Introducing Stealc, a New Infostealer

Plymouth released multiple iterations of Stealc on a Telegram channel.
Stealc, a new data stealer that has emerged on the dark web, is gaining popularity largely due to heavy marketing of its theft capabilities and its resemblance to related malware families such as Vidar, Raccoon, Mars, and Redline.

In January 2023, researchers at SEKOIA.IO came across a brand-new information stealer called Stealc that was being marketed on dark web forums. The infostealer was created by a threat actor going by the handle Plymouth, who claims it supports a broad range of stealing capabilities.

Stealc has been promoted on hacker forums by a user going by the handle "Plymouth," who described the malware as having strong data-stealing abilities and a simple administrative interface. Plymouth released multiple iterations of Stealc and shared changelogs on various message boards and a dedicated Telegram channel.

In February, specialists discovered several Stealc samples in the wild; these samples resembled Raccoon and Vidar. SEKOIA found more than 40 Stealc C2 servers, indicating the malware's growing adoption among cybercriminals who distribute stealers. This popularity may be explained by the fact that users with access to the administration panel can generate fresh stealer samples, which raises the likelihood that the malware will spread further.

Stealc's functionality

Stealc is capable of stealing private information from widely used web browsers, desktop cryptocurrency wallets, browser extensions for cryptocurrency wallets, and other software including email and instant messaging clients. In contrast to existing stealers, Stealc implements a configurable data-collection setup and supports a customizable file grabber.

Stealc gathers information from the victim's browser, extensions, and installed programs. If grabber rules are enabled, it also collects files that match those rules. After the data has been sent to the C2, the malware deletes both itself and the DLL files it downloaded from the infected system.

Attackers spread the malware via YouTube videos. Along with links to a download site, the videos offer instructions on how to install cracked software; the site is used to trick victims into downloading malware-laden software. SEKOIA published indicators of compromise (IoCs) for this threat together with YARA and Suricata rules.
