New “Stealc” Malware Builds on Prevalent Infostealers

New infostealer malware advertised on dark web criminal forums.

On February 20, 2023, researchers with Sekoia.io reported the technical details of a new infostealer malware advertised for sale as “Stealc” by developers on dark web criminal forums.

Context

According to the report, “The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars and Redline stealers.”

Technical Details

According to the researchers, Stealc's C2 communication follows this process:

  1. "Stealc first sends the victim's host HWID (Hardware Identifier) and build name to its C2 server, using a POST request on the server gate (name="hwid", name="build"). The server responds with the base64-encoded configuration
  2. The malware sends the command browsers to the C2 to retrieve its configuration for data collection from web browsers, using a POST request on the server gate (name="token", name="message" (browsers)). Again, the server responds with the base64-encoded configuration
  3. Using the same format, it sends the command plugins to the C2 to retrieve its configuration for data collection from web browser extensions, using a POST request on the server gate (name="token", name="message" (plugins)). The server responds with the base64-encoded configuration
  4. Stealc exfiltrates fingerprint data of the infected host, using a POST request on the server gate (name="token", name="file_name", name="file"). The file is named system_info.txt and includes information on network, system summary, user agents, installed apps and process list
  5. It downloads 7 legitimate third-party DLLs from the C2 server, using GET requests
  6. Stealc exfiltrates files one by one, using POST requests on the server gate (name="token", name="file_name", name="file"). Files collected and exfiltrated by the malware correspond to those defined in the received configuration
  7. It sends the command wallets to the C2 to retrieve its configuration for data collection from desktop cryptocurrency wallets, using a POST request on the server gate (name="token", name="message" (wallets)). Again, the server responds with the base64-encoded configuration
  8. It also sends the command files to the C2 to retrieve its configuration for the file grabber, using a POST request on the server gate (name="token", name="message" (files)). The server responds with the base64-encoded configuration
  9. Again, it exfiltrates the collected data using the same pattern as previously described in step 6 (name="token", name="file_name", name="file"). With the previous configuration, the file files\DESKTOP\SwitchSearch.txt is collected and exfiltrated by the malware
  10. Finally, Stealc obfuscated data includes the file path or the Windows Registry key related to sensitive data of Discord, Telegram, Tox, Outlook and Steam. The malware gathers the targeted files and exfiltrates them with the same pattern as described before
  11. Once the malware finishes retrieving all configurations and exfiltrating collected data, it sends the command done using a POST request on the server gate (name="token", name="message" (done))"

Detection Options

Sekoia.io researchers provided the following YARA rule:

rule infostealer_win_stealc {
    meta:
        malware = "Stealc"
        description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
        source = "SEKOIA.IO"
        reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
        classification = "TLP:CLEAR"
        hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
    strings:
        $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } // deobfuscation function
        $str01 = "------" ascii
        $str02 = "Network Info:" ascii
        $str03 = "- IP: IP?" ascii
        $str04 = "- Country: ISO?" ascii
        $str05 = "- Display Resolution:" ascii
        $str06 = "User Agents:" ascii
        $str07 = "%s\\%s\\%s" ascii
    condition:
        uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
}

Sekoia.io researchers provided the following VirusTotal Livehunt rule:

import "vt"

rule infostealer_win_stealc_behaviour {
    meta:
        malware = "Stealc"
        description = "Find Stealc sample based on characteristic behaviors"
        source = "SEKOIA.IO"
        reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
        classification = "TLP:CLEAR"
        hash = "3feecb6e1f0296b7a9cb99e9cde0469c98bd96faed0beda76998893fbdeb9411"
    condition:
        for any cmd in vt.behaviour.command_executions : (
            cmd contains "\\*.dll"
        ) and
        for any cmd in vt.behaviour.command_executions : (
            cmd contains "/c timeout /t 5 & del /f /q"
        ) and
        for any c in vt.behaviour.http_conversations : (
            c.url contains ".php"
        )
}

Sekoia.io researchers provided the following Suricata rules:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SEKOIA.IO Malware Stealc POST request: hwid, build"; \
    flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; depth:21; http.content_type; \
    content:"multipart/form-data|3B| boundary=----"; http.request_body; \
    content:"Content-Disposition: form-data|3B| name=|22|hwid|22|"; offset:26; depth:45; \
    content:"Content-Disposition: form-data|3B| name=|22|build|22|"; \
    reference:url,blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; \
    classtype:trojan-activity; sid:001; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SEKOIA.IO Malware Stealc POST request: token, message"; \
    flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; depth:21; http.content_type; \
    content:"multipart/form-data|3B| boundary=----"; http.request_body; \
    content:"Content-Disposition: form-data|3B| name=|22|token|22|"; offset:26; depth:46; \
    content:"Content-Disposition: form-data|3B| name=|22|message|22|"; \
    threshold:type limit, track by_src, seconds 180, count 1; \
    reference:url,blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; \
    classtype:trojan-activity; sid:002; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)
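As an added example (not Sekoia.io's or RH-ISAC's code), the Python below classifies captured HTTP requests by the gate exchanges listed in the Technical Details steps, applying the same checks the two Suricata rules encode: a POST to a .php gate, multipart/form-data with a boundary beginning "----", and the characteristic form field names. The field names and command keywords are those named in the report; the request bodies it builds for testing are constructed, not real traffic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Multipart field-name sets of the gate exchanges described in the report.
STAGES = {
    frozenset({"hwid", "build"}): "checkin",                    # step 1
    frozenset({"token", "message"}): "command",                 # steps 2, 3, 7, 8, 11
    frozenset({"token", "file_name", "file"}): "exfiltration",  # steps 4, 6, 9, 10
}
_DISPOSITION = re.compile(rb'Content-Disposition: form-data; name="([^"]+)"')

def multipart_field_names(body: bytes) -> List[str]:
    """Field names of a multipart/form-data body, in order of appearance."""
    return [m.decode("ascii", "replace") for m in _DISPOSITION.findall(body)]

def multipart_field_value(body: bytes, name: str) -> Optional[str]:
    """Single-line value of one multipart field, or None when it is absent."""
    m = re.search(rb'name="' + re.escape(name.encode()) + rb'"\r\n\r\n([^\r]*)', body)
    return m.group(1).decode("utf-8", "replace") if m else None

def classify_request(method: str, uri: str, content_type: str,
                     body: bytes) -> Optional[Tuple[str, Optional[str]]]:
    """Return (stage, command) when a request matches the Stealc gate pattern,
    else None: a POST to a .php gate, multipart/form-data with a boundary that
    starts with "----", and one of the field-name sets above. For a "command"
    request the command keyword is the value of the "message" field."""
    if method != "POST" or ".php" not in uri:
        return None
    if "multipart/form-data; boundary=----" not in content_type:
        return None
    stage = STAGES.get(frozenset(multipart_field_names(body)))
    if stage is None:
        return None
    command = multipart_field_value(body, "message") if stage == "command" else None
    return stage, command

def session_labels(requests) -> List[str]:
    """Ordered labels ("checkin", a command keyword, "exfiltration") for one
    session's requests, skipping those that match no stage."""
    hits = (classify_request(*req) for req in requests)
    return [cmd or stage for stage, cmd in (h for h in hits if h)]

def build_sample(fields: Dict[str, str], boundary: str = "----ConstructedBoundary") -> bytes:
    """Constructed multipart body for exercising the classifier (not real traffic)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()
```

A full session should read as "checkin", the command keywords in the order of the steps (browsers, plugins, wallets, files), the exfiltration uploads, and finally "done"; a stray single match is weaker evidence than that sequence.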

TTPs

Sekoia.io researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs):

Tactic | Technique
--- | ---
Execution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell
Execution | T1106 – Native API
Execution | T1129 – Shared Modules
Defense Evasion | T1027 – Obfuscated Files or Information
Defense Evasion | T1027.007 – Obfuscated Files or Information: Dynamic API Resolution
Defense Evasion | T1036 – Masquerading
Defense Evasion | T1055 – Process Injection
Defense Evasion | T1070 – Indicator Removal: File Deletion
Defense Evasion | T1140 – Deobfuscate/Decode Files or Information
Defense Evasion | T1622 – Debugger Evasion
Credential Access | T1539 – Steal Web Session Cookie
Credential Access | T1552.001 – Unsecured Credentials: Credentials In Files
Credential Access | T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
Discovery | T1012 – Query Registry
Discovery | T1016 – System Network Configuration Discovery
Discovery | T1057 – Process Discovery
Discovery | T1082 – System Information Discovery
Discovery | T1083 – File and Directory Discovery
Discovery | T1518 – Software Discovery
Discovery | T1614 – System Location Discovery
Collection | T1005 – Data from Local System
Collection | T1113 – Screen Capture
Collection | T1119 – Automated Collection
Collection | T1132.001 – Data Encoding: Standard Encoding
Command and Control | T1071.001 – Application Layer Protocol: Web Protocols
Command and Control | T1105 – Ingress Tool Transfer
Exfiltration | T1020 – Automated Exfiltration
Exfiltration | T1041 – Exfiltration Over C2 Channel

IOCs

Sekoia.io researchers provided the following indicators of compromise (IOCs):

