Weekly Threat Intelligence Report
Date: July 15, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
StealC seems like an appropriate name for stealer malware written in C. It’s been available for less than two years as a Malware-as-a-Service product, and is a regular occurrence in HYAS malware detonations. StealC is an information stealer capable of exfiltrating a variety of confidential information, including passwords, emails, and cryptocurrency wallets.
One of the distinguishing features of StealC malware is its ability to hide its behavior by using a reduced implementation of custom code.
Let’s take a look at how StealC downloads and can use legitimate 3rd party dynamic-link library (.DLL) files as a modified form of ‘Living off the Land’ (LotL) attacks. Strictly speaking, LotL would use files that already exist on the device, however the files downloaded are used by standard applications under normal circumstances.
These DLLs can be used by attackers to perform various malicious activities while blending in with legitimate software operations. By using these libraries, they can carry out tasks such as database access, cryptographic operations, and running custom code without relying on additional, potentially suspicious software.
Example MD5: 50a3cecf553842b316a98bdb9959095a
C2 IOC: 139.99.67[.]238
ASN: AS16276
Country: Singapore
ISP: OVH SAS
(Image: Network communication created by StealC malware.)
StealC DLL Usage
| DLL File | Description | Potential LotL Use |
|
sqlite3.dll |
SQLite database library. |
Used to read SQLite databases, could perform actions such as extracting cookies from Mozilla Firefox. |
|
freebl3.dll |
FreeBL cryptographic library from Mozilla. |
Can be used to perform cryptographic operations, potentially aiding in encrypting/decrypting data without raising suspicion. |
|
mozglue.dll |
Mozilla glue library, used to support other Mozilla libraries. |
Could assist in leveraging Mozilla-based applications or libraries for data manipulation or other activities. |
|
msvcp140.dll |
Microsoft C Runtime Library, part of Visual Studio. |
Provides C++ standard library functions, which could be used to build and execute complex operations using C++ code. |
| nss3.dll |
Network Security Services (NSS) library from Mozilla. |
Enables various security protocols and cryptographic functions, which might be used for secure communication or data encryption. |
| softokn3.dll | Softoken cryptographic module from Mozilla. | Can be used for cryptographic functions such as hashing, encryption, and digital signatures, which might be used to secure malicious communications or payloads. |
| vcruntime140.dll | Microsoft Visual C++ Runtime Library. | Provides runtime support for applications developed with Visual C++, which could be used to execute custom C++ code. |
In our above example, using HYAS Insight threat intelligence, we were able to provide some C2 attribution data to the above activity. We can see that the C2 IOC has been used by the operator who accessed the server on and around 2024/07/09, from an IP address in Vietnam.
Actor IP: 113.164.33.127
ISP: Vietnam Posts and Telecommunications Group
ASN: AS45899
Country: Vietnam
Most recent known C2 activity: 2024/07/09 16:41:17 UTC
Ongoing StealC campaigns
HYAS Insight provides access to malware detonation details and the HYAS Threat Intelligence Team is tracking a relatively high volume of StealC activity. The following IPs have been identified as StealC command and control infrastructure in the past seven days.
85.28.47.30
91.92.240.120
46.8.238.240
139.99.67.238
40.86.87.10
85.28.47.4
94.228.166.20
Learn More About HYAS Insight
An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.
Read Previous Threat Intelligence Reports:
HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards
Tracking an Active Remcos Malware Campaign
Revealing LOTL Techniques Used by An Active Remcos Malware Campaign
Agent Tesla Unmasked: Revealing Interrelated Cyber Campaigns
Risepro Malware Campaign On the Rise
More from HYAS Labs
Using Generative AI to Understand How an Obfuscated Script Works
Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.
Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.
Examining Predatory Mercenary Malware
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.