Stealc, A New InfoStealer Based on Vidar and Raccoon

Stealc, A New InfoStealer Based on Vidar and Raccoon

VTA-00436 – Stealc, A New InfoStealer Based on Vidar and Raccoon

Researchers have discovered a new information stealer advertised as Stealc which is being promoted by its alleged developer, Plymouth in the dark web. Stealc is presented as a fully featured and ready-to-use stealer and is based upon commonly used stealers like Vidar, Raccoon, Mars and Redline stealers. It was first seen on 9 January, 2023, when the alleged developer, Plymouth posted an advertisement about the Stealc information stealer on XSS and BHF Russians-speaking underground forums.

In its default setting, Stealc is able to extract sensitive data from most used web browsers, browser extensions for cryptocurrency wallets, desktop cryptocurrency wallets and also other applications like email client and messenger software. It is also advertised as being possible to extract specific data which is tailored to the customer needs. This is due to the implementation of customizable file grabber, which allows the customers to set which files they want to steal.

During the execution of the Stealc malware, it will deobfuscate all its RC4-encrypted and base64-encoded strings. Then, it will check whether the license is still valid through comparing the hardcoded date in the obfuscated string. Immediately after, it will compare the machine name to HAL9TH and user name to JohnDoe, which are used by Microsoft Defender Emulator. The malware dynamically loads the different WinAPI functions using LoadLibrary and GetProcAddress, and initiates the communication to its C2 server.

The stealer works by fetching multiple configurations for stealers from the C2 server, using a POST request, which then receives a base64-encoded configuration, which has details on what to extract. Then, it will download 7 legitimate third-party DLLs from the C2 server using GET request, these are, sqlite3.dll, freebl3.dll, mozglue.dll, msvcp40.dll, nss3.dll, softokn3.dll, vcruntime140.dll. After doing so, it will start to exfiltrate the data one by one, also through a POST request. It is also able to steal from the Windows Registry key, stealing sensitive data of Discord, Telegram, Tox, Outlook and Steam.

The Stealc stealer is very flexible as the the customer can configure the malware to steal specific data, and the administrator control panel is also packed with features like setting up the malware configuration, parse, display, filter, sort and analyze stolen data, and download the stolen data. Lastly, after the malware finishes the exfiltration, it will automatically remove itself and the downloaded DLL files from the compromised host.


Attack Surfaces:
Endpoint OS, Web Browser

Collection, Command and Control, Defense Evasion, Exfiltration

Process Injection, Windows Command Shell, Standard Encoding, Credentials from Web Browsers,  Screen Capture, Masquerading, Process Discovery, Native API, System Network Configuration Discovery, Query Registry, Obfuscated Files or Information, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Credentials In Files, Web Protocols, Shared Modules, Indicator Removal on Host, Steal Web Session Cookie, Data from Local System, Exfiltration Over C2 Channel, System Location Discovery, Automated Collection, Software Discovery, Automated Exfiltration, File and Directory Discovery, System Information Discovery

Active Defense Tactics
Detect, Disrupt

Active Defense Techniques
Baseline, Network Monitoring, Software Manipulation, Standard Operating Procedure

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1. Adding the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC to create a custom rule to block the respective File Hashes and Hostname.
2. Enable auto-updates to ensure software/program is always up to date.
3. Antimalware tool should be deployed and regularly updated.
4. IDS/IPS should be configured properly.

Contributed by:  Aman

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>