Full Report
The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. [...]
Analysis Summary
# Tool/Technique: StealC (Version 2 and later)
## Overview
StealC is an evolving information stealer malware, enhanced in its later versions (V2 and beyond) with significant stealth upgrades and expanded data theft capabilities. It is designed to compromise systems and exfiltrate sensitive information, including credentials and browser data.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Primarily Windows (implied by execution methods like EXE, MSI, PowerShell, 64-bit compilation)
- Capabilities: Data theft, browser cookie hijacking (including bypassing Chrome's App-Bound Encryption defenses), real-time alerting via Telegram, desktop screenshotting, dynamic API resolution, self-deletion.
- First Seen: Version 2 announced March 2025 (based on the context date)
## MITRE ATT&CK Mapping
*(Note: Specific mappings for all new features are not explicitly detailed in the context, but core infostealer functions map to the tactics below)*
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (if delivered via email)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (RC4 encryption usage)
  - T1055 - Process Injection (implied if aiming for persistence/stealth)
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter (PowerShell execution support)
## Functionality
### Core Capabilities
- **Data Theft:** Targeting sensitive data stored on the victim machine, specializing in browser data, including cookies previously protected by Chrome's 'App-Bound Encryption'.
- **Payload Delivery:** Flexible delivery mechanisms supporting EXE files, MSI packages, and PowerShell scripts.
- **Execution Improvements:** New payloads compiled specifically for 64-bit systems.
### Advanced Features
- **Stealth & Evasion:** Utilizes RC4 encryption for code strings and Command-and-Control (C2) communications. C2 responses incorporate random parameters to evade detection.
- **Dynamic Execution:** Resolves API functions dynamically at runtime, making static analysis harder.
- **Operator Communication:** Integrated Telegram bot support for delivering real-time alerts to operators.
- **Persistence/Cleanup:** Includes a self-deletion routine.
- **Information Gathering:** Capability to capture screenshots of the victim's desktop, supporting multiple monitors.
- **Build Generation:** Embedded builder allows operators to create custom StealC builds using templates and specific data theft rules.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: No specific IPs or domains are listed. C2 communications are RC4-encrypted, and C2 responses carry random parameters for evasion. **Defanged placeholder examples only:** `hxxp://c2server[.]example`, `hxxps://incoming[.]data`
- Behavioral Indicators: Execution via MSI/EXE/PowerShell, dynamic API calls resolved at runtime, communications utilizing RC4, presence of self-deletion routine, attempts to access browser data/cookies, establishment of Telegram communication channel.
## Associated Threat Actors
- Known to be deployed by the **Amadey** malware loader in recent observed attacks, though other operators may use different delivery methods.
## Detection Methods
- Signature-based detection: Signatures matching known binary patterns or specific hardcoded RC4 keys (where identified).
- Behavioral detection: Monitoring for dynamic resolution of Windows API functions, unusual execution flows involving PowerShell or MSI installers, and attempts to read protected browser profile directories or cookie stores.
- YARA rules: Potential rules targeting unique string sequences or structures resulting from RC4 encryption or the custom builder process.
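As an added illustration (not from the report or any vendor product), the behavioral indicator above expressed as a check over constructed endpoint telemetry: a non-browser process spawned from an MSI or PowerShell parent that then reads a browser cookie or credential store. Event field names, process names and profile paths are assumptions for this example.

```python
# Added example: flag the execution-then-cookie-access chain described in the report.
# Browser artifact paths the report says StealC targets; compared case-insensitively.
SENSITIVE_SUFFIXES = (
    r"\network\cookies",  # Chrome/Edge cookie store
    r"\cookies",          # older cookie store location
    r"\login data",       # saved credentials
    r"\local state",      # holds the wrapped key used to decrypt the stores
)
# Launch paths the report lists for StealC payloads (MSI packages, PowerShell scripts).
SUSPICIOUS_PARENTS = {"msiexec.exe", "powershell.exe", "pwsh.exe"}
# Browsers legitimately read their own profile data, so they are excluded.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}


def detect(events):
    """Return (pid, image, path) for each read of a browser cookie/credential store
    by a non-browser process that was spawned from an MSI or PowerShell parent.
    Events are dicts ordered by time; field names are assumptions for this example."""
    lineage_flagged = set()  # pids created by a suspicious parent
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            if ev["parent_image"].lower() in SUSPICIOUS_PARENTS:
                lineage_flagged.add(ev["pid"])
        elif ev["type"] == "file_read":
            if ev["image"].lower() in BROWSERS:
                continue  # expected: browsers read their own stores
            if ev["pid"] in lineage_flagged and ev["path"].lower().endswith(SENSITIVE_SUFFIXES):
                hits.append((ev["pid"], ev["image"], ev["path"]))
    return hits


# Constructed sample telemetry: an MSI-launched binary reading Chrome stores,
# plus benign reads by Chrome itself and by an unrelated process.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": "msiexec.exe", "parent_image": "explorer.exe"},
    {"type": "process_create", "pid": 4212, "image": "update.exe", "parent_image": "msiexec.exe"},
    {"type": "file_read", "pid": 4212, "image": "update.exe", "path": PROFILE + r"\Default\Network\Cookies"},
    {"type": "file_read", "pid": 4212, "image": "update.exe", "path": PROFILE + r"\Local State"},
    {"type": "process_create", "pid": 5000, "image": "chrome.exe", "parent_image": "explorer.exe"},
    {"type": "file_read", "pid": 5000, "image": "chrome.exe", "path": PROFILE + r"\Default\Network\Cookies"},
    {"type": "file_read", "pid": 3000, "image": "backup.exe", "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, image, path in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} read {path}")
```

On the constructed sample this yields two alerts, both for the MSI-spawned `update.exe`; the browser's own reads and the unrelated process produce none.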
## Mitigation Strategies
- **Avoid Pirated/Obscure Software:** Never download software from untrusted or obscure sources, as this is a likely delivery vector (Amadey loader deployment observed).
- **MFA Implementation:** Use Multi-Factor Authentication (MFA) on all sensitive accounts (especially Google accounts) to mitigate cookie theft impact.
- **Data Storage Hygiene:** Avoid storing sensitive information directly within the browser for convenience (e.g., persistent logins if not secured by MFA).
- **Endpoint Security:** Deploy modern Endpoint Detection and Response (EDR) solutions capable of detecting dynamic API resolution at runtime and unusual process execution sequences.
## Related Tools/Techniques
- **Amadey:** Known loader used to deploy StealC in recent campaigns.
- Other information stealers that target browser data (e.g., RedLine, Vidar).