Cybersixgill recently observed a new stealer called Stealc on multiple underground forums. Built on established stealers such as Vidar and Raccoon, the malware boasts powerful capabilities that increase the threat of credential theft and fraud.
A new information stealer malware called Stealc is taking the underground by storm and gaining popularity among cybercriminals. Described as a full-featured, ready-to-use stealer[1], Stealc was developed based on other popular stealer malware, such as Vidar[2], Raccoon[3], Mars[4], and RedLine[5]. According to security researchers, more than 40 samples of Stealc were shared in the wild, along with 35 related Command & Control (C2) servers, indicating its rapid ascent in the cybercriminal community. Written in the C programming language, Stealc can extract sensitive information from various applications, including web browsers, email clients, messaging apps, and even cryptocurrency wallets. Threat actors can use this data to commit cyber attacks, network intrusions, and fraud.
Moreover, the stealer offers a customizable extraction module, which users can configure to extract specific files, and it also incorporates loader capabilities to deliver additional payloads on compromised devices. Security researchers have assessed with a high degree of confidence that Stealc's apparent creator had already established a reputation as a trustworthy threat actor on the underground. Accordingly, Stealc appears to have quickly earned the trust of cybercriminals who use stealers on a regular basis.
HOW IT WORKS
Stealc is deployed on victims’ systems through various distribution channels, including malicious YouTube videos posted from compromised accounts, leading to a website promoting pirated software ("rcc-software[.]com").
Since Stealc gives users access to an administration panel built to operate the stealer's C2 server and create their own samples, it would not be surprising to see this build eventually leaked on the underground. While various stealer malware already exists, Stealc's features make it a valuable new addition to the cybercriminal landscape. Security professionals should thus keep a close eye on this new addition to the stealer category.
Cybersixgill observed Stealc generating significant buzz among cybercriminals, including a post on a notorious Russian-language cybercrime forum advertising the new stealer. The ad was posted by a Russian-speaking threat actor observed advertising Stealc on multiple other cybercriminal forums.
In the February 11, 2023 post below, the forum member introduced Stealc and claimed to be one of its developers, acknowledging reliance on other popular stealers during the malware’s creation. Among Stealc’s key features, according to the forum member, is its ability to pull all listings of browsers, web plugins, and cryptocurrency wallets from their management servers. Moreover, the database collection of required browsers, web plugins, and wallets can be modified without affecting the stealer build.
Another one of Stealc's critical features is that it does not create archives on the client side; instead, each stolen file is sent to the operator's C2 server in a separate request. This ensures that even if a victim's antivirus solution detects malicious behavior at runtime, portions of the stolen data will already have reached the server.
Among the data Stealc collects by default is sensitive information from over 23 web browsers, over 70 plugins, more than 15 desktop wallets, instant messenger applications (Telegram, Discord, TOX, Pidgin), and email clients (Microsoft Outlook, Thunderbird), among other sources. The forum member also shared additional Stealc-supported features and screenshots of successful credential extractions, as depicted in the image below.
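The "one request per stolen file" behavior described above has a network-side signature a defender can look for: a burst of many small POST requests from one client to one destination within seconds. The following detector is an added example written for this article, not code from Cybersixgill or from Stealc itself. The proxy log format, the field order, the sample log lines and every threshold are assumptions; adjust them to the environment.

```python
"""Detect the 'one request per stolen file' exfiltration pattern in proxy logs.

Added example, not code from Cybersixgill or from Stealc. The report says the
stealer sends each stolen file to the operator's server in a separate request
instead of archiving first, so on the wire an infection looks like a burst of
many small POSTs from one client to one destination. The log format, the field
order and every threshold below are assumptions to be tuned locally.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; tune to the environment rather than treating them as fixed.
WINDOW = timedelta(seconds=60)      # the burst must fit inside this span
MIN_REQUESTS = 8                    # ...and contain at least this many POSTs
MAX_BODY_BYTES = 64 * 1024          # per-file uploads (cookie DBs, wallet files) are small

# Assumed log format: "<ISO timestamp> <src_ip> <method> <dst_host> <status> <req_bytes>"
# Constructed sample: 10.0.0.5 sprays small POSTs at one host; everything else is benign
# (a large single upload, a GET, and a low-rate API client spread over an hour).
SAMPLE_LOG = """\
2023-02-15T09:00:00 10.0.0.9 POST api.example.com 200 512
2023-02-15T09:20:00 10.0.0.9 POST api.example.com 200 498
2023-02-15T09:40:00 10.0.0.9 POST api.example.com 200 530
2023-02-15T10:00:00 10.0.0.5 POST 203.0.113.10 200 4096
2023-02-15T10:00:01 10.0.0.5 POST 203.0.113.10 200 1890
2023-02-15T10:00:02 10.0.0.5 POST 203.0.113.10 200 20480
2023-02-15T10:00:03 10.0.0.7 POST files.example.com 200 52428800
2023-02-15T10:00:04 10.0.0.5 POST 203.0.113.10 200 3072
2023-02-15T10:00:05 10.0.0.5 POST 203.0.113.10 200 9216
2023-02-15T10:00:06 10.0.0.7 GET  www.example.com 200 0
2023-02-15T10:00:07 10.0.0.5 POST 203.0.113.10 200 1024
2023-02-15T10:00:08 10.0.0.5 POST 203.0.113.10 200 2560
2023-02-15T10:00:10 10.0.0.5 POST 203.0.113.10 200 768
2023-02-15T10:00:11 10.0.0.5 POST 203.0.113.10 200 12288
2023-02-15T10:00:13 10.0.0.5 POST 203.0.113.10 200 640
2023-02-15T10:00:20 10.0.0.9 POST api.example.com 200 501
2023-02-15T10:00:40 10.0.0.9 POST api.example.com 200 505
2023-02-15T10:00:50 10.0.0.9 POST api.example.com 200 499
"""


@dataclass(frozen=True)
class Finding:
    src_ip: str
    dst_host: str
    requests: int          # small POSTs inside the densest window
    first_seen: datetime
    last_seen: datetime


def parse_line(line):
    """Split one log line into typed fields (assumed six-field format)."""
    ts, src, method, host, status, req_bytes = line.split()
    return datetime.fromisoformat(ts), src, method, host, int(status), int(req_bytes)


def find_exfil_bursts(log_text, window=WINDOW, min_requests=MIN_REQUESTS,
                      max_body=MAX_BODY_BYTES):
    """Return one Finding per (client, destination) pair whose densest window of
    small POSTs contains at least min_requests entries."""
    posts = defaultdict(list)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, method, host, _status, size = parse_line(raw)
        if method == "POST" and size <= max_body:
            posts[(src, host)].append(ts)

    findings = []
    for (src, host), times in posts.items():
        times.sort()
        j, best_i, best_count = 0, 0, 0
        for i in range(len(times)):
            # Two-pointer sliding window: j is the last index still inside window of i.
            if j < i:
                j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count > best_count:
                best_i, best_count = i, count
        if best_count >= min_requests:
            findings.append(Finding(src, host, best_count,
                                    times[best_i], times[best_i + best_count - 1]))
    return sorted(findings, key=lambda f: (f.src_ip, f.dst_host))


if __name__ == "__main__":
    for f in find_exfil_bursts(SAMPLE_LOG):
        print(f"{f.src_ip} -> {f.dst_host}: {f.requests} small POSTs "
              f"between {f.first_seen.time()} and {f.last_seen.time()}")
```

The size cap matters as much as the rate: a single large POST (the 50 MB upload from 10.0.0.7) is ordinary file sharing, and a steady low-rate API client (10.0.0.9) never reaches the request threshold inside any 60-second window, so only the spraying client is reported. In production the same logic would run on a streaming proxy or EDR network feed, with the thresholds calibrated against a baseline of that environment's normal POST rates.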
The forum member offered the following subscription-based pricing model: (1) a monthly license for $200, (2) a three-month license for $500, and (3) a six-month license for $800. The forum member also promised high-quality support for all issues, assistance in installing and configuring the software, and a “friendly adviser” service for customers’ additional projects.
The forum member directed potential customers to reach out via private message, Telegram, Jabber, or TOX, offering to use a guarantor for purchases. In response, another forum member vouched for Stealc’s capabilities.
Figure 1: A Russian cybercrime forum member promotes Stealc
Figure 2: Screenshot of successful email credentials stolen by Stealc
Stealc is gaining popularity at an alarming rate, sparking concern in the security industry; given its capabilities, it is a potential competitor to other established stealers. Stealc can allegedly extract sensitive information from a broad range of applications, including web browsers, email clients, messaging apps, and cryptocurrency wallets.
In light of Stealc's recent emergence and the existence of other powerful stealers, organizations must protect against such threats by implementing multi-factor authentication (MFA) on all login portals, maintaining up-to-date security software, and avoiding downloads from untrustworthy websites. Because stealers also harvest session cookies, MFA alone does not stop an attacker from replaying an already-authenticated session; a suspected infection should be followed by revoking active sessions and rotating the affected credentials. When file execution from questionable sources cannot be avoided, running programs in an isolated environment, such as a sandbox or virtual machine, is essential to protect against malicious software designed to steal sensitive data.
[1] As its name implies, stealer malware steals sensitive information from infected computers, including login credentials, financial information, session cookies, and information from other programs and websites used by victims. Stealers can be dropped via phishing emails, malicious and/or compromised websites, cracked software, or as part of supply chain attacks.
[2] Vidar is a stealer malware that scrapes credit card numbers, passwords, digital wallets, and other forms of data.
[3] Raccoon stealer malware gathers victims' personal information, including passwords, browser cookies and autofill data, as well as crypto wallet details. Additionally, Raccoon stealer records system information, such as IP addresses and geolocation data.
[4] Mars stealer is a data-stealing malware-as-a-service that cybercriminals rent to launch their own attacks. The malware itself is often distributed as email attachments, through malicious ads, and bundled with torrented files on file-sharing sites.
[5] RedLine is a stealer malware distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients.