HYAS Blog

Caught in the Act: StealC, the Cyber Thief in C

Written by David Brunsdon | July 15, 2024

Weekly Threat Intelligence Report

Date: July 15, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

StealC seems like an appropriate name for stealer malware written in C. It’s been available for less than two years as a Malware-as-a-Service product, and is a regular occurrence in HYAS malware detonations. StealC is an information stealer capable of exfiltrating a variety of confidential information, including passwords, emails, and cryptocurrency wallets.

One of the distinguishing features of StealC malware is its ability to hide its behavior by using a reduced implementation of custom code.

Let’s take a look at how StealC downloads and can use legitimate 3rd party dynamic-link library (.DLL) files as a modified form of ‘Living off the Land’ (LotL) attacks. Strictly speaking, LotL would use files that already exist on the device, however the files downloaded are used by standard applications under normal circumstances.

These DLLs can be used by attackers to perform various malicious activities while blending in with legitimate software operations. By using these libraries, they can carry out tasks such as database access, cryptographic operations, and running custom code without relying on additional, potentially suspicious software.

Example MD5: 50a3cecf553842b316a98bdb9959095a
C2 IOC: 139.99.67[.]238
ASN: AS16276
Country: Singapore
ISP:  OVH SAS


(Image: Network communication created by StealC malware.)

StealC DLL Usage

DLL File Description Potential LotL Use

sqlite3.dll

SQLite database library.

Used to read SQLite databases, could perform actions such as extracting cookies from Mozilla Firefox.

freebl3.dll

FreeBL cryptographic library from Mozilla.

Can be used to perform cryptographic operations, potentially aiding in encrypting/decrypting data without raising suspicion.

mozglue.dll

Mozilla glue library, used to support other Mozilla libraries.

Could assist in leveraging Mozilla-based applications or libraries for data manipulation or other activities.

msvcp140.dll

Microsoft C Runtime Library, part of Visual Studio.

Provides C++ standard library functions, which could be used to build and execute complex operations using C++ code.

nss3.dll

Network Security Services (NSS) library from Mozilla.

Enables various security protocols and cryptographic functions, which might be used for secure communication or data encryption.

softokn3.dll Softoken cryptographic module from Mozilla. Can be used for cryptographic functions such as hashing, encryption, and digital signatures, which might be used to secure malicious communications or payloads.
vcruntime140.dll Microsoft Visual C++ Runtime Library. Provides runtime support for applications developed with Visual C++, which could be used to execute custom C++ code.

In our above example, using HYAS Insight threat intelligence, we were able to provide some C2 attribution data to the above activity. We can see that the C2 IOC has been used by the operator who accessed the server on and around 2024/07/09, from an IP address in Vietnam.

Actor IP: 113.164.33.127
ISP: Vietnam Posts and Telecommunications Group
ASN: AS45899
Country: Vietnam
Most recent known C2 activity: 2024/07/09 16:41:17 UTC

Ongoing StealC campaigns

HYAS Insight provides access to malware detonation details and the HYAS Threat Intelligence Team is tracking a relatively high volume of StealC activity. The following IPs have been identified as StealC command and control infrastructure in the past seven days.

85.28.47.30
91.92.240.120
46.8.238.240
139.99.67.238
40.86.87.10
85.28.47.4
94.228.166.20

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Sign up for the free HYAS Insight Intel Feed


Read Previous Threat Intelligence Reports:

HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards

Tracking an Active Remcos Malware Campaign

Revealing LOTL Techniques Used by An Active Remcos Malware Campaign

Agent Tesla Unmasked: Revealing Interrelated Cyber Campaigns

Risepro Malware Campaign On the Rise


More from HYAS Labs

Using Generative AI to Understand How an Obfuscated Script Works

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

Examining Predatory Mercenary Malware

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.