Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1

Context

In January 2023, through our Dark Web monitoring routine, Sekoia.io identified a new information stealer advertised as Stealc by its alleged developer, going by the handle Plymouth. The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars and Redline stealers. This information suggests that this newcomer could be a serious competitor to the popular widespread malware families mentioned above.

In early February 2023, Sekoia.io identified a new malware family when tracking infrastructures distributing information stealers. The Command and Control (C2) communications of the associated samples share similarities with those of Vidar and Raccoon. Further analysis by Sekoia.io allowed us to associate this new malware family with Stealc.

The investigation led us to discover several dozens of Stealc samples distributed in the wild, and more than 40 Stealc C2 servers, certainly an indication that this new infostealer became widespread and popular among cybercriminals distributing stealers. Sekoia.io therefore conducted an in-depth analysis of this emerging threat.

This blog post aims at presenting the activities of the Stealc’s alleged developer, a technical analysis of the malware and its C2 communications, and how to track it. We also share details on Stealc capabilities (Annex 1) and an infection chain distributing it (Annex 2).

In a follow-up blog post, we will share a write-up on the reverse engineering of Stealc to take a look at the different techniques implemented by the malware. 

A successful entry into the cybercrime market

First Stealc advertisement

On 9 January, 2023, Plymouth advertised the Stealc information stealer for the first time on XSS and BHF Russians-speaking underground forums. The threat actor published a detailed description of the new malware to list its wide stealing capabilities, the fully featured and well designed administration panel, and some technical characteristics.

By default, Stealc targets sensitive data from most used web browsers, browser extensions for cryptocurrency wallets, desktop cryptocurrency wallets and information from additional applications, including email client and messenger software. Compared to other stealers Sekoia.io analysed, the data collection configuration can be customised to tailor the malware to the customer needs.

Stealc also implements a customisable file grabber, allowing its customers to steal files matching their grabber rules. The stealer also has loader capabilities that would be usually expected for an information stealer sold as a Malware-as-a-Service (MaaS). A complete list of Stealc capabilities is shared in Annex 1.

The administration panel is also fully featured and allows its users (i.e. threat actors distributing the stealer), to:

• set up the malware configuration;
• parse, display, filter, sort and analyse the stolen data;
• download the logs (stolen data) with several options.

Sekoia.io observed that logs handling is a key feature for all information stealers entering the MaaS market. Threat actors are likely to sell the stolen data on logs marketplace and therefore need to download it in a personalised way. In addition, they need to identify and extract the valuable credentials and files from the large amounts of collected data. Thus, we assess Plymouth, the Stealc presumed developer, almost certainly dedicated a great effort to develop the administration panel on sorting and downloading logs features.

Plymouth’s activity carried out in a professional manner

After the first publication on 9 January, 2023 on XSS and BHF, Plymouth continued to advertise its infostealer to reach a larger audience on additional channels, including Exploit hacking forum and Telegram messaging application.

To gain the trust of potential customers, developers often offer free malware tests to cybercrime forum users to collect reviews and possibly positive feedback on their product. This is considered as a guarantee of quality, similarly to a Bitcoin deposit on a cybercrime forum. On some forums, it is even required to make a deposit or have relevant feedback from an administrator, moderator or experienced user to sell a product or service.

As shown in the following figure, Plymouth fulfils both: a 0.02 Bitcoin deposit (around $400 at the time of deposit), and free weekly tests offered to XSS users. We assess with high confidence that its alleged developer quickly established itself as a reliable threat actor, and its malware gained the trust of cybercriminals dealing with infostealers.

In addition, Plymouth released several versions of Stealc and published changelogs on different forums, as well as on a dedicated Telegram channel (hxxps://t[.]me/stealc_changelog). The changelogs introduce new features and bug fixes. Main changes for each release are listed in the following figure.

Plymouth’s publications and observed activities indicate that Stealc is under ongoing development with new features added on a weekly basis. While the stealer is already functional and adopted by several threat actors, the developer continues to improve both malware and administration panels, likely to expand its customer base.

Technical analysis

Before analysing Stealc’s execution process and C2 communications, we present how we associate the new malware family with the malware advertised by Stealc.

Malware sample association

In early February 2023, Sekoia.io analysts found a sample of an unknown malware by investigating an infrastructure typically used to distribute stealers (SHA256: a2465fc5059ea57c7b64b1dc01caf8735422a005ddb7fabeddfa3cbc89085ccf, https://tria.ge/230212-pkc69adh37). The sample execution raises two specific characteristics:

• The download of a legitimate third-party DLLs, already observed being abused by stealers (sqlite3.dll, freebl3.dll, mozglue.dll, msvcp40.dll, nss3.dll, softokn3.dll and vcruntime140.dll);
• The execution of a command deleting all DLLs in C:ProgramData.

From these behaviours, we pivoted on dozens of samples that appear to belong to the same malware family using the following query on VirusTotal:

behaviour:"C:ProgramData*.dll" behaviour:"timeout /t 5" behaviour:"sqlite3.dll"

The results returned standalone samples of about 80KB (SHA256: 77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d), we analysed it in depth to corroborate the association of this new malware family to Stealc. Here is a summary of the association of Stealc features as advertised by Plymouth and sample features observed by Sekoia.io.

