from the cybercriminal community.
When deployed, the malware deobfuscates its strings and performs anti-analytics checks to make sure it is not running in a virtualized or sandboxed environment. It then dynamically loads the WinAPI functions and initiates communication with the C2 server by sending the victim's hardware ID and assembly name, receiving the desired configuration in response.
After that, Stealc collects data from all target browsers, extensions and applications, starts capturing user files, and then uploads them to the C2 server. Once this stage is complete, the malware deletes itself and the DLLs it downloaded from the device to erase any traces of the infection.
One of the distribution methods that researchers have observed is phishing websites that offer potential victims to download hacked software. Of course, Stealc malware was built into this software.
SEKOIA also shared a large set of indicators of compromise that antivirus companies can use to add malware to their databases.
Given the way malware is being distributed, users are advised to avoid installing pirated software and only download any products from official websites.