A new Malware-as-a-Service (MaaS) offering is rapidly gaining traction among cybercriminals who distribute stealers, and it is already competing with the likes of Raccoon, Vidar, and Redline. Aggressive promotion and several marketing tactics by its developer, such as free trials of the new info-stealer, called Stealc, have caught the attention of many criminals and prompted detailed analysis by security researchers.

Huge marketing push

The alleged developer of the Stealc malware, known as Plymouth, advertises Stealc as a full-fledged stealer, with a wide range of capabilities and an administration panel that provides complete control over malware configurations.
  • The malware spreads via software cracks promoted in YouTube videos posted from stolen accounts.
  • The first variant, v1.1.0, was released on January 9, while the most recent version, v1.3.0, was released on February 11.
  • The developer even maintains a changelog for each new version of the malware, describing new feature additions and bug fixes, updated almost every week.
  • Plymouth started promoting the malware on the XSS and BHF dark web forums on January 9 and continued to advertise on other platforms, including Telegram channels. XSS users are offered a free copy of the malware to test for a week.

Researchers have already identified more than 40 C2 domains and several dozen malware samples, indicating that Stealc is already gaining popularity within the cybercrime community.

Malware features

Since January, Plymouth has been continuously updating the malware, adding new features with each release.
  • Written in C, the latest variant of Stealc targets several email clients, more than 23 web browsers, over 70 web plugins, and more than 15 desktop wallets.
  • It has a lightweight build (just 80KB), and all of its strings are obfuscated using RC4 and Base64.
  • When deployed, it checks for virtual machine and sandbox environments, and it abuses legitimate third-party DLLs and Windows API functions to avoid detection.
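The string-obfuscation scheme described above (RC4, then Base64) is a common reason static string scans of a sample come back empty. The following is an added analyst-side illustration, not code from Stealc or from the researchers cited here, of how a defender recovers such strings once the RC4 key has been pulled from a sample during analysis. The key, the sample strings, and the helper names are constructed for the example.

```python
import base64
import binascii

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed with input
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def obfuscate_string(key: bytes, plaintext: str) -> str:
    """RC4-encrypt then Base64-encode; used here only to build test material."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")

def deobfuscate_string(key: bytes, blob: str) -> str:
    """Reverse the scheme: Base64-decode, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(blob, validate=True)).decode("utf-8")

def recover_strings(key: bytes, candidates: list[str]) -> list[str]:
    """Try every candidate blob with the key; keep only results that decode to
    printable text, which filters out non-Base64 junk and wrong-key garbage."""
    recovered = []
    for blob in candidates:
        try:
            text = deobfuscate_string(key, blob)
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or decryption produced non-UTF-8 bytes
        if text and text.isprintable():
            recovered.append(text)
    return recovered

# Constructed demo key and strings (hypothetical; not values from any real sample).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_PLAINTEXTS = ["sqlite3.dll", "nss3.dll", "\\Login Data"]
SAMPLE_BLOBS = [obfuscate_string(SAMPLE_KEY, s) for s in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    # Mix the constructed blobs with a non-Base64 token, as a scan of a binary would.
    for s in recover_strings(SAMPLE_KEY, SAMPLE_BLOBS + ["not_base64!!"]):
        print(s)
```

In practice the candidate list would come from extracting Base64-looking runs out of the sample and the key from the decryption routine itself; the printable-text filter is what lets an analyst try a candidate key against every blob at once and see which ones decode cleanly.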

Further, Plymouth has stated that Stealc borrows features from several other malware families, including the Vidar, Raccoon, Mars, and Redline stealers. This includes the abuse of legitimate third-party DLLs (sqlite3.dll and nss3.dll) and similar C2 communications.

Concluding notes

The Stealc info-stealer can be described as a combination of all the trendy features of already-established malware. Additionally, Plymouth is providing frequent updates and bug fixes, which further increases the likelihood of rapid adoption by cybercriminals. Experts predict that this info-stealer will soon become a widespread threat. To combat attacks from such info-stealers, organizations are advised to implement strong security controls with multi-layered visibility and security solutions.
Cyware Publisher