Stealc Malware: The Infostealer Targeting Credentials, Crypto Wallets, and More


In a recent analysis, the SonicWall Capture Labs threat research team documented the capabilities of Stealc, an infostealer designed to harvest credentials, cryptocurrency wallet data, and other sensitive information. The malware targets a specific set of applications, browsers, and online services, giving attackers broad access to data stored on victims' systems.

Stealc collects sensitive information from a broad array of sources. SonicWall's research shows that Stealc first performs "a check on the locale using WMI, svchost, and multiple API calls," after which it enumerates system details, including hardware, user accounts, and network configuration. This reconnaissance lets it profile the host before deciding what to collect, making it a versatile tool for cybercriminals.

The malware extracts credentials from popular browsers such as Internet Explorer, Chrome, and Firefox, and from cryptocurrency wallets such as the Monero wallet. Beyond browsers and wallets, it also targets SaaS platforms and widely used applications, including Microsoft Outlook, OneDrive, FileZilla, and Telegram. In total, Stealc's targets range from financial and business software to messaging applications and file-sharing platforms.

Stealc employs multiple layers of obfuscation to avoid detection. The SonicWall team noted that the malware "uses VirtualProtect to create guard pages during runtime," which adds an extra layer of protection against debugging: touching a page marked PAGE_GUARD raises an exception that the malware expects to handle itself, so a debugger or memory scanner that reads the page disturbs the intended control flow. Additionally, Stealc's code is heavily obfuscated, with most strings decoded only at runtime. The malware also checks environmental cues, such as system locale and time, to avoid activating in sandboxed or analysis environments.

SonicWall's researchers found that Stealc contacts a hardcoded IP address to exfiltrate collected data. During testing, the malware built the URL http://62.204.41.177/edd20096ecef326d.php and attempted to connect to it. The researchers also noted a command for initiating network connections through PowerShell, although it was not triggered during the lab tests.

The analysis further revealed a simple check-in protocol: the malware sends a POST request containing system identifiers such as "hwid" and "build". The server response in the lab was the base64 string "YmxvY2s=", which decodes to "block", indicating that the command and control server decides per infected host whether the session proceeds, rather than the sample acting on its own.
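The check-in exchange described in the two paragraphs above, turned into detection logic that a responder could run over captured HTTP traffic. This is an added example, not SonicWall's code or the malware's own; the HTTP request and response below are constructed to match the description (the hwid and build values are placeholders), and the rule that generalises the single observed URL into "a 16-hex-character .php name on a bare IP" is an assumption that may need tuning against real captures.

```python
"""Detect a Stealc-style C2 check-in and decode its reply (added example)."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed sample exchange modelled on the check-in described above.
# The hwid/build values are placeholders, not observed data.
SAMPLE_REQUEST = (
    "POST /edd20096ecef326d.php HTTP/1.1\r\n"
    "Host: 62.204.41.177\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 43\r\n"
    "\r\n"
    "hwid=0123456789ABCDEF01234567&build=default"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 8\r\n"
    "\r\n"
    "YmxvY2s="
)

# Assumption: the observed endpoint is one 16-hex-char .php name on a bare IP.
# The pattern generalises that single observation and is not from the report.
GATE_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
REQUIRED_FIELDS = {"hwid", "build"}


def split_http(raw):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_checkin(raw_request):
    """Score one request against the check-in pattern and return the evidence.

    All three indicators must be present for a match, so a form POST that
    merely has a 'build' field, or any POST to a bare IP, is not enough alone.
    """
    start, headers, body = split_http(raw_request)
    parts = start.split()
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    host = headers.get("host", "")
    reasons = []
    if method == "POST" and GATE_PATH.match(path):
        reasons.append("POST to a 16-hex .php gate")
    if BARE_IPV4.match(host):
        reasons.append("Host header is a bare IPv4 address")
    if REQUIRED_FIELDS.issubset(fields):
        reasons.append("body carries hwid and build identifiers")
    return {
        "match": len(reasons) == 3,
        "host": host,
        "path": path,
        "fields": fields,
        "reasons": reasons,
    }


def decode_response(raw_response):
    """Return the base64-decoded C2 reply body, or None if it is not base64."""
    _, _, body = split_http(raw_response)
    try:
        return base64.b64decode(body.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    verdict = classify_checkin(SAMPLE_REQUEST)
    print("match:", verdict["match"], verdict["reasons"])
    print("server replied:", decode_response(SAMPLE_RESPONSE))
```

The function returns the evidence list rather than a bare boolean so that a partial hit (for example, a POST with hwid and build to a domain name rather than an IP) can still be surfaced as a lower-confidence alert after the gate naming changes.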
