ReversingLabs analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.
In this series, we break down some of the threats behind our YARA detection rules that can help your organization detect threats within your environment.
StealC: A Tool for Russian-Speaking Cybercriminals
It can be hard to think of cybercrime as being “professional.” However, many cybercrime operations today follow the well-known software-as-a-service (SaaS) model that has made companies like Google, Zoom and Salesforce.com into household names. StealC, an information stealer (infostealer) malware, is a perfect example of malware-as-a-service (MaaS). Created by a developer using the handle “Plymouth,” the StealC infostealer is sold to interested cybercriminals on Russian-speaking cybercrime forums.
In this post, we examine how the StealC malware was created, as well as how cybercriminals have been using it to gather information from targeted systems. We also dive into the MaaS model, and the professional style that developer Plymouth used to gain approval and interest in his infostealer from the cybercrime market.
How StealC works
StealC was discovered by researchers at Sekoia.io in January 2023, and the company broke the news of this increasingly popular MaaS product a month later. Sekoia discovered the malware during a routine dark web monitoring session. Soon after, their researchers found samples of the malware in the wild that they were able to connect to the previously undiscovered StealC malware family. When these researchers dug deeper, they were able to see how widespread and popular the infostealer became in a short amount of time, with several dozen samples found in-the-wild, as well as 40 StealC command and control (C2) servers supporting them.
Developer Plymouth shared the StealC infostealer to two Russian-speaking underground forums: XSS and BHF back in early January, not long before Sekoia’s researchers found samples of it in-the-wild. Plymouth provided a description of the malware he created, its capabilities, the infostealer’s administration panel, and its technical characteristics. This allowed cybercriminals on these forums to scope out this new cybercrime tool and assess its features, such as StealC’s ability to target sensitive data from web browsers; browser extensions for cryptocurrency wallets; and information from other applications like email client and messenger software. Plymouth also advertised that StealC implements a customizable file grabber, allowing the cybercriminals who buy it to steal files from targets that match their grabber rules.
In order to determine if the new malware samples they were seeing in-the-wild were the same as StealC, Sekoia’s researchers did a comparison of the features that Plymouth advertised on the dark web with the features researchers found in the new malware samples. Their findings showed that the features advertised by Plymouth were highly similar to the features they were seeing in this new malware family, giving them high confidence that the malware family they discovered was the same as StealC.
StealC’s impact
Considering that Sekoia’s researchers were able to find dozens of malware samples that are highly similar to StealC, it’s evident that this infostealer has become a popular tool in the cybercrime market. The infostealer’s popularity can be attributed to the work that developer Plymouth put into creating it, and then marketing and selling it to the cybercrime market.
Features of the infostealer that made it stand out from other tools in the market are that its data collection and configuration feature can be customized to tailor to the customer’s needs. Plymouth also advertised a fully featured and well designed administration panel, so that the criminals buying it can better manage the tool.
Developer Plymouth promoted the tool by offering free malware tests to developers on cybercrime forums, then collecting reviews and feedback that helped build trust among potential customers who frequented cybercrime forums. Some cybercrime forums require this accreditation of a new tool being sold, whether it’s the completion of a deposit or gaining relevant feedback from a prominent user in the forum.
Needless to say: Developer Plymouth’s efforts to promote StealC closely resemble the steps that legitimate SaaS providers take to promote their products to consumers and businesses. The disciplined and professional manner in which StealC was advertised and distributed on these forums almost certainly contributed to its wide use by cybercriminals.
Cybercriminals use StealC for financially motivated reasons, including targeting cryptocurrency and financial services firms. Features in the malware also make StealC suitable for use in cyber espionage. The Russian-speaking forums on which StealC is distributed are frequented by cybercriminals, meaning that the malware could be used to further attacks by Russian cybercriminals against organizations and even government entities that are based in the countries of Russia’s nation-state adversaries.
Detecting StealC
Since StealC is currently popular in the cybercrime market, it is essential that organizations prepare their defenses to block this malware and its associated infrastructure from being used on- or accessed from their environments. ReversingLabs’ StealC YARA rule is designed to detect this infostealer within your environment with high fidelity and almost no false-positives.
Download the StealC YARA Rule here:
To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page. To learn more about how our threat analysts write these YARA rules, check out this blog post from ReversingLabs threat analyst Laura Dabelić.
About ReversingLabs
ReversingLabs analysts constantly survey the threat landscape in an effort to better serve customers — and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware, or to schedule a demonstration.
- Tags:
- Yara Rules