Rewterz Threat Alert – “Stealc” – An Information Stealer Malware – Active IOCs

Severity

High

Analysis Summary

Stealc is a new malware that was first marketed by an actor named Plymouth on the XSS and BHF Russian-speaking underground forums on January 9, 2023. The malware is written in C and has capability to steal data from web browsers, crypto wallets, email clients, and messaging apps. It is also equipped with a customizable file grabber that allows buyers to tailor the module to siphon files of interest. Stealc implements loader capabilities to deploy additional payloads.

According to researchers, Stealc quickly established itself as a reliable threat actor, and its malware gained the trust of cybercriminals dealing with information stealers. The malware is being distributed through various vectors, including YouTube videos posted from compromised accounts that link to a website peddling cracked software.

• Stealc stealer on XSS

“Since customers of the Stealc MaaS own a build of its administration panel to host the stealer C2 server and generate stealer samples themselves, it is likely that the build will leak into the underground communities in the medium term,”

SEKOIA predicts that the Stealc malware administration panel, which customers of the malware-as-a-service own, will likely leak into underground communities in the medium term. Antivirus vendor Avast lists Stealc as a new addition to the list of most prevalent stealer malware strains, which includes FormBook, Agent Tesla, RedLine, LokiBot, Raccoon, Snake Keylogger, and Arkei (along with its fork Vidar), during Q4 2022.

The discovery of Stealc highlights the ongoing threat posed by information-stealing malware and the importance of remaining vigilant against cyber threats. Individuals and organizations should take proactive steps like using strong passwords and two-factor authentication, regularly updating software and security tools, and being cautious when opening emails or downloading files from unknown sources. It is also important to use antivirus software and other security tools to detect and prevent malware infections.

Impact

• Data Exfiltration
• Credential Theft
• Information Theft
• Financial Loss

Indicators of Compromise

MD5

• 066c9b396600ed176c51b68e1880c7de
• 7ad1f4cf71bd328815108bb4d6a993df
• 84b3cb593bbe32f22e12235086c71cac
• e6ecd31765e348344cd650bb2297e527

SHA-256

• f2b4c728867bcc659b1f180783aa3c748f2ee95f0d2f6ed2fdc13869b1b9f0ff
• 06c6faf5b7bdac61e43a64b8e71a53bf7467acafabb460733866a9eab4540109
• 790eeb5febfc4bcc7aa3b14c3dcd81a4fbd00bf727f0c0cd9623e4d3179fad94
• 320392e748f8128753b6c297ac2beedb2e1fd1d0a3fefddbc212b8a13cceb507

SHA-1

• 8c432cf962b267cfea9abd55c743c3bf6967492b
• 04641db5dab71676f8ea120fd1629b38fc5ca9d4
• ee1a58156ede697ace604902e2a7bf1b0d2fe670
• 7710b7f29c77c22fec6fa5d95573b210ccefd8b7

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets