StealC operator panel | Source: TRU
The eSentire Threat Response Unit (TRU) has uncovered a new malware campaign leveraging a tool called MintsLoader to deliver second-stage payloads, including the StealC malware and the Berkeley Open Infrastructure for Network Computing (BOINC) client. This campaign specifically targets critical sectors in the United States and Europe, including Electricity, Oil & Gas, and Law Firms & Legal Services industries.
MintsLoader, a PowerShell-based malware loader, is distributed through spam emails containing malicious links leading to pages like Kongtuke/ClickFix or through a JScript file. The infection chain starts when a victim downloads a file matching the pattern “Fattura[0-9]{8}.js”, which triggers a series of PowerShell commands to retrieve and execute the malicious payload.
One key aspect of MintsLoader is its Domain Generation Algorithm (DGA), which uses the current day of the month combined with a constant to generate domains dynamically. This capability, along with anti-virtual machine (anti-VM) checks, makes it challenging for researchers to track and analyze the malware.
The campaign’s payload, StealC, is an information stealer actively sold as Malware-as-a-Service (MaaS) since January 2023. According to eSentire TRU, StealC was “re-engineered from the information stealer Arkei first seen in 2018” and is adept at harvesting sensitive data, including:
- Web browser credentials
- Crypto-wallet information
- Email client tokens
- Financial data
StealC incorporates multiple anti-analysis measures, such as checks for specific usernames, system configurations, and regional settings to avoid detection. For example, it terminates itself if the system’s language matches Russia or other Commonwealth of Independent States (CIS) nations.
Another aspect of this campaign is the inclusion of the BOINC client. Originally designed for volunteer-based scientific computing, BOINC is likely used as a cover to disguise malicious activity as legitimate traffic.
The report includes a detailed list of IOCs, such as DGA-generated domains, malicious PowerShell scripts, and the SHA-256 hash of the StealC payload, which can assist organizations in identifying potential compromises. Organizations can access these IOCs on GitHub for proactive threat hunting.
Related Posts:
- Stealc Malware: The Infostealer Targeting Credentials, Crypto Wallets, and More
- StealC Infostealer Spreads in New Disguise, Targets User Data
- Kiosk Mode Attack: New Cyber Threat Steals Browser Credentials
- North Korea’s Lazarus Group: A Persistent Threat to the Defense Sector
- Ransomware Cyber Attacks Spike to Over 1.2 mn per Month