Based on this comparative table, Sekoia.io analysts assess this new malware family found in the wild matches Stealc infostealer with high confidence.

Technical overview of Stealc sample

Sekoia.io reverse engineered Stealc and will publish an in-depth analysis to share further details. In the meantime, here is an overview of the main steps of Stealc execution.

Once executed, Stealc deobfuscates all its RC4-encrypted and base64-encoded strings. It then compares the system date to the hardcoded date in the obfuscated strings. If the execution occurs after the hardcoded date, the malware stops. This check is likely implemented by the stealer developer to limit the customer’s activity to the licence validity period. 

Stealc also checks for virtual or sandbox environments by comparing the machine name to HAL9TH and the user name to JohnDoe, solely used by Microsoft Defender emulator.

The malware dynamically loads the different WinAPI functions using LoadLibrary and GetProcAddress, and initiates the communication to its C2 server. Here is a step-by-step analysis of the malware communication:

1. Stealc first sends the victim’s host HWID (Hardware Identifier) and build name to its C2 server, using a POST request on the server gate (name=”hwid”, name=”build”). The server responds with the base64-encoded configuration, such as:

2. The malware sends the command browsers to the C2 to retrieve its configuration for data collection from web browsers, using a POST request on the server gate (name=”token”, name=”message” (browsers)). Again, the server responds with the base64-encoded configuration, such as:

3. Using the same format, it sends the command plugins to the C2 to retrieve its configuration for data collection from web browser extensions, using a POST request on the server gate (name=”token”, name=”message” (plugins)). The server responds with the base64-encoded configuration, such as:

4. Stealc exfiltrates fingerprint data of the infected host, using a POST request on the server gate (name=”token”, name=”file_name”, name=”file”). The file is named system_info.txt and includes information on network, system summary, user agents, installed apps and process list.
5. It downloads 7 legitimate third-party DLLs from the C2 server, using GET requests, in the following order:
   • sqlite3.dll
   • freebl3.dll
   • mozglue.dll
   • msvcp40.dll
   • nss3.dll
   • softokn3.dll
   • vcruntime140.dll
6. Stealc exfiltrates files one by one, using POST requests on the server gate (name=”token”, name=”file_name”, name=”file”). Files collected and exfiltrated by the malware correspond to those defined in the received configuration, such as (for a victim host having Mozilla Firefox installed):
   • historyMozilla Firefox_*.default-release.txt
   • autofillMozilla Firefox_*.default-release.txt
   • cookiesMozilla Firefox_*.default-release.txt
     
7. It sends the command wallets to the C2 to retrieve its configuration for data collection from desktop cryptocurrency wallets, using a POST request on the server gate (name=”token”, name=”message” (wallets)). Again, the server responds with the base64-encoded configuration, such as:

8. It also sends the command files to the C2 to retrieve its configuration for the file grabber, using a POST request on the server gate (name=”token”, name=”message” (files)). The server responds with the base64-encoded configuration, such as:

9. Again, it exfiltrates the collected data using the same pattern as previously described in step 6 (name=”token”, name=”file_name”, name=”file”). With the previous configuration, the file filesDESKTOPSwitchSearch.txt is collected and exfiltrated by the malware.
10. Finally, Stealc obfuscated data includes the file path or the Windows Registry key related to sensitive data of Discord, Telegram, Tox, Outlook and Steam. The malware gathers the targeted files and exfiltrates then with the same pattern as described before.
11. Once the malware finishes retrieving all configurations and exfiltrating collected data, it sends the command done using a POST request on the server gate (name=”token”, name=”message” (done)).

Stealc C2 communications are verbose when the infected host has multiple web browsers, extensions, desktop wallets or files matching the collection configuration.

Once the data collection process is done, the malware removes itself and the downloaded DLL files from the compromised host by executing the following command:

Tracking Stealc in its many forms

Standalone samples

An efficient way to detect the Stealc standalone samples consists in writing a YARA rule on the specific strings which are not obfuscated (those which were added in the v1.2.0 Stealc release).

For this purpose, we compare the common strings embedded in all the Stealc standalone samples. Here are the characteristic strings included in all standalone samples:

We can also sign the malware function that loops over the obfuscated strings to deobfuscate them. A YARA rule based on both methods is shared in IoCs & Technical Details.

Packed samples

YARA signatures based on the malware strings or functions are not efficient when the sample is packed using a commercial packer, a custom loader, embedded in a shellcode, or else. In that scenario, dynamic detection is a valid option.

To this end, we can use a YARA rule for VirusTotal Livehunt to detect the specific commands executed by Stealc or the specific C2 communications, including:

As we did above to pivot on this malware family, we can correlate these specific behaviours in a YARA rule using VirusTotal Livehunt. A YARA rule is shared in IoCs & Technical Details.

