Cybersecurity researchers today detailed recently discovered information-stealing malware that is rapidly growing in popularity on dark web marketplaces.

Dubbed “Stealc” by researchers at Sekoia ApS, the malware was first spotted being offered for sale in January on a forum by a user going by the name of “Plymouth.” Stealc was advertised as a fully featured and ready-to-use stealer, whose development relied on previous stealer malware such as Vidar, Raccoon, Mars and Redline.

In early February, the same researchers then discovered a new malware family while tracking information stealers. It was found to be directly related to Stealc, with dozens of Stealc samples distributed in the wild.

Stealc targets sensitive data from web browsers, extensions for cryptocurrency wallets, desktop cryptocurrency wallets and information from additional applications, including email clients and messenger software. The data collection configuration can be customized to tailor the malware to the customer’s needs.

The malware implements a customizable file grabber, allowing customers to steal files matching their grabber rules. The stealer was also found to have loader capabilities that are typical for an information stealer sold as malware-as-a-service.

Although Stealc is currently being sold on a MaaS basis, the researchers warn that because customers own a build of its administration panel to host the stealer command-and-control center, the build will likely leak to underground communities in the medium term. Eventually, a cracked version of a Stealc build may be released, which could be used for many years to come.

With the likelihood of further distribution and its growing popularity, the Sekoia researchers “expect that the Stealc infostealer will become widespread in the near term, as multiple threat actors add the malware to their arsenal while it is poorly monitored.” Companies facing targeted stealer attacks are warned to be aware of this malware.

“As advanced tools and attack-as-a-service offerings become easily accessible on the dark web, even relatively unsophisticated attackers are enabled to execute extremely sophisticated and lucrative attacks,” Dror Liwer, co-founder of Coro Cyber Security Ltd., told SiliconANGLE. “What this translates to is more attacks on a wider population, with the economics working even when the attacked is a mid-market or small business.”

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., said one interesting addition in this malware is its specific targeting of password managers.

“It specifically targets at least 13 browser extensions installed by password managers and other authenticators,” Grimes explained. “I’m not sure if StealC is the first malware program to do this much targeting of password managers — probably not — but it obviously tells us that hackers are increasingly targeting password manager users. This is a trend we all need to pay attention to.”

Image: Pixabay