8 minute read

We continue to publish our analysis report of Stealc, an information stealer promoted by its supposed developer Plymouth on Russian-language underground forums and sold as malware as a service since January 9, 2023.

stealc

In this part we are analyse exfiltration system information and downloader logic of stealer.

Download Browsers Configurations:

inside sub_0x403D5F() → renamed to mw_Download_1(), Stealc again will ask C2 to feed it with some configuration to be used in stealth behavior, it will do the same steps done before in the first connection but this time will ask for a different data, and if we look at the TCP stream.

but before that, if you remember the last decoded data in the first stream was like this

“aa36b6d1c34621ab9876080e89e62c526f27572fa74ad766587fc1e832822fbc85b96f8f”

This stream of hexa values will be used in all communication tunnels and acts like a reference for the victim ID obtained before, so C2 receives the Victim ID which was the calculated “C” drive serial number, and then does some equation on this calculated serial and then send the new ID in the first packet received by the victim which will be used repeatedly in all the connection.

stealc

If we manually decode the above stream will result in another configuration data related to the browser’s paths where Application User Data is saved

Google Chrome|\Google\Chrome\User Data |chrome|  
Google Chrome Canary|\Google\Chrome SxS\User Data|chrome|  
Chromium|\Chromium\User Data|chrome|  
Amigo|\Amigo\User Data|chrome|  
Torch|\Torch\User Data|chrome|  
Vivaldi|\Vivaldi\User Data|chrome|  
Comodo Dragon|\Comodo\Dragon\User Data|chrome|  
EpicPrivacyBrowser|\Epic Privacy Browser\User Data|chrome|  
CocCoc|\CocCoc\Browser\User Data|chrome|  
Brave|\BraveSoftware\Brave-Browser\User Data|chrome|  
Cent Browser|\CentBrowser\User Data|chrome|  
7Star|\7Star\7Star\User Data|chrome|  
Chedot Browser|\Chedot\User Data|chrome|  
Microsoft Edge|\Microsoft\Edge\UserData|  
chrome|360 Browser|\360Browser\Browser\User Data|chrome|  
QQBrowser|\Tencent\QQBrowser\User Data|chrome|  
CryptoTab|\CryptoTab Browser\User Data|chrome|  
Opera Stable|\Opera Software|opera|  
Opera GX Stable|\Opera Software|opera|  
Mozilla Firefox|\Mozilla\Firefox\Profiles|firefox|  
Pale Moon|\Moonchild Productions\Pale Moon\Profiles|firefox|  
Opera Crypto Stable|\Opera Software|opera|  
Thunderbird|\Thunderbird\Profiles|firefox|

Just like you see this config will be used to steal the browser’s databases and it will try for all Chromium-based browsers that share the same structure of databases and also will explore Mozilla-based web engines and “Thunderbird” mail client which is based on Mozilla also, finally, Opera web engine is on its consideration, also if you observed that for every web-engine at the end of the path it appends |chrome| or |firefox| as I have said that every engine will be treated differently in exfiltration process, so it calls mw_parse_configuration after decoding the stream to enable Stealc to separate.

stealc

and here is how this configuration is parsed in a format that enables it to be used later.

00000000 00000000 00000000  
    |        |       |--> BrowserName length  
    |        |-->4 null bytes  
    |-->  pointer to BroswerName or path 

stealc

Download Browsers Extensions

then the agent will ask C2 to feed it with plugins that will be used and I observed that it appends a string in the communication request that specifies which content will be retrieved from C2.

stealc

so again if we take a look at how our request and response look in our sniffer, it will confirm our previous analysis that the agent will ask for a plugin as a configuration request type.

stealc

the response is also base64 stream, I will decode it as past to reveal its secrets and also give us an indication about what will be done next.

Extenstion Name 					| Extenstion ID |   flags or something   
  |                 					    |                 	  |  
  |                  					    |                 	  |  
  
