Weekly Threat Intelligence Report
Date: July 15, 2024
Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS
StealC seems like an appropriate name for stealer malware written in C. It’s been available for less than two years as a Malware-as-a-Service product, and is a regular occurrence in HYAS malware detonations. StealC is an information stealer capable of exfiltrating a variety of confidential information, including passwords, emails, and cryptocurrency wallets.
One of the distinguishing features of StealC is that it conceals its behavior by keeping its own custom code to a minimum.
Let’s take a look at how StealC downloads legitimate third-party dynamic-link library (.DLL) files and can use them as a modified form of ‘Living off the Land’ (LotL) attack. Strictly speaking, LotL would use files that already exist on the device; here the files are downloaded, but they are the same libraries that standard applications use under normal circumstances.
These DLLs can be used by attackers to perform various malicious activities while blending in with legitimate software operations. By using these libraries, they can carry out tasks such as database access, cryptographic operations, and running custom code without relying on additional, potentially suspicious software.
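As an added defender-side example (not code from the HYAS report), the following Python correlates two of the signals the report describes: an outbound connection to the listed C2 address and the same process writing a legitimate library such as sqlite3.dll into a user-writable staging directory. The event schema, the staging-directory list and every DLL name other than sqlite3.dll are assumptions made for illustration.

```python
from collections import defaultdict

# Library names a stealer may fetch at runtime. sqlite3.dll follows the report
# (reading SQLite databases such as browser cookie stores); the remaining names
# are assumptions added for illustration, not taken from the report.
WATCHED_DLLS = {"sqlite3.dll", "nss3.dll", "freebl3.dll", "mozglue.dll"}
# User-writable locations where a packaged application would not normally
# install these libraries (assumed list; extend to match your environment).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
# C2 address listed in the report (defanged there as 139.99.67[.]238).
C2_IOCS = {"139.99.67.238"}


def is_staged_dll(path):
    """True if a watched library name was written into a staging directory."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in WATCHED_DLLS and any(d in p for d in STAGING_DIRS)


def correlate(events):
    """Group events by pid; alert when one process both talks to the C2 and
    drops a legitimate DLL into a staging directory. Assumed event schema:
    {"type": "netconn", "pid", "dst"} or {"type": "filecreate", "pid", "path"}."""
    by_pid = defaultdict(lambda: {"c2": set(), "dlls": []})
    for e in events:
        rec = by_pid[e["pid"]]
        if e["type"] == "netconn" and e["dst"] in C2_IOCS:
            rec["c2"].add(e["dst"])
        elif e["type"] == "filecreate" and is_staged_dll(e["path"]):
            rec["dlls"].append(e["path"])
    return [{"pid": pid, "c2": sorted(r["c2"]), "dlls": r["dlls"]}
            for pid, r in by_pid.items() if r["c2"] and r["dlls"]]


# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"type": "netconn", "pid": 4120, "dst": "139.99.67.238"},
    {"type": "filecreate", "pid": 4120, "path": r"C:\Users\u\AppData\Local\Temp\sqlite3.dll"},
    {"type": "filecreate", "pid": 4120, "path": r"C:\ProgramData\nss3.dll"},
    # Benign: an installer writing the same library under Program Files,
    # with ordinary outbound traffic; must not alert.
    {"type": "filecreate", "pid": 880, "path": r"C:\Program Files\App\sqlite3.dll"},
    {"type": "netconn", "pid": 880, "dst": "203.0.113.10"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} contacted {alert['c2']} and staged {alert['dlls']}")
```

Only the pairing of both signals in one process raises an alert, so a browser installer that legitimately ships sqlite3.dll into Program Files stays quiet.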
Example MD5: 50a3cecf553842b316a98bdb9959095a
C2 IOC: 139.99.67[.]238
ASN: AS16276
Country: Singapore
ISP: OVH SAS
(Image: Network communication created by StealC malware.)
StealC DLL Usage
Used to read SQLite databases, could perform actions such as extracting cookies
[…]