Researchers Uncover New Information Stealer 'Stealc'

A new information stealer advertised as "Stealc" has been discovered by Sekoia researchers.

Writing in an advisory published by the company on Monday, the firm's Threat & Detection Research Team said the malware's alleged developer "Plymouth" advertised it on dark web forums in January.

"The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars and Redline stealers," reads the technical write-up. "This information suggests that this newcomer could be a serious competitor to the popular, widespread malware families mentioned above."

The Sekoia team then observed the new malware family in the wild in early February, including dozens of Stealc samples and more than 40 Stealc command and control (C2) servers.

"Compared to other stealers [we] analyzed, the data collection configuration can be customized to tailor the malware to the customer needs," Sekoia wrote. "Stealc also implements a customizable file grabber [alongside] loader capabilities that would be usually expected for an information stealer sold as a Malware-as-a-Service (MaaS)."

Thanks to these capabilities, Sekoia said they believe Stealc variants will leak into the underground communities fairly soon.

"[We] assess the Plymouth business possibly will not be viable over several years, as Vidar or Raccoon projects are," reads the advisory. "However, it is likely that a cracked version of the Stealc build may be released in the future, which may be used for many years to come."

This, the researchers wrote, is due to the fact that several threat actors may add the malware to their toolkit while it is poorly monitored. Sekoia added that, at the time of writing, Stealc is particularly popular among Russian-speaking cyber-criminals.

A list of targeted web browsers, browser extensions and desktop cryptocurrency wallets, alongside details about Stealc's infection chain, is available in the Sekoia advisory.

"Companies facing stealer compromise need to be aware of this malware," the company concluded.

Sekoia's latest research comes weeks after Vidar returned to Check Point's top 10 Most Wanted Malware list.