On February 20, 2023, researchers with Sekoia.io reported the technical details of a new infostealer malware advertised for sale as “Stealc” by developers on dark web criminal forums.
Context
According to the report, “The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars and Redline stealers.”
Technical Details
According to the researchers, Stealc's communication with its C2 server follows this sequence:
- “Stealc first sends the victim’s host HWID (Hardware Identifier) and build name to its C2 server, using a POST request on the server gate (name=”hwid”, name=”build”). The server responds with the base64-encoded configuration
- The malware sends the command browsers to the C2 to retrieve its configuration for data collection from web browsers, using a POST request on the server gate (name=”token”, name=”message” (browsers)). Again, the server responds with the base64-encoded configuration
- Using the same format, it sends the command plugins to the C2 to retrieve its configuration for data collection from web browser extensions, using a POST request on the server gate (name=”token”, name=”message” (plugins)). The server responds with the base64-encoded configuration
- Stealc exfiltrates fingerprint data of the infected host, using a POST request on the server gate (name=”token”, name=”file_name”, name=”file”). The file is named system_info.txt and includes information on network, system summary, user agents, installed apps and process list
- It downloads 7 legitimate third-party DLLs from the C2 server, using GET requests
- Stealc exfiltrates files one by one, using POST requests on the server gate (name=”token”, name=”file_name”, name=”file”). Files collected and exfiltrated by the malware correspond to those defined in the received configuration
- It sends the command wallets to the C2 to retrieve its configuration for data collection from desktop cryptocurrency wallets, using a POST request on the server gate (name=”token”, name=”message” (wallets)). Again, the server responds with the base64-encoded configuration
- It also sends the command files to the C2 to retrieve its configuration for the file grabber, using a POST request on the server gate (name=”token”, name=”message” (files)). The server responds with the base64-encoded configuration
- Again, it exfiltrates the collected data using the same pattern as previously described in step 6 (name=”token”, name=”file_name”, name=”file”). With the previous configuration, the file files\DESKTOP\SwitchSearch.txt is collected and exfiltrated by the malware
- Finally, Stealc obfuscated data includes the file path or the Windows Registry key related to sensitive data of Discord, Telegram, Tox, Outlook and Steam. The malware gathers the targeted files and exfiltrates them with the same pattern as described before
- Once the malware finishes retrieving all configurations and exfiltrating collected data, it sends the command done using a POST request on the server gate (name=”token”, name=”message” (done))”
Detection Options
Sekoia.io researchers provided the following YARA rules:
rule infostealer_win_stealc {
    meta:
        malware = "Stealc"
        description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
        source = "SEKOIA.IO"
        reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
        classification = "TLP:CLEAR"
        hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
    strings:
        $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } // deobfuscation function
        $str01 = "------" ascii
        $str02 = "Network Info:" ascii
        $str03 = "- IP: IP?" ascii
        $str04 = "- Country: ISO?" ascii
        $str05 = "- Display Resolution:" ascii
        $str06 = "User Agents:" ascii
        $str07 = "%s\\%s\\%s" ascii
    condition:
        uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
}
Sekoia.io researchers provided the following VirusTotal Livehunt rules:
import "vt"

rule infostealer_win_stealc_behaviour {
    meta:
        malware = "Stealc"
        description = "Find Stealc sample based on characteristic behaviors"
        source = "SEKOIA.IO"
        reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
        classification = "TLP:CLEAR"
        hash = "3feecb6e1f0296b7a9cb99e9cde0469c98bd96faed0beda76998893fbdeb9411"
    condition:
        for any cmd in vt.behaviour.command_executions : (
            cmd contains "\\*.dll"
        ) and
        for any cmd in vt.behaviour.command_executions : (
            cmd contains "/c timeout /t 5 & del /f /q"
        ) and
        for any c in vt.behaviour.http_conversations : (
            c.url contains ".php"
        )
}
Sekoia.io researchers provided the following Suricata rules:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SEKOIA.IO Malware Stealc POST request: hwid, build"; \
    flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; depth:21; http.content_type; \
    content:"multipart/form-data|3B| boundary=----"; http.request_body; content:"Content-Disposition: form-data|3B| name=|22|hwid|22|"; \
    offset:26; depth:45; content:"Content-Disposition: form-data|3B| name=|22|build|22|"; \
    reference:url,blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; \
    classtype:trojan-activity; sid:001; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SEKOIA.IO Malware Stealc POST request: token, message"; \
    flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; depth:21; http.content_type; \
    content:"multipart/form-data|3B| boundary=----"; http.request_body; content:"Content-Disposition: form-data|3B| name=|22|token|22|"; \
    offset:26; depth:46; content:"Content-Disposition: form-data|3B| name=|22|message|22|"; \
    threshold:type limit, track by_src, seconds 180, count 1; \
    reference:url,blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; \
    classtype:trojan-activity; sid:002; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)
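The C2 sequence in the Technical Details section and the two Suricata rules above describe the same artefact from two angles: multipart POST bodies to a .php gate whose form fields are hwid/build, token/message or token/file_name/file. The following Python script is an added example, not Sekoia.io's code, that applies those gate conditions (POST, ".php" within the first 21 bytes of the URI, a multipart boundary beginning with "----") to parsed request bodies and labels which stage of the exchange each one matches. The field names, commands and URI shape are taken from the report; the boundary, token, HWID and every request in SAMPLE_REQUESTS are constructed for illustration.

```python
"""Classify HTTP POST requests against the Stealc C2 exchange described above.

Added example, not Sekoia.io's code: the field names, the .php gate and the
"----" boundary prefix come from the report and the Suricata rules; every
request below is constructed for illustration (no real C2 traffic).
"""
import re
from typing import Optional

# Commands the report lists for the name="message" field.
STEALC_COMMANDS = {"browsers", "plugins", "wallets", "files", "done"}

# Picks name="..." out of a part's Content-Disposition header.
_DISPOSITION = re.compile(
    rb'Content-Disposition:\s*form-data;\s*name="([^"]*)"', re.IGNORECASE
)


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Return {field_name: value} for a multipart/form-data body."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return {}
    delimiter = b"--" + m.group(2).encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.strip() in (b"", b"--"):
            continue  # closing delimiter or padding
        head, _, value = part.partition(b"\r\n\r\n")
        name = _DISPOSITION.search(head)
        if name:
            fields[name.group(1).decode(errors="replace")] = value.rstrip(b"\r\n")
    return fields


def classify_request(method: str, uri: str, content_type: str,
                     body: bytes) -> Optional[str]:
    """Label the Stealc stage a request matches, or None.

    Gate checks mirror the Suricata rules: POST to a .php gate (the rules use
    depth:21, the length of "/<16 hex>.php"), multipart body, boundary "----".
    """
    if method.upper() != "POST" or ".php" not in uri[:21]:
        return None
    ct = content_type.lower()
    if not ct.startswith("multipart/form-data") or "boundary=----" not in ct:
        return None
    fields = parse_multipart(content_type, body)
    names = set(fields)
    if {"hwid", "build"} <= names:
        return "stealc_checkin"
    if {"token", "file_name", "file"} <= names:
        return "stealc_exfil:" + fields["file_name"].decode(errors="replace")
    if {"token", "message"} <= names:
        cmd = fields["message"].decode(errors="replace")
        return f"stealc_command:{cmd if cmd in STEALC_COMMANDS else 'unknown'}"
    return None


def build_multipart(boundary: str, fields: dict) -> bytes:
    """Build a multipart/form-data body; used here only to construct samples."""
    out = b""
    for name, value in fields.items():
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        out += (value if isinstance(value, bytes) else value.encode()) + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


BOUNDARY = "----ConstructedBoundary0001"          # constructed, "----" prefix
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
GATE = "/bef7fb05c9ef6540.php"                    # gate path shape from the IOC list

# Constructed requests following the report's sequence, plus one benign upload.
SAMPLE_REQUESTS = [
    ("POST", GATE, CONTENT_TYPE, build_multipart(BOUNDARY, {"hwid": "0123ABCD", "build": "default"})),
    ("POST", GATE, CONTENT_TYPE, build_multipart(BOUNDARY, {"token": "t0k", "message": "browsers"})),
    ("POST", GATE, CONTENT_TYPE, build_multipart(BOUNDARY, {"token": "t0k", "file_name": "system_info.txt", "file": b"Network Info:\r\n"})),
    ("POST", GATE, CONTENT_TYPE, build_multipart(BOUNDARY, {"token": "t0k", "message": "done"})),
    ("POST", "/upload.php", "multipart/form-data; boundary=WebKitFormBoundaryabc", build_multipart("WebKitFormBoundaryabc", {"avatar": b"\x89PNG"})),
]


def run_samples() -> list:
    """Classify every constructed request; None means no Stealc match."""
    return [classify_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (_, uri, _, _), label in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{uri:<22} -> {label}")
```

The benign browser upload is rejected on the boundary prefix alone, which is the same discriminator the Suricata rules lean on; in a real pipeline you would feed classify_request from a proxy or Zeek HTTP log and treat a "stealc_checkin" followed by "stealc_command" labels from the same source as a single infection rather than alerting on each request, much as the second rule's threshold limits alerts per source to one per 180 seconds.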
TTPs
Sekoia.io researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs):
Tactic | Technique |
--- | --- |
Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell |
Execution | T1106 – Native API |
Execution | T1129 – Shared Modules |
Defense Evasion | T1027 – Obfuscated Files or Information |
Defense Evasion | T1027.007 – Obfuscated Files or Information: Dynamic API Resolution |
Defense Evasion | T1036 – Masquerading |
Defense Evasion | T1055 – Process Injection |
Defense Evasion | T1070 – Indicator Removal: File Deletion |
Defense Evasion | T1140 – Deobfuscate/Decode Files or Information |
Defense Evasion | T1622 – Debugger Evasion |
Credential Access | T1539 – Steal Web Session Cookie |
Credential Access | T1552.001 – Unsecured Credentials: Credentials In Files |
Credential Access | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers |
Discovery | T1012 – Query Registry |
Discovery | T1016 – System Network Configuration Discovery |
Discovery | T1057 – Process Discovery |
Discovery | T1082 – System Information Discovery |
Discovery | T1083 – File and Directory Discovery |
Discovery | T1518 – Software Discovery |
Discovery | T1614 – System Location Discovery |
Collection | T1005 – Data from Local System |
Collection | T1113 – Screen Capture |
Collection | T1119 – Automated Collection |
Collection | T1132.001 – Data Encoding: Standard Encoding |
Command and Control | T1071.001 – Application Layer Protocol: Web Protocols |
Command and Control | T1105 – Ingress Tool Transfer |
Exfiltration | T1020 – Automated Exfiltration |
Exfiltration | T1041 – Exfiltration Over C2 Channel |
IOCs
Sekoia.io researchers provided the following indicators of compromise (IOCs):
Indicator | Type | Notes |
--- | --- | --- |
185.143.223[.]136 | IP Address | C2 Server |
94.131.99[.]185 | IP Address | C2 Server |
65.109.131[.]183 | IP Address | C2 Server |
45.87.153[.]50 | IP Address | C2 Server |
179.43.162[.]94 | IP Address | C2 Server |
194.87.31[.]146 | IP Address | C2 Server |
94.142.138[.]11 | IP Address | C2 Server |
23.88.116[.]117 | IP Address | C2 Server |
95.217.143[.]99 | IP Address | C2 Server |
185.242.87[.]149 | IP Address | C2 Server |
194.4.51[.]160 | IP Address | C2 Server |
5.75.138[.]201 | IP Address | C2 Server |
185.130.46[.]214 | IP Address | C2 Server |
167.235.62[.]105 | IP Address | C2 Server |
185.247.184[.]7 | IP Address | C2 Server |
179.43.162[.]89 | IP Address | C2 Server |
91.228.225[.]46 | IP Address | C2 Server |
179.43.162[.]2 | IP Address | C2 Server |
77.246.156[.]93 | IP Address | C2 Server |
84.246.85[.]80 | IP Address | C2 Server |
185.5.248[.]95 | IP Address | C2 Server |
146.70.161[.]51 | IP Address | C2 Server |
85.239.54[.]29 | IP Address | C2 Server |
91.215.85[.]188 | IP Address | C2 Server |
77.91.124[.]7 | IP Address | C2 Server |
37.120.238[.]190 | IP Address | C2 Server |
37.220.87[.]65 | IP Address | C2 Server |
45.136.49[.]247 | IP Address | C2 Server |
45.136.50[.]69 | IP Address | C2 Server |
45.136.51[.]61 | IP Address | C2 Server |
45.144.29[.]176 | IP Address | C2 Server |
65.109.3[.]34 | IP Address | C2 Server |
94.142.138[.]48 | IP Address | C2 Server |
95.216.112[.]83 | IP Address | C2 Server |
195.74.86[.]37 | IP Address | C2 Server |
162.0.238[.]10 | IP Address | C2 Server |
666palm[.]com | URL | C2 Server |
777palm[.]com | URL | C2 Server |
aa-cj[.]com | URL | C2 Server |
fff-ttt[.]com | URL | C2 Server |
moneylandry[.]com | URL | C2 Server |
hxxp://146.70.161[.]51/273d9c8034a95cb4. | URL | C2 |
hxxp://176.124.192[.]200/bef7fb05c9ef6540.php | URL | C2 |
hxxp://179.43.162[.]2/d8ab11e9f7bc9c13.php | URL | C2 |
hxxp://185.5.248[.]95/api.php | URL | C2 |
hxxp://666palm[.]com/bca98681abf8e1ab.php | URL | C2 |
hxxp://777palm[.]com/bef7fb05c9ef6540.php | URL | C2 |
hxxp://94.142.138[.]48/f9f76ae4bb7811d9.php | URL | C2 |
hxxp://95.216.112[.]83/413a030d85acf448.php | URL | C2 |
hxxp://aa-cj[.]com/6842f013779f3d08.php | URL | C2 |
hxxp://fff-ttt[.]com/984dd96064cb23d7.php | URL | C2 |
hxxp://moneylandry[.]com/bef7fb05c9ef6540.php | URL | C2 |
hxxp://185.247.184[.]7/8c3498a763cc5e26.php | URL | C2 |
hxxps://185.247.184[.]7/8c3498a763cc5e26.php | URL | C2 |
hxxp://23.88.116[.]117/api.php | URL | C2 |
hxxp://185.5.248[.]95/c1377b94d43eacea.php | URL | C2 |
hxxp://146.70.161[.]51/58d66e64beb49702/freebl3.dll | URL | C2 |
hxxp://146.70.161[.]51/58d66e64beb49702/mozglue.dll | URL | C2 |
hxxp://146.70.161[.]51/58d66e64beb49702/msvcp140.dll | URL | C2 |
hxxp://146.70.161[.]51/58d66e64beb49702/nss3.dll | URL | C2 |
hxxp://146.70.161[.]51/58d66e64beb49702/softokn3.dll | URL | C2 |
hxxp://146.70.161[.]51/58d66e64beb49702/sqlite3.dll | URL | C2 |
hxxp://146.70.161[.]51/58d66e6 | URL | C2 |
hxxp://162.0.238[.]10/dbe4ef521ee4cc21/freebl3.dll | URL | C2 |
hxxp://162.0.238[.]10/dbe4ef521ee4cc21/mozglue.dll | URL | C2 |
hxxp://162.0.238[.]10/dbe4ef521ee4cc21/msvcp140.dll | URL | C2 |
hxxp://162.0.238[.]10/dbe4ef521ee4cc21/nss3.dll | URL | C2 |
hxxp://162.0.238[.]10/dbe4ef521ee4cc21/softokn3.dll | URL | C2 |
hxxp://162.0.238[.]10/dbe4ef521ee4cc21/sqlite3.dll | URL | C2 |
hxxp://162.0.238[.]10/dbe4ef521ee4cc21/vcruntime140.dll | URL | C2 |
hxxp://179.43.162[.]2/3461133978273cb9/freebl3.dll | URL | C2 |
hxxp://179.43.162[.]2/3461133978273cb9/mozglue.dll | URL | C2 |
hxxp://179.43.162[.]2/3461133978273cb9/msvcp140.dll | URL | C2 |
hxxp://179.43.162[.]2/3461133978273cb9/nss3.dll | URL | C2 |
hxxp://179.43.162[.]2/3461133978273cb9/softokn3.dll | URL | C2 |
hxxp://179.43.162[.]2/3461133978273cb9/sqlite3.dll | URL | C2 |
hxxp://179.43.162[.]2/3461133978273cb9/vcruntime140.dll | URL | C2 |
hxxp://185.5.248[.]95/libs/freebl3.dll | URL | C2 |
hxxp://185.5.248[.]95/libs/mozglue.dll | URL | C2 |
hxxp://185.5.248[.]95/libs/msvcp140.dll | URL | C2 |
hxxp://185.5.248[.]95/libs/nss3.dll | URL | C2 |
hxxp://185.5.248[.]95/libs/softokn3.dll | URL | C2 |
hxxp://185.5.248[.]95/libs/sqlite3.dll | URL | C2 |
hxxp://185.5.248[.]95/libs/vcruntime140.dll | URL | C2 |
hxxp://666palm[.]com/54fbf4b9ffe8c98d/freebl3.dll | URL | C2 |
hxxp://666palm[.]com/54fbf4b9ffe8c98d/mozglue.dll | URL | C2 |
hxxp://666palm[.]com/54fbf4b9ffe8c98d/msvcp140.dll | URL | C2 |
hxxp://666palm[.]com/54fbf4b9ffe8c98d/nss3.dll | URL | C2 |
hxxp://666palm[.]com/54fbf4b9ffe8c98d/softokn3.dll | URL | C2 |
hxxp://666palm[.]com/54fbf4b9ffe8c98d/sqlite3.dll | URL | C2 |
hxxp://666palm[.]com/54fbf4b9ffe8c98d/vcruntime140.dll | URL | C2 |
hxxp://777palm[.]com/2ccaf544c0cf7de7/freebl3.dll | URL | C2 |
hxxp://777palm[.]com/2ccaf544c0cf7de7/mozglue.dll | URL | C2 |
hxxp://777palm[.]com/2ccaf544c0cf7de7/msvcp140.dll | URL | C2 |
hxxp://777palm[.]com/2ccaf544c0cf7de7/nss3.dll | URL | C2 |
hxxp://777palm[.]com/2ccaf544c0cf7de7/softokn3.dll | URL | C2 |
hxxp://777palm[.]com/2ccaf544c0cf7de7/sqlite3.dll | URL | C2 |
hxxp://777palm[.]com/2ccaf544c0cf7de7/vcruntime140.dll | URL | C2 |
hxxp://94.142.138[.]48/54982f23330528c2/freebl3.dll | URL | C2 |
hxxp://94.142.138[.]48/54982f23330528c2/mozglue.dll | URL | C2 |
hxxp://94.142.138[.]48/54982f23330528c2/msvcp140.dll | URL | C2 |
hxxp://94.142.138[.]48/54982f23330528c2/nss3.dll | URL | C2 |
hxxp://94.142.138[.]48/54982f23330528c2/softokn3.dll | URL | C2 |
hxxp://94.142.138[.]48/54982f23330528c2/sqlite3.dll | URL | C2 |
hxxp://94.142.138[.]48/54982f23330528c2/vcruntime140.dll | URL | C2 |
hxxp://95.216.112[.]83/5840871afdb84f06/sqlite3.dll | URL | C2 |
hxxp://aa-cj[.]com/1b8df000d02ce631/freebl3.dll | URL | C2 |
hxxp://aa-cj[.]com/1b8df000d02ce631/mozglue.dll | URL | C2 |
hxxp://aa-cj[.]com/1b8df000d02ce631/msvcp140.dll | URL | C2 |
hxxp://aa-cj[.]com/1b8df000d02ce631/nss3.dll | URL | C2 |
hxxp://aa-cj[.]com/1b8df000d02ce631/softokn3.dll | URL | C2 |
hxxp://aa-cj[.]com/1b8df000d02ce631/sqlite3.dll | URL | C2 |
hxxp://aa-cj[.]com/1b8df000d02ce631/vcruntime140.dll | URL | C2 |
hxxp://fff-ttt[.]com/a02fc2187db8cd88/freebl3.dll | URL | C2 |
hxxp://fff-ttt[.]com/a02fc2187db8cd88/mozglue.dll | URL | C2 |
hxxp://fff-ttt[.]com/a02fc2187db8cd88/msvcp140.dll | URL | C2 |
hxxp://fff-ttt[.]com/a02fc2187db8cd88/nss3.dll | URL | C2 |
hxxp://fff-ttt[.]com/a02fc2187db8cd88/softokn3.dll | URL | C2 |
hxxp://fff-ttt[.]com/a02fc2187db8cd88/sqlite3.dll | URL | C2 |
hxxp://fff-ttt[.]com/a02fc2187db8cd88/vcruntime140.dll | URL | C2 |
hxxp://moneylandry[.]com/2ccaf544c0cf7de7/freebl3.dll | URL | C2 |
hxxp://moneylandry[.]com/2ccaf544c0cf7de7/mozglue.dll | URL | C2 |
hxxp://moneylandry[.]com/2ccaf544c0cf7de7/msvcp140.dll | URL | C2 |
hxxp://moneylandry[.]com/2ccaf544c0cf7de7/nss3.dll | URL | C2 |
hxxp://moneylandry[.]com/2ccaf544c0cf7de7/softokn3.dll | URL | C2 |
hxxp://moneylandry[.]com/2ccaf544c0cf7de7/sqlite3.dll | URL | C2 |
hxxp://moneylandry[.]com/2ccaf5 | URL | C2 |
hxxp://5.75.138[.]201/9026ac2a280e901d/softokn3.dll | URL | C2 |
hxxp://23.88.116[.]117/libs/sqlite3.dll | URL | C2 |
hxxp://185.247.184[.]7/b00dc1fe53045ca1/sqlite3.dll | URL | C2 |
hxxp://95.216.112[.]83/5840871afdb84f06/mozglue.dll | URL | C2 |
1e09d04c793205661d88d6993 | SHA256 | Standalone sample |
77d6f1914af6caf909fa2a246 | SHA256 | Standalone sample |
87f18bd70353e44aa74d3c2 | SHA256 | Standalone sample |