StealC malware disguised as an installer is being distributed in large quantities.
It has been confirmed that the file is downloaded from Discord, GitHub, Dropbox, and similar services. Based on earlier cases distributed in the same way, it is presumed that a malicious page disguised as the download page of a specific program leads to the download URL through several redirects.
StealC is an information-stealing malware that collects system information and steals data from browsers, cryptocurrency wallets, Discord, Telegram, and mail clients.
The malicious code and the techniques it uses are similar to those of the malware previously distributed under the guise of cracks, but the distribution site is confirmed to be different. The process by which crack-disguised malware is distributed has been covered several times on this blog; see the posts linked below.
- Beware of information-stealing malware that infects when running normal EXE files (DLL Hijacking)
- Disguising S/W downloads and distributing various types of malware
This campaign was unusual in that a very large number of users downloaded the file within a short period. It is highly likely that the file was disguised as a program that is well known in Korea.
The following two samples are the most widely distributed and are still in circulation today. Their file names are “setup_2024.008.20534_win64_86.exe” and “Setup_21.4_win64_86”, respectively. If the file name is changed, no malicious behavior occurs; this check is intended to evade analysis environments such as sandboxes.
When the malware runs, it downloads a PNG file from an image hosting site. Encoded malicious data is inserted in the middle of the PNG's image data. Each sample carried three different site addresses, and the files downloaded from each site were identical.
Decoding the data inside the PNG file yields the shellcode and the file binaries needed for the malicious actions. When this shellcode runs, it goes through file creation, execution, and several injection steps, and finally the StealC information-stealing malware is executed.
In this process, legitimate child processes from SysWOW64 (netsh.exe, more.com) and legitimate AutoIt processes (WinAPIHObj.au3, DllCall.au3) created in the Temp path are executed, and the StealC malware is injected into and executed in the AutoIt process. The execution process tree is as follows.
During injection, the ntdll manual mapping technique and the Heaven’s Gate technique are used. The former manually loads ntdll.dll and calls its internal functions; the latter executes x64 instructions from a Wow64 process. Both techniques serve to bypass security products and hinder analysis.
These behavioral characteristics are identical to those of the crack-disguised malware distributed a few weeks ago. The sample distributed at that time was the Vidar information stealer, and like this sample it was disguised as an installer and used file name checking, PNG file downloading, legitimate process creation and injection, the ntdll manual mapping technique, and the Heaven’s Gate technique. The image hosting site used to download the PNG files is also the same.
At that time, a legitimate file included by default in Windows 11 (imewdbld.exe), which runs only in that OS environment, was created and injected into. As a result, only Windows 11 environments were affected, whereas the recently distributed StealC sample operates normally on earlier OS versions as well.
Vidar is also an information-stealing malware, characterized by retrieving its C2 address from account pages on platforms such as Steam and Telegram, so the C2 may change continuously.
In addition, among the crack-disguised malware distributed around 5 a.m. today, a sample with the same C2 as the StealC sample in this post was distributed. Different malware with the same operating method, and malware with different operating methods but the same C2, are continuously generated and distributed.
They are all presumed to be the work of the same attacker or of closely related actors, and they pose a constant threat to users.
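The process tree described above (an installer spawning netsh.exe and more.com from SysWOW64, then an AutoIt script run from Temp) is the kind of parent-child relationship endpoint telemetry can catch before the injected stealer runs. The following is an added example, not AhnLab's detection logic or a rule from the post: two heuristics run over a constructed set of Sysmon-style process-creation events. The events, paths, PIDs and the `interp_placeholder.exe` name are all constructed here; the post names only the .au3 script files, not the executable that runs them, and the set of "user-writable" directories is an assumption.

```python
import re

# Living-off-the-land binaries the post reports being spawned by the loader.
SUSPECT_CHILDREN = {"netsh.exe", "more.com"}
# Directories an unprivileged user can write to (assumed heuristic list).
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|public)\\", re.IGNORECASE)

# Constructed Sysmon-style process-creation events (not real telemetry).
# The executable name running the .au3 script is a placeholder; the post
# names only the script files.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 1250, "ppid": 1200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},   # benign administrative use
    {"pid": 2000, "ppid": 400,
     "image": r"C:\Users\victim\Downloads\setup_2024.008.20534_win64_86.exe",
     "cmdline": "setup_2024.008.20534_win64_86.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh.exe"},
    {"pid": 2200, "ppid": 2000, "image": r"C:\Windows\SysWOW64\more.com",
     "cmdline": "more.com"},
    {"pid": 2300, "ppid": 2200,
     "image": r"C:\Users\victim\AppData\Local\Temp\abc\interp_placeholder.exe",
     "cmdline": r"interp_placeholder.exe C:\Users\victim\AppData\Local\Temp\abc\WinAPIHObj.au3"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Return the chain of ancestor events, nearest parent first."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(parent)
        parent = by_pid.get(parent["ppid"])
    return chain


def detect(events):
    """Return (pid, reason) tuples for events matching either heuristic."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        # Rule 1: netsh.exe / more.com with an ancestor launched from a
        # user-writable directory (an installer in Downloads, a dropper in Temp).
        if name in SUSPECT_CHILDREN:
            origin = [a for a in ancestry(e, by_pid) if USER_WRITABLE.search(a["image"])]
            if origin:
                alerts.append((e["pid"], f"{name} descends from {basename(origin[0]['image'])} "
                                         f"launched from a user-writable path"))
        # Rule 2: an AutoIt script (.au3) executed from a Temp-style location.
        if re.search(r"\.au3\b", e["cmdline"], re.IGNORECASE) and \
                USER_WRITABLE.search(e["image"] + " " + e["cmdline"]):
            alerts.append((e["pid"], f"AutoIt script run from user-writable path: {e['cmdline']}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign netsh.exe launched from cmd.exe under explorer.exe is not flagged because nothing in its ancestry runs from a user-writable path; the two SysWOW64 children of the downloaded installer and the .au3 execution from Temp are. Rule 1 walks the full ancestry rather than only the direct parent so that an intermediate legitimate process (more.com here) does not break the link back to the installer.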
- d58a6009dec024aee176df38d39bc32b (Stealc MD5)
- 413aa458fb04b7ff1c455cefdb720135 (Stealc MD5)
- hxxps://mega[.]nz/file/AhEBmaBI#lyluDB_AcC4qphklfyKhGYHyJnwyRCfvX2UC-zi6YA8 (distribution site)
- hxxps://mega[.]nz/file/VWs2HKSQ#PnyLXgyDKNY1REGwFIG2D_K0Vmw8K0z_KM-aVGVEBWI (distribution site)
- hxxp://193.143.1[.]226/129edec4272dc2c8.php (Stealc C2)
As malware disguised as installation files is actively distributed, caution is required. When downloading an executable file, verify that the site is the official website domain, and do not run files downloaded from untrustworthy links.
AhnLab detects the malware samples described in this post as follows.
[IOC Information]
- StealC
- MD5
c935f54929475d06b6d11c746ac64156 (setup_2024.008.20534_win64_86.exe)
d3bbe6f53dec9b65400f6477fb7ad697 (Setup_21.4_win64_86)
- URL
hxxps://i.ibb[.]co/FxjS8cy/1492239061.png (PNG)
hxxps://gcdnb.pbrd[.]co/images/ZZsYr33PtdW0.png?o=1 (PNG)
hxxps://pixeldrain[.]com/api/file/Qutj1LyJ (PNG)
hxxps://iili[.]io/JV2qk2p.png (PNG)
hxxps://gcdnb.pbrd[.]co/images/eZYxpEiX6alk.png?o=1 (PNG)
hxxp://193.143.1[.]226/129edec4272dc2c8.php (StealC)
- Diagnosis
Infostealer/Win.Stealc.C5598726
Malware.Win.Generic.R638023
- Vidar
- MD5
2c7c25d67a82fd3ab94ec5a84ce0bf9c (S3tup.exe)
56043b1a19ee26f8a1886992a4db63fd (Setap.exe)
a1a3f635d93b9326202bdad56492f68f (Setap.exe)
b226d4ea9a9532321e1b3fec2924ba61 (Setap.exe)
c7270a045c095dc78da8596c456aedd5 (Set3pCrack.exe)
e5a9d16cf0d3d545add724a27a8e8556 (Set3pCrack.exe)
- URL
hxxps://gcdnb.pbrd[.]co/images/U8847YouMZ4x.png?o=1 (PNG)
hxxps://i.ibb[.]co/pyz97pz/1094446753.png (PNG)
hxxps://gcdnb.pbrd[.]co/images/TkqrZotY6Ps8.png?o=1 (PNG)
hxxps://i.ibb[.]co/dmyD1nF/2941038318.png (PNG)
hxxps://i.ibb[.]co/c1szv4r/3351445504.png (PNG)
hxxps://i.ibb[.]co/sQxVVvz/648044317.png (PNG)
hxxps://qu[.]ax/JRUO.png (PNG)
hxxps://gcdnb.pbrd[.]co/images/v5x684hwBX2v.png?o=1 (PNG)
hxxps://qu[.]ax/BVmc.png (PNG)
hxxps://i.ibb[.]co/Qk1PrqS/2373180300.png (PNG)
hxxps://qu[.]ax/CwQB.png (PNG)
hxxps://gcdnb.pbrd[.]co/images/oXcmE8xyi8RR.png?o=1 (PNG)
hxxps://qu[.]ax/Ppkk.png (PNG)
hxxps://qu[.]ax/dpfx.png (PNG)
hxxps://37.27.36[.]6/ (Vidar)
hxxps://t[.]me/hypergog/ (Vidar)
hxxps://142.132.224[.]223:9001/ (Vidar)
hxxps://steamcommunity[.]com/profiles/76561199642171824/ (Vidar)
hxxps://65.109.172[.]49/ (Vidar)
- Diagnosis
Infostealer/Win.Vidar.R635589
Infostealer/Win.LummaC2.R635589