StealC: a new advanced infostealer
Analysts at cybersecurity firm Sekoia have uncovered a new strain of malware called StealC, an advanced infostealer designed to steal sensitive data from victims.
The malware, which is currently being sold on Dark Web forums, is spread through phishing campaigns, and once it infects a device, it can steal a wide range of data, including passwords, browser data and email credentials. StealC uses various techniques to avoid detection, including the use of a dynamic command and control infrastructure and obfuscation techniques.
The malware, developed by a threat actor using the name Plymouth, has been seen in attacks on individuals and businesses, and experts believe it is the work of a sophisticated cybercrime group.
Indicator of compromise
| IP/URL/SHA |
|---|
| 185.143.223[.]136 |
| 94.131.99[.]185 |
| 65.109.131[.]183 |
| 45.87.153[.]50 |
| 179.43.162[.]94 |
| 194.87.31[.]146 |
| 94.142.138[.]11 |
| 23.88.116[.]117 |
| 95.217.143[.]99 |
| 185.242.87[.]149 |
| 194.4.51[.]160 |
| 5.75.138[.]201 |
| 185.130.46[.]214 |
| 167.235.62[.]105 |
| 185.247.184[.]7 |
| 179.43.162[.]89 |
| 91.228.225[.]46 |
| 179.43.162[.]2 |
| 77.246.156[.]93 |
| 84.246.85[.]80 |
| 185.5.248[.]95 |
| 146.70.161[.]51 |
| 85.239.54[.]29 |
| 91.215.85[.]188 |
| 77.91.124[.]7 |
| 37.120.238[.]190 |
| 37.220.87[.]65 |
| 45.136.49[.]247 |
| 45.136.50[.]69 |
| 45.136.51[.]61 |
| 45.144.29[.]176 |
| 65.109.3[.]34 |
| 94.142.138[.]48 |
| 95.216.112[.]83 |
| 195.74.86[.]37 |
| 162.0.238[.]10 |
| 666palm[.]com |
| 777palm[.]com |
| aa-cj[.]com |
| fff-ttt[.]com |
| moneylandry[.]com |
| hxxp://146.70.161[.]51/273d9c8034a95cb4.phphxxp://162.0.238[.]10/752e382b4dcf5e3f.php |
| hxxp://176.124.192[.]200/bef7fb05c9ef6540.php |
| hxxp://179.43.162[.]2/d8ab11e9f7bc9c13.php |
| hxxp://185.5.248[.]95/api.php |
| hxxp://666palm[.]com/bca98681abf8e1ab.php |
| hxxp://777palm[.]com/bef7fb05c9ef6540.php |
| hxxp://94.142.138[.]48/f9f76ae4bb7811d9.php |
| hxxp://95.216.112[.]83/413a030d85acf448.php |
| hxxp://aa-cj[.]com/6842f013779f3d08.php |
| hxxp://fff-ttt[.]com/984dd96064cb23d7.php |
| hxxp://moneylandry[.]com/bef7fb05c9ef6540.php |
| hxxp://94.142.138[.]48/f9f76ae4bb7811d9.php |
| hxxp://185.247.184[.]7/8c3498a763cc5e26.php |
| hxxps://185.247.184[.]7/8c3498a763cc5e26.php |
| hxxp://23.88.116[.]117/api.php |
| hxxp://95.216.112[.]83/413a030d85acf448.php |
| hxxp://179.43.162[.]2/d8ab11e9f7bc9c13.php |
| hxxp://185.5.248[.]95/c1377b94d43eacea.php |
| hxxp://146.70.161[.]51/58d66e64beb49702/freebl3.dll |
| hxxp://146.70.161[.]51/58d66e64beb49702/mozglue.dll |
| hxxp://146.70.161[.]51/58d66e64beb49702/msvcp140.dll |
| hxxp://146.70.161[.]51/58d66e64beb49702/nss3.dll |
| hxxp://146.70.161[.]51/58d66e64beb49702/softokn3.dll |
| hxxp://146.70.161[.]51/58d66e64beb49702/sqlite3.dll |
| hxxp://146.70.161[.]51/58d66e64beb49702/vcruntime140.dll |
| hxxp://162.0.238[.]10/dbe4ef521ee4cc21/freebl3.dll |
| hxxp://162.0.238[.]10/dbe4ef521ee4cc21/mozglue.dll |
| hxxp://162.0.238[.]10/dbe4ef521ee4cc21/msvcp140.dll |
| hxxp://162.0.238[.]10/dbe4ef521ee4cc21/nss3.dll |
| hxxp://162.0.238[.]10/dbe4ef521ee4cc21/softokn3.dll |
| hxxp://162.0.238[.]10/dbe4ef521ee4cc21/sqlite3.dll |
| hxxp://162.0.238[.]10/dbe4ef521ee4cc21/vcruntime140.dll |
| hxxp://179.43.162[.]2/3461133978273cb9/freebl3.dll |
| hxxp://179.43.162[.]2/3461133978273cb9/mozglue.dll |
| hxxp://179.43.162[.]2/3461133978273cb9/msvcp140.dll |
| hxxp://179.43.162[.]2/3461133978273cb9/nss3.dll |
| hxxp://179.43.162[.]2/3461133978273cb9/softokn3.dll |
| hxxp://179.43.162[.]2/3461133978273cb9/sqlite3.dll |
| hxxp://179.43.162[.]2/3461133978273cb9/vcruntime140.dll |
| hxxp://185.5.248[.]95/libs/freebl3.dll |
| hxxp://185.5.248[.]95/libs/mozglue.dll |
| hxxp://185.5.248[.]95/libs/msvcp140.dll |
| hxxp://185.5.248[.]95/libs/nss3.dll |
| hxxp://185.5.248[.]95/libs/softokn3.dll |
| hxxp://185.5.248[.]95/libs/sqlite3.dll |
| hxxp://185.5.248[.]95/libs/vcruntime140.dll |
| hxxp://666palm[.]com/54fbf4b9ffe8c98d/freebl3.dll |
| hxxp://666palm[.]com/54fbf4b9ffe8c98d/mozglue.dll |
| hxxp://666palm[.]com/54fbf4b9ffe8c98d/msvcp140.dll |
| hxxp://666palm[.]com/54fbf4b9ffe8c98d/nss3.dll |
| hxxp://666palm[.]com/54fbf4b9ffe8c98d/softokn3.dll |
| hxxp://666palm[.]com/54fbf4b9ffe8c98d/sqlite3.dll |
| hxxp://666palm[.]com/54fbf4b9ffe8c98d/vcruntime140.dll |
| hxxp://777palm[.]com/2ccaf544c0cf7de7/freebl3.dll |
| hxxp://777palm[.]com/2ccaf544c0cf7de7/mozglue.dll |
| hxxp://777palm[.]com/2ccaf544c0cf7de7/msvcp140.dll |
| hxxp://777palm[.]com/2ccaf544c0cf7de7/nss3.dll |
| hxxp://777palm[.]com/2ccaf544c0cf7de7/softokn3.dll |
Sekoia also published YARA and Suricata rules to detect the the information-stealer.