Stealc: new malware offers a wide set of data-theft features

A new infostealer called Stealc has appeared on the dark web and is gaining traction thanks to aggressive promotion of its data-theft capabilities and its similarities to the Vidar, Raccoon, Mars and RedLine malware families.

Security researchers from Sekoia, a company that tracks cyber threats, identified the new malware strain in January of this year; its activity peaked in February.

Stealc was advertised on hacker forums by a Russian-speaking user under the nickname "Plymouth". The poster described the program's broad data-theft features and also pointed to an easy-to-use administration panel.

Post on a hacker forum advertising the Stealc malware

According to Plymouth, in addition to the usual targeting of web browser data, browser extensions and cryptocurrency wallets, Stealc can be configured to collect any file types the operator wants to steal. The author openly stated that Stealc builds on the work of the popular Vidar, Raccoon, Mars and RedLine stealers. The program was also promoted in closed Telegram channels, where prospective buyers could try test samples before purchasing.

Researchers identified one trait that Stealc shares with Vidar, Raccoon, Mars and RedLine: all of them load legitimate third-party DLLs (for example, sqlite3.dll and nss3.dll) in order to steal user data.

Sekoia researchers have identified more than 40 active Stealc C2 servers and several dozen samples in the wild (ITW). This indicates that the new malware has attracted considerable interest from the cybercriminal community.

On execution, the malware deobfuscates its strings and performs anti-analysis checks to make sure it is not running in a virtual machine or sandbox. It then dynamically resolves the WinAPI functions it needs and connects to the C2 server, sending the victim's hardware ID and the build name and receiving the desired configuration in response.

Stealc then collects data from all targeted browsers, extensions and applications, starts the user-file grabber, and uploads the results to the C2 server. Once this stage is complete, the malware deletes itself and the DLL files it downloaded to the device in order to erase any trace of the infection.
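The two behaviours described above (a non-browser process loading the browser-data DLLs sqlite3.dll and nss3.dll, and the same process deleting those DLLs afterwards during cleanup) give a defender something concrete to hunt for in endpoint telemetry. The following is an added illustration, not code from Sekoia or from the article: it runs a simple two-rule detection over a handful of constructed, Sysmon-style image-load and file-delete events. The pipe-delimited event format, the process names and paths, the `BROWSER_LIKE` allow-list and the function names are all assumptions made for this example.

```python
"""Hypothetical two-rule detection over constructed endpoint events.

Rule 1: a process that is not a browser or mail client loads nss3.dll or
        sqlite3.dll (the DLLs the article names as shared tooling of Stealc,
        Vidar, Raccoon, Mars and RedLine).
Rule 2: a process deletes a watched DLL that it previously loaded (the
        post-exfiltration cleanup the article describes).
Event format (constructed for this example): ts|kind|pid|process_path|target_path
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption: processes that legitimately load these DLLs (allow-list, constructed).
BROWSER_LIKE = {"firefox.exe", "thunderbird.exe", "chrome.exe", "msedge.exe"}
# DLL names taken from the article.
WATCHED_DLLS = {"nss3.dll", "sqlite3.dll"}


@dataclass
class Event:
    ts: str
    kind: str      # "ImageLoad" or "FileDelete"
    pid: int
    image: str     # full path of the process executable
    target: str    # path of the loaded or deleted file


def parse_event(line: str) -> Optional[Event]:
    """Parse one pipe-delimited event line; malformed lines yield None."""
    parts = line.strip().split("|")
    if len(parts) != 5 or parts[1] not in ("ImageLoad", "FileDelete"):
        return None
    ts, kind, pid, image, target = parts
    if not pid.isdigit():
        return None
    return Event(ts, kind, int(pid), image, target)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(lines: Iterable[str]) -> List[dict]:
    """Return one alert dict per suspicious (pid, dll) observation."""
    loaded: Dict[int, set] = defaultdict(set)   # pid -> set of watched DLLs it loaded
    alerts: List[dict] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                              # skip malformed telemetry
        dll = basename(ev.target)
        if dll not in WATCHED_DLLS:
            continue
        proc = basename(ev.image)
        if ev.kind == "ImageLoad":
            loaded[ev.pid].add(dll)
            if proc not in BROWSER_LIKE:          # Rule 1
                alerts.append({"pid": ev.pid, "process": proc, "dll": dll,
                               "reason": "non-browser process loaded browser-data DLL"})
        elif dll in loaded.get(ev.pid, set()):    # Rule 2 (FileDelete)
            alerts.append({"pid": ev.pid, "process": proc, "dll": dll,
                           "reason": "process deleted a DLL it had loaded (cleanup)"})
    return alerts


# Constructed sample telemetry: a legitimate Firefox load, then a fake
# "cracked installer" that loads both DLLs from %TEMP% and deletes them.
SAMPLE_EVENTS = [
    r"2023-02-10T12:00:01|ImageLoad|4120|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Program Files\Mozilla Firefox\nss3.dll",
    r"2023-02-10T12:01:05|ImageLoad|5388|C:\Users\victim\AppData\Local\Temp\setup_crack.exe|C:\Users\victim\AppData\Local\Temp\nss3.dll",
    r"2023-02-10T12:01:06|ImageLoad|5388|C:\Users\victim\AppData\Local\Temp\setup_crack.exe|C:\Users\victim\AppData\Local\Temp\sqlite3.dll",
    r"this line is deliberately malformed and must be ignored",
    r"2023-02-10T12:01:40|FileDelete|5388|C:\Users\victim\AppData\Local\Temp\setup_crack.exe|C:\Users\victim\AppData\Local\Temp\nss3.dll",
    r"2023-02-10T12:01:40|FileDelete|5388|C:\Users\victim\AppData\Local\Temp\setup_crack.exe|C:\Users\victim\AppData\Local\Temp\sqlite3.dll",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script reports four alerts for PID 5388 (two loads, two deletions) and none for Firefox. In a real deployment the allow-list would be populated from the fleet's known browser and mail-client paths, and Rule 2 would be correlated with the process-termination event so the self-deletion the article mentions is caught as well.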

One of the distribution methods observed involves phishing websites that invite potential victims to download cracked software, into which the Stealc malware has, of course, been embedded.

Sekoia also shared a large set of indicators of compromise (IoCs) that antivirus vendors can use to add the malware to their detection databases.

Given the observed distribution method, users are advised to avoid installing pirated software and to download any products only from official sites.

Source: media reports cited above.