This new malware has emerged from the dark web and is after your data
Experts have warned of new information-stealing malware circulating on the dark web to garner both new customers and victims.
SEKOIA cybersecurity researchers came across multiple advertisements on various underground forums and Telegram groups promoting a new infostealer called Stealc.
Apparently, Stealc wasn't built from scratch but rather builds on other, more popular infostealers such as Vidar, Raccoon, Mars, and RedLine Stealer. It was first spotted in January 2023 and gained traction the following month.
Weekly updates
Stealc is built and advertised by a threat actor who goes by the name “Plymouth”. It is currently on version 1.3.0 and seems to be getting new tweaks and upgrades at least once a week.
Some of the newly added features include a C2 URL randomizer and an improved log search and sort system. Stealc was also observed skipping victims located in Ukraine.
After analyzing a sample of the infostealer in more depth, SEKOIA found that it uses legitimate third-party DLLs, is written in C and abuses Windows API functions, is lightweight (only 80 KB), obfuscates most of its strings with RC4 and base64, and automatically exfiltrates stolen files (requiring no action from the threat actor).
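The article only says Stealc hides its strings with "RC4 and base64"; it gives neither the key nor a sample string. As an added illustration (this is not SEKOIA's code and not code from the malware), the following shows how an analyst decodes strings layered that way once the key has been recovered from a sample: base64-decode first, then run RC4 with the key. The key `Key` and the obfuscated inputs are constructed here from the public RC4 test vector, not taken from Stealc.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    # Key-scheduling algorithm: permute the 0..255 state with the key
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: XOR each data byte with a keystream byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(plaintext: str, key: bytes) -> str:
    """Build an obfuscated string the way the article describes it: RC4, then base64.
    Used only to construct sample inputs here; the analyst-side routine is deobfuscate()."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Reverse the layering: strict base64 decode, then RC4 with the recovered key.
    Raises ValueError (binascii.Error / UnicodeDecodeError are subclasses) on bad input."""
    raw = base64.b64decode(blob, validate=True)
    return rc4(key, raw).decode("utf-8")


# Constructed inputs. Assumption: the key was already recovered from the sample.
# The first blob is the standard RC4 test vector (key "Key", plaintext "Plaintext",
# ciphertext bbf316e8d940af0ad3) after base64 encoding. Nothing here comes from Stealc.
RECOVERED_KEY = b"Key"
SAMPLE_BLOBS = [
    "u/MW6NlArwrT",
    obfuscate("Stealc 1.3.0 (constructed sample string)", RECOVERED_KEY),
    obfuscate("browsers / plugins / wallets (constructed sample string)", RECOVERED_KEY),
]


def decode_all(blobs, key: bytes) -> dict:
    """Decode every blob with one key; failures stay visible instead of being dropped,
    which matters when a sample mixes keyed strings with plain base64 or junk."""
    results = {}
    for blob in blobs:
        try:
            results[blob] = deobfuscate(blob, key)
        except ValueError as exc:
            results[blob] = f"<decode failed: {exc}>"
    return results


if __name__ == "__main__":
    for blob, text in decode_all(SAMPLE_BLOBS, RECOVERED_KEY).items():
        print(f"{blob:<70} -> {text!r}")
```

In practice the key is pulled from the unpacked sample (a static buffer or a value passed to the decryption routine) and `decode_all` is run over every base64-looking literal in the binary; strings that fail to decode or decode to non-text are the usual sign of a second key or a different encoding layer.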
SEKOIA has also discovered that Stealc can steal data from 22 web browsers, 75 plugins and 25 desktop wallets.
In addition to advertising on the dark web, Plymouth has also been using the stealer to target endpoints directly. One of the ways they do this is by publishing fake YouTube tutorials on how to crack software, with a link in the description that delivers the infostealer instead of the advertised crack.
More than 40 C2 servers have been discovered so far, leading the researchers to conclude that Stealc is becoming quite popular. Its popularity, they speculate, stems from the fact that crooks with access to the admin panel can easily generate new stealer samples, increasing its reach.
SEKOIA believes Stealc is likely to become quite popular, as it can also be used by low-skilled hackers.
Via: BleepingComputer