Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS
StealC seems like an appropriate name for stealer malware written in C. It’s been available for less than two years as a Malware-as-a-Service product, and is a regular occurrence in HYAS malware detonations. StealC is an information stealer capable of exfiltrating a variety of confidential information, including passwords, emails, and cryptocurrency wallets.
One of the distinguishing features of StealC malware is its ability to hide its behavior by using a reduced implementation of custom code.
Let’s take a look at how StealC downloads and uses legitimate third-party dynamic-link library (.DLL) files as a modified form of ‘Living off the Land’ (LotL) attack. Strictly speaking, LotL uses files that already exist on the device; here the downloaded files are ones that standard applications use under normal circumstances.
These DLLs can be used by attackers to perform various malicious activities while blending in with legitimate software operations. By using these libraries, they can carry out tasks such as database access, cryptographic operations, and running custom code without relying on additional, potentially suspicious software.
Example MD5: 50a3cecf553842b316a98bdb9959095a
C2 IOC: 139.99.67[.]238
ASN: AS16276
Country: Singapore
ISP: OVH SAS
(Image: Network communication created by StealC malware.)
StealC DLL Usage
DLL File: sqlite3.dll
Description: SQLite database library.
Potential LotL Use: Used to read SQLite databases; could perform actions such as extracting cookies.
[…]
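The sqlite3.dll row above describes a library that is unremarkable when an installed application loads it from its own directory, but worth a second look when a freshly downloaded copy is loaded from a user-writable folder. The detection sketch below is an added example, not HYAS's or the article's code: it runs over constructed, Sysmon-style image-load events written in a simplified key=value form, and the user-writable path patterns and the WATCHED_DLLS list are assumptions to tune per environment.

```python
import re

# Constructed sample events in a simplified "key=value" rendering of the fields a
# Sysmon Event ID 7 (Image loaded) record carries; paths and names are made up.
SAMPLE_EVENTS = r"""
Image=C:\Program Files\Mozilla Firefox\firefox.exe ImageLoaded=C:\Windows\System32\kernel32.dll
Image=C:\Users\alice\AppData\Local\Temp\build.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\sqlite3.dll
Image=C:\Program Files\SomeApp\app.exe ImageLoaded=C:\Program Files\SomeApp\sqlite3.dll
Image=C:\Program Files\SomeApp\app.exe ImageLoaded=C:\Users\alice\AppData\Roaming\sqlite3.dll
"""

# Legitimate libraries the article describes the stealer downloading; extend as needed.
WATCHED_DLLS = {"sqlite3.dll"}

# Directories a standard user can write to (assumed list). An installed product's
# sqlite3.dll lives under Program Files; a copy dropped by a stealer usually lands here.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\(?:local\\temp|roaming)"
    r"|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> dict:
    """Split one 'Key=value Key=value' line into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line.strip()))

def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.match(path))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_suspicious_loads(log_text: str) -> list:
    """Flag watched DLLs loaded from user-writable dirs; 'high' if the loader runs from one too."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        dll = ev.get("ImageLoaded", "")
        if basename(dll) not in WATCHED_DLLS or not is_user_writable(dll):
            continue  # not a watched library, or an installed product's own copy
        image = ev.get("Image", "")
        severity = "high" if is_user_writable(image) else "medium"
        findings.append({"image": image, "dll": dll, "severity": severity})
    return findings

for hit in find_suspicious_loads(SAMPLE_EVENTS):
    print(f"[{hit['severity']}] {hit['image']} loaded {hit['dll']}")
```

In a real pipeline the same rule would be fed from Sysmon Event ID 7 or an EDR module-load feed, with the hash of the loaded file compared against the vendor's known-good sqlite3.dll builds before raising an alert.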
This article has been indexed from Security Boulevard