Stealc Malware Steals Passwords & Credit Cards From Chrome


Malware that secretly gathers private information from a victim’s computer is called an information stealer. 

They employ several techniques like Encryption, Polymorphic code, and Evasive behaviors to keep their stealth active.


Hackers use these tools for illicit purposes, including:-

  • Identity theft
  • Financial fraud
  • Unauthorized access to accounts
  • Corporate espionage
  • Financial gain
  • Selling stolen data on the dark web

Cybersecurity researcher Aziz Farghly recently analyzed an infostealer named “Stealc.” An actor known as Plymouth has promoted Stealc, a new non-resident stealer, on Russian forums since January 9, 2023, offering it as Malware-as-a-Service. Stealc has configurable data-collection settings and is developed in step with other top stealers.

Here below, we have mentioned those top stealers:-

  • Vidar
  • Raccoon
  • Mars
  • Redline

Stealc Malware Steals Passwords

Stealc efficiently exfiltrates diverse data by directly sending it to the C2 server, skipping raw file storage. This streamlined process enhances stealth and makes it a powerful tool for operations that are covert.

Initial analysis of Stealc in IDA and x64dbg showed that the disassembly was deliberately hard to follow. Stealc uses opaque predicates to complicate control flow: an unconditional JMP is replaced with a pair of conditional jumps (JZ/JNZ) whose outcome depends on a value computed at runtime, so both branches end up at the same destination.

Conditional jumps (Source – GitHub)
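The JZ/JNZ pattern described above can be spotted mechanically in a textual disassembly listing. The following is an added analyst helper, not code from the article or from Stealc: it parses a constructed listing and flags adjacent complementary conditional jumps that share a target, reporting the unconditional JMP they are equivalent to. The listing format (address, mnemonic, operands) is an assumption.

```python
import re

# One line of a textual disassembly listing, e.g. "00401008  jz   0x00401020".
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\w+)\s*(.*)$")

# Jump pairs that together cover every outcome of the preceding compare.
COMPLEMENTS = {("jz", "jnz"), ("jnz", "jz"), ("je", "jne"), ("jne", "je")}


def parse_listing(text: str):
    """Return (address, mnemonic, operand) tuples; lines that do not match are skipped."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            parsed.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return parsed


def find_opaque_jumps(listing):
    """Flag adjacent complementary conditional jumps to the same target.

    Whatever the predicate's value, control always reaches the shared target,
    so the pair behaves like a single 'jmp target' and the code that follows
    the second jump is unreachable.
    """
    hits = []
    for (addr1, mnem1, tgt1), (_addr2, mnem2, tgt2) in zip(listing, listing[1:]):
        if (mnem1, mnem2) in COMPLEMENTS and tgt1 == tgt2:
            hits.append({"address": addr1, "target": tgt1, "equivalent_to": f"jmp {tgt1}"})
    return hits


# Constructed listing (not from the sample) in the shape the article describes:
# a value is compared, then jz and jnz both lead to the same block.
SAMPLE_LISTING = """
00401000  mov  eax, [ebp-4]
00401003  cmp  eax, 0x1337
00401008  jz   0x00401020
0040100A  jnz  0x00401020
0040100C  call 0x00402000
00401020  push ebx
"""

if __name__ == "__main__":
    for hit in find_opaque_jumps(parse_listing(SAMPLE_LISTING)):
        print(f"{hit['address']:08X}: opaque predicate, equivalent to {hit['equivalent_to']}")
```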

The first dword in the decryption-wrapping function is used as the key for RC4 decryption of the malware configuration, which is initially encoded with base64.
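To recover such a configuration from a memory dump, an analyst reverses the two layers in order: base64-decode, then RC4-decrypt with the key taken from the wrapper function. The block below is an added example, not the article's or Stealc's code; the way the key dword is turned into key bytes (four little-endian bytes) and the sample key and config string are assumptions constructed for the demonstration.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); encryption and decryption are identical."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_dword(dword: int) -> bytes:
    """Assumption: the 32-bit value from the wrapper is used as four little-endian key bytes."""
    return dword.to_bytes(4, "little")


def decode_config(encoded: str, key: bytes) -> str:
    """Undo the layering the article describes: base64 on the outside, RC4 underneath."""
    return rc4(key, base64.b64decode(encoded)).decode("utf-8", errors="replace")


def encode_config(plain: str, key: bytes) -> str:
    """Inverse of decode_config; used here only to build a constructed sample."""
    return base64.b64encode(rc4(key, plain.encode())).decode()


# Constructed sample: a made-up key dword and a made-up config string.
SAMPLE_KEY = key_from_dword(0xDEADBEEF)
SAMPLE_CONFIG = "c2=www.example.invalid|build=test"
SAMPLE_ENCODED = encode_config(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_config(SAMPLE_ENCODED, SAMPLE_KEY))
```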

Stealc resolves APIs dynamically with its own GetProcAddr() routine, which walks six structures. It obtains the PEB address, follows it to the Ldr structure, and reads InLoadOrderModuleList, a linked list of the loaded modules.



Here, ntdll.dll is the first module, followed by kernel32.dll. Stealc then reads the kernel32.dll list entry and takes the module's base address from the field at offset 0x18.

In the mw_play_with_mem() function, Stealc checks for emulation with the VirtualAllocExNuma API and exits if it is being emulated. In mw_Check_system_memory(), it queries the physical memory with GlobalMemoryStatusEx and requires more than 2 GB.

Stealc then checks whether it is running under Windows Defender by comparing the computer and user names. It also exits if executed after a fixed date, determined with GetSystemTime.

It avoids infecting certain countries for political reasons by checking the system's language IDs and exiting on a match.

After the initial checks, Stealc uses OpenEventA to determine whether another instance is already running, creating a new event with a unique name if this is the first run.

Following the AV checks, API loading, and config decryption, Stealc proceeds to its normal behavior. It communicates with the C2 www[.]fff-ttt[.]com, identifying the victim machine by the serial number of the C: drive.

It generates a unique ID for each packet, communicates using InternetOpenA, and decodes responses with the Win API CryptStringToBinaryA, calling it twice (the first call only to determine the required buffer size).

Generate Packet ID (Source – GitHub)

Stealc then uses mw_parse_configuration to set up theft of the following browser databases:-

  • Chromium
  • Mozilla-based
  • Opera

It requests plugins from the C2, gathers system and hardware information, encodes the data, and downloads the sqlite3 DLL for Chrome data retrieval. After verifying the downloaded file, Stealc resolves the sqlite3 API addresses it needs to read the Chrome databases.

The C2 supplies the file names for cryptocurrency wallet and password file exfiltration. Stealc uses COM to resolve ShellLinks (.lnk shortcuts), ensuring that the original target files are the ones copied.

Stealing Abilities

Here below we have mentioned all the stealing abilities of the Stealc stealer:-

  • Logins, credit cards, cookies, and history saved in Chrome/Firefox/Opera
  • Wallet extensions installed in the above browsers
  • Local crypto wallet files
  • Files that may contain passwords
  • Files containing important secret data
  • Outlook accounts
  • Discord tokens
  • Telegram tokens
  • Steam ssfn files and configuration data
  • qTox config files
  • Pidgin config files
  • Screenshots of the victim’s machine

IOCs

sha256:- 


C2:-

