On Monday researchers from SEKOIA.IO reported the rise of a new information stealer. Called “Stealc,” the malware was first advertised as a competitor to Vidar and Raccoon stealers in January of this year. Since then, over 40 samples of Stealc have been discovered in the wild, as well as 35 Command and Control (C2) servers. The malware is designed to steal data from browsers, browser extensions, desktop crypto wallets, email and messaging clients, and boasts customizability. In addition to capability of tailoring data collection to a specific target, Stealc also has a file grabber that can be customized to target specific files, as well as a loader, enabling the attacker to load malware onto the victim. To facilitate the stealing activities, it has a fully featured administration panel.
Binary Defense has regularly covered info stealer malware. While the user experience for Stealc seems to be particularly well developed and therefore lends itself to rapid adoption as a Malware as a Service offering (MaaS), the techniques and behaviors this malware uses are not novel. Keeping Detection and Response systems (EDR/MDR/XDR/etc.) up-to-date will go a long ways discovering campaigns like this. Additionally, netflow analysis and DNS monitoring can help detect C2 and exfiltration activity. This requires analysts to have an understanding of baseline user behavior for comparison, but could be especially effective for Stealc since it sends data as it’s identified for exfiltration instead of as bulk uploads that are more easily detected by turnkey Data Loss Prevention (DLP) solutions. Lastly, companies should avoid storing secrets, such as credentials, in the browser, and instead leverage password managers to prevent credential theft and potential domain takeover.