C2 servers

Tracking the Stealc C2 servers can be done using the HTTP and HTML default responses which seem to be characteristic. Most of the scanned C2 servers responds an HTTP 200 status code with an HTML page containing a “404 Forbidden” Apache server on the port 80, as shown below:

To confirm that a server matching this specific HTML response and an HTTP 200 status code corresponds to a Stealc C2 server, we can scan some URIs opened on Stealc servers, such as “/modules/” and “/index.php/”.

At the time of writing, Sekoia.io found 35 active servers associated with Stealc C2 with high confidence (listed below in IoCs & Technical Details), and more than 40 Stealc samples.

Conclusion

Stealc is another fully featured infostealer sold as a MaaS which emerged on underground forums in early 2023. Plymouth drew on the today’s trendy infostealers on the market (Vidar, Raccoon, Redline and Mars) to develop a malware that quickly became popular among Russian-speaking cybercriminals.

Since customers of the Stealc MaaS own a build of its administration panel to host the stealer C2 server and generate stealer samples themselves, it is likely that the build will leak into the underground communities in the medium term. For that matter Sekoia.io further assess the Plymouth business possibly will not be viable over several years, as Vidar or Raccoon projects are. However, it is likely that a cracked version of the Stealc build may be released in the future which may be used for many years to come.

However, we expect that the Stealc infostealer will become widespread in the near term, as multiple threat actors add the malware to their arsenal while it is poorly monitored. Companies facing stealer compromise need to be aware of this malware.

To provide our customers with actionable intelligence, Sekoia.io analysts will continue to monitor emerging and prevalent infostealers, including Stealc.

Annex

Annex 1 – Stealc capabilities

Targeted web browsers

Targeted browser extensions

Targeted desktop cryptocurrency wallets

Annex 2 – A Stealc’s infection chain

Sekoia.io observed an infection chain distributing Stealc, that consists in the following steps:

1. YouTube videos on stolen accounts describing how to install a cracked software for free and providing a link (hxxps://rcc-software[.]com/services);
2. From the link provided in the YouTube video, the victim can access a “cracked software catalogue” website;
3. The payload embeds Stealc infostealer. The user downloads it, decompresses the archive using the password 55555 and executes the file “setup.exe” (hxxps://streetlifegaming[.]com/wp-content/uploads/2023/02/Pass_55555_Setup.rar);
4. Stealc communicates to its C2 on 37.220.87[.]65 (https://tria.ge/230212-pkc69adh37).

IoCs & Technical Details

IoCs

The list of IoCs is available on Sekoia.io github repository.

Stealc C2 servers

Stealc C2 URLs

Stealc SHA256 (standalone samples)

More IoCs are available in the Sekoia.io Intelligence Center.

YARA rules

YARA rules are available on Sekoia.io github repository.

Static detection

rule infostealer_win_stealc {
   meta:
       malware = "Stealc"
       description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
       source = "SEKOIA.IO"
       reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
       classification = "TLP:CLEAR"
       hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"

   strings:
       $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function

       $str01 = "------" ascii
       $str02 = "Network Info:" ascii
       $str03 = "- IP: IP?" ascii
       $str04 = "- Country: ISO?" ascii
       $str05 = "- Display Resolution:" ascii
       $str06 = "User Agents:" ascii
       $str07 = "%s%s%s" ascii

   condition:
       uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
}

Dynamic detection using VirusTotal Livehunt

import "vt"

rule infostealer_win_stealc_behaviour {
   meta:
       malware = "Stealc"
       description = "Find Stealc sample based characteristic behaviors"
       source = "SEKOIA.IO"
       reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
       classification = "TLP:CLEAR"
       hash = "3feecb6e1f0296b7a9cb99e9cde0469c98bd96faed0beda76998893fbdeb9411"

   condition:
       for any cmd in vt.behaviour.command_executions : (
           cmd contains "*.dll"
       ) and
       for any cmd in vt.behaviour.command_executions : (
           cmd contains "/c timeout /t 5 & del /f /q"
       ) and
       for any c in vt.behaviour.http_conversations : (
           c.url contains ".php"
       )
}

Suricata rules

Suricata signatures are available on Sekoia.io github repository.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SEKOIA.IO Malware Stealc POST request: hwid, build"; 
flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; depth:21; http.content_type; 
content:"multipart/form-data|3B| boundary=----"; http.request_body; content:"Content-Disposition: form-data|3B| name=|22|hwid|22|"; 
offset: 26 ; depth: 45; content:"Content-Disposition: form-data|3B| name=|22|build|22|"; reference:url, 
blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; 
classtype:trojan-activity; sid:001; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SEKOIA.IO Malware Stealc POST request: token, message"; 
flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; depth:21; http.content_type; 
content:"multipart/form-data|3B| boundary=----"; http.request_body; content:"Content-Disposition: form-data|3B| 
name=|22|token|22|"; offset: 26 ; depth: 46; content:"Content-Disposition: form-data|3B| name=|22|message|22|"; 
threshold: type limit, track by_src, seconds 180, count 1; reference:url, 
blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; 
classtype:trojan-activity; sid:002; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)

MITRE ATT&CK TTPs

Discover a demo of our XDR platform

Thank you for reading this blogpost. You can also consult other results of surveys carried out by our analysts on the ecosystem of infostealers :

Source: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Views: 0