Researchers Exploit Bug in StealC Infostealer to Collect Evidence

Security researchers have detailed how they discovered and exploited a cross‑site scripting (XSS) vulnerability in a popular infostealer, allowing them to gather crucial evidence about its back-end operations.

Ari Novick, a malware researcher at identity security specialist CyberArk, explained in a blog post that the XSS bug was found in the web panel of the StealC variant.

“Given the core business of the StealC group involves cookie theft, you might expect the StealC developers to be cookie experts and to implement basic cookie security features, such as httpOnly, to prevent researchers from stealing cookies via XSS,” he explained.

“The irony is that an operation built around large-scale cookie theft failed to protect its own session cookies from a textbook attack.”
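The defence Novick is pointing at is a response-header property, so it can be checked mechanically. The following helper is an added example, not code from CyberArk or the article: it parses Set-Cookie headers and reports which of HttpOnly, Secure and SameSite are missing or weak. The header values and the cookie name `PANELSESSID` are constructed samples, not values observed in the StealC panel.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
out of reach of injected script (HttpOnly) and off plaintext links (Secure,
SameSite). Added example; not code from the article or from CyberArk."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map.
    Flag attributes (HttpOnly, Secure) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return the hardening problems found for one Set-Cookie header (empty if none)."""
    attrs = parse_set_cookie(header)["attrs"]
    problems = []
    if "httponly" not in attrs:
        # Without HttpOnly, document.cookie hands the value to any script that runs
        # in the page, which is exactly the exposure the StealC panel had.
        problems.append("missing HttpOnly")
    if "secure" not in attrs:
        problems.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is True or samesite is None or samesite.lower() == "none":
        problems.append("SameSite absent or None")
    return problems


def audit_response(set_cookie_headers: list) -> dict:
    """Map each cookie name to its problems, keeping only cookies that have any."""
    report = {}
    for header in set_cookie_headers:
        problems = audit_cookie(header)
        if problems:
            report[parse_set_cookie(header)["name"]] = problems
    return report


# Constructed sample headers: one weak session cookie, one hardened one.
SAMPLE_HEADERS = [
    "PANELSESSID=abc123; Path=/",
    "csrf=deadbeef; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, problems in audit_response(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(problems)}")
```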

The report focused on one StealC user, dubbed “YouTubeTA,” who managed to steal 390,000 passwords and over 30 million cookies via the malware.

The XSS exploitation enabled Novick to identify certain characteristics of the threat actor’s computers, including their geolocation, and to retrieve active session cookies.

Novick claimed most of the victims were on YouTube looking for cracked versions of Adobe Photoshop and Adobe After Effects, when they unwittingly installed StealC.

“YouTubeTA was likely using StealC to take over old YouTube accounts, which they then used to promote new samples of StealC,” he explained.

By studying hardware fingerprinting, supported languages, time zones and IP addresses connected to the threat actor’s use of StealC, Novick was able to deduce several things about them.

Notably, they are using an Apple Pro device with an M3 processor supporting both English and Russian language settings, are based in the Eastern European time zone and access the internet via Ukrainian ISP TRK Cable TV.

Pros and Cons of Infostealers

Malware-as-a-service (MaaS) operations like StealC offer powerful out-of-the-box capabilities for threat actors like YouTubeTA, who was able to compromise a large group of victims in just a few months, said CyberArk.

“This is a clear demonstration of why many threat actors employ the MaaS model,” Novick continued. “By delegating much of the work to other groups, they can specialize and have a more significant impact, much like in traditional industries.”

However, by relying on such tools, threat actors also expose themselves to the same software supply chain risks as legitimate businesses.

“The StealC developers exhibited weaknesses in both their cookie security and panel code quality, allowing us to gather a great deal of data about their customers,” Novick concluded.

“If this holds for other threat actors selling malware, researchers and law enforcement alike can leverage similar flaws to gain insights into, and perhaps even reveal the identities of, many malware operators.”
