Researchers at Sekoia, a cyber threat intelligence company, have revealed that a new, more sophisticated information stealer called "Stealc" has been developed by a black hat known as Plymouth. They first spotted the malware in January, when it was advertised and offered for sale on hacker forums, and noticed that a free preview version was spreading quickly across the dark web.
While analysing the properties, features and characteristics of this malware, the researchers found that it shares similarities with stealers of the same family, such as Vidar, Raccoon, Mars and Redline, which are known for targeting and stealing web browser data, cryptocurrency wallet extensions and information from additional applications, including email clients and messenger software. Stealc builds on these earlier stealers, and one of its distinguishing features is a customisable file grabber that lets the operator target the specific files they wish to steal.
Plymouth, the developer, has added new features to Stealc since the first version. After analysing a captured sample, Sekoia researchers made the following findings:
- Stealc is a lightweight build of only 80KB
- uses legitimate third-party DLLs
- written in C and abusing Windows API functions
- most strings are obfuscated with RC4 and base64
- it targets 22 web browsers, 75 plugins and 25 desktop wallets
- Stealc exfiltrates the stolen data automatically.
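To illustrate the string-obfuscation finding above, here is an analyst-side helper that recovers strings protected with RC4 and base64. This is example code added here, not code from the Sekoia report or from the malware; the RC4-then-base64 layering order, the key and the sample strings are constructed assumptions for the demonstration.

```python
import base64
from typing import List, Optional


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).
    RC4 is symmetric, so one routine both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S with the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: XOR data with keystream
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate_string(plaintext: str, key: bytes) -> str:
    # Models the layering assumed in this example: RC4 first, then base64.
    return base64.b64encode(rc4_crypt(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate_string(blob: str, key: bytes) -> Optional[str]:
    # Reverse the layers; reject blobs that are not valid base64 or that do
    # not decrypt to printable text (wrong key or not a string constant).
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return None
    try:
        text = rc4_crypt(key, raw).decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


# Constructed sample data for this example only (not real Stealc artefacts).
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_STRINGS = ["https://example.invalid/gate", "browser-extension-id-placeholder"]


def recover_sample() -> List[Optional[str]]:
    blobs = [obfuscate_string(s, SAMPLE_KEY) for s in SAMPLE_STRINGS]
    return [deobfuscate_string(b, SAMPLE_KEY) for b in blobs]


if __name__ == "__main__":
    for decoded in recover_sample():
        print(decoded)
```

In a real triage the key is usually a constant recovered from the sample, and the base64 blobs come straight from its string table.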
Plymouth is the sole developer of the malware and has set up a Telegram channel where weekly change logs for new Stealc versions are published. Customers are also given access to the malware's administration panel, which lets them easily generate new Stealc samples.
The unfortunate aspect of this malware is that it is readily available on the dark web, so less experienced criminals can use it to launch sophisticated attacks at scale. Sekoia warns companies and individuals to be wary of the malware and to keep their security systems updated to avoid falling victim.