Search This Blog

Powered by Blogger.

Blog Archive

Labels

Dark Web Malware Steals Your Data

The Vidar malware spin-off is gaining a lot of momentum at the moment.

 


As the dark web seeks new customers and victims, it appears that updated versions of information-stealing malware have made their way onto it and are now circulating the dark web. 

There have been reports from cybersecurity researchers from SEKOIA that they have found content promoting a new information stealer called Stealc on several underground forums and Telegram channels. 

Unlike some other info stealers, Stealc is not built from the ground up. Instead, it is an enhanced version of others, such as Vidar, Racoon, Mars, and Redline Stealer, which are popular information stealers. In January 2023, a report of the phenomenon was first noticed, but in February 2023, it gained more attention. 

It has been reported that Stealc was developed by a threat actor called Plymouth who is trying to advertise it as an attack against the country. There appears to be a new patch or update added somewhere between once a week and once a month, and it is currently at version 1.3.0.  Several new features have been added to the website, including a randomizer for C2 URLs, and a system that allows logging searches and sorts to be improved. 

There was also a report that the Ukrainian government spared the lives of those affected by Stealc. 

The SEKOIA team was able to analyze a sample of the info stealer in more depth and discovered that it uses legitimate third-party DLLs, is written in C, exploits Windows API functions to achieve its goals, is lightweight (only 80KB), uses RC4 and base64 to obfuscate most of its strings, and automatically exfiltrates stolen files (the threat actor need not do anything to do anything). 

It was also found that Stealc was capable of stealing data from 22 web browsers, 75 plugins, and 25 desktop wallets, which was also confirmed by SEKOIA.  

Plymouth was also busily deploying it to target devices to advertise it on the dark web as well as distributing it. To do so, they create fake YouTube tutorials as well as employ other ways to make it appear like they know how to crack software. The description of the exploit also provides a link that, in place of executing the advertised crack, instead launches the info stealer in place. That's very helpful since it prevents the use of the crack itself. 

The researchers have already discovered more than 40 C2 servers, thus leading them to conclude that Stealc is gaining quite a bit of popularity in the online world. 

They speculate that the popularity of stealer samples may be because crooks that can access the admin panel can easily generate new stealer samples, therefore allowing the range of stealer samples to extend.  SEKOIA believes that Stealc is quite popular since it is suitable for a wide range of hackers, including low-level hackers.   
Share it:

Cyber Security

Cyberattack

CyberCrime

Dark Web

Infostealer

malware

Plymouth

SEKOIA