MetaMask						|djclckkglechooblngghdinmeemkbgci|1|0|0|  
MetaMask						|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|  
MetaMask						|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|  
TronLink						|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|  
Binance Wallet					|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|  
Yoroi							|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|  
Coinbase Wallet extension		|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|  
Guarda							|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|  
Jaxx Liberty					|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|  
iWallet							|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|  
MEW CX							|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|  
GuildWallet						|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|  
Ronin Wallet					|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|  
NeoLine							|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|  
CLV Wallet						|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|  
Liquality Wallet				|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|  
Terra Station Wallet			|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|  
Keplr							|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|  
Sollet							|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|  
Auro Wallet(Mina Protocol)		|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|  
Polymesh Wallet					|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|  
ICONex							|flpiciilemghbmfalicajoolhkkenfel|1|0|0|  
Coin98 Wallet					|aeachknmefphepccionboohckonoeemg|1|0|0|  
EVER Wallet						|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|  
KardiaChain Wallet				|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|  
Rabby							|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|  
Phantom							|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|  
Brave Wallet					|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|  
Oxygen							|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|  
Pali Wallet						|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|  
BOLT X							|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|  
XDEFI Wallet					|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|  
Nami							|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0  
|Maiar DeFi Wallet				|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|  
Keeper Wallet					|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|  
Solflare Wallet					|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|  
Cyano Wallet					|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|  
KHC								|hcflpincpppdclinealmandijcmnkbgn|1|0|0|  
TezBox							|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|  
Temple							|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|  
Goby							|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|  
Ronin Wallet					|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|  
Byone							|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|  
OneKey							|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|  
DAppPlay						|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|  
SteemKeychain					|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|  
Braavos Wallet					|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|  
Enkrypt							|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|  
OKX Wallet						|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|  
Sender Wallet					|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|  
Hashpack						|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|  
Eternl							|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|  
Pontem Aptos Wallet				|phkbamefinggmakgklpkljjmgibohnba|1|0|0|  
Petra Aptos Wallet				|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|  
Martian Aptos Wallet			|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|  
Finnie							|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|  
Leap Terra Wallet				|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|  
Trezor Password Manager			|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|  
Authenticator					|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|  
Authy							|gaedmjdfmmahhbjefcbgaolhhanlaolb|1|0|0|  
EOS Authenticator				|oeljdldpnmdbchonielidgobddffflal|1|0|0|  
GAuth Authenticator 			|ilgcnhelpchnceeipipijaljkblbcobl|1|0|0|  
Bitwarden					 	|nngceckbapebfimnlniiiahkandclblb|1|0|0|  
KeePassXC						|oboonakemofpalcgghocfoadofidjkkk|1|0|0|  
Dashlane						|fdjamakpfbbddfjaooikfcpapjohcfmg|1|0|0|  
NordPass						|fooolghllnmhmmndgjiamiiodkpenpbb|1|0|0|  
Keeper							|bfogiafebfohielmmehodmfbbebbbpei|1|0|0|  
RoboForm						|pnlccmojcmeohlpggmfnbbiapkmbliob|1|0|0|  
LastPass						|hdokiejnpimakedhajhdlcegeplioahd|1|0|0|  
BrowserPass						|naepdomgkenhinolocfifgehidddafch|1|0|0|  
MYKI							|bmikpgodpkclnkgmnpphehdgcimmided|1|0|0|  
Splikity  						|jhfjfclepacoldmjmkmdlmganfaalklb|1|0|0|  
CommonKey 						|chgfefjpcobfbnpmiokfjjaglahmnded|1|0|0|  
Zoho Vault    					|igkpcodhieompeloncfnbekccinhapdb|1|0|0|  
Opera Wallet  					|gojhcdgcpbpfigcaejpfhfegekdgiblk|0|0|1|

it’s a collection of browser extensions that Stealc will search for in the browser’s DB using the ID provided which adds more stealthy capabilities, the same operation of storing configuration is done with these plugins as browsers did.

Exfiltrate System Information

after that Stealc starts gathering system and hardware information like,

ip address  
country   
processor name  
operating system  
arch 32 or 64  
pc or laptob  
UserName  
computerName  
Screenshot  
installed apps  
running process  
etc.....

and after allocating this data it saves it in a format that is understandable by C2.

stealc

stealc

stealc

stealc

stealc

then the Collected Data is base64 encoded before transferring to C2

stealc

and here is the stream of the fully allocated data

System Summary:  
 - HWID: 8658E8B4266B114684123  
 - OS: Windows 10 Enterprise  
 - Architecture: x64  
 - UserName:   
 - Computer Name: DESKTOP-2C3IQHO  
 - Local Time: 2023/9/14 18:47:27  
 - UTC: -5  
 - Language: en-US  
 - Keyboards: English (United States)  
 - Laptop: FALSE  
 - CPU: Intel(R) Core(TM) i7-4600M CPU @ 2.90GHz  
 - Cores: 1  
 - Threads: 1  
 - RAM: 4095 MB  
 - Display Resolution: 1536x864  
 - GPU:  
  -VMware SVGA 3D  
  -VMware SVGA 3D  
User Agents:  
Installed Apps:  
All Users:  
 HxD Hex Editor version 1.7.7.0 - 1.7.7.0  
 Npcap - 1.55  
 VB Decompiler Lite  
 WinSCP 5.13 - 5.13  
 Wireshark 3.6.0 64-bit - 3.6.0  
 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 - 10.0.30319  
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 - 9.0.30729.4148  
 Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326 - 14.32.31326.0  
Current User:  
 Progress Telerik Fiddler - 5.0.20173.50948  
 Microsoft OneDrive - 18.025.0204.0009  
 Opera Stable 91.0.4516.77 - 91.0.4516.77  
 Python 3.9.9 (64-bit) - 3.9.9150.0  
  
Process List:  
 System  
 smss.exe  
 csrss.exe  
 wininit.exe  
 csrss.ex  
 SearchIndexer.exe  
 SearchUI.exe  
 RuntimeBroker.exe  
 RuntimeBroker.exe  
 svchost.exe  
 SettingSyncHost.exe  
 svchost.exe  
 svchost.exe  
 vmtoolsd.exe  
 msdsrv.exe  
 svchost.exe  
 svchost.exe  
 svchost.exe  
 ApplicationFrameHost.exe  
 svchost.exe  
 svchost.exe 

Downloader

after exfiltrating system info, Stealc will download Sqlite3 Dll which will be used to execute some queries to retrieve data from Ghrome Application data, so I will not skip this and try to explain it in detail.

first, it asks for Sqlite3.dll

stealc

stealc

after downloading the file it starts checking if the file is correct by checking some magic byte related to the dos header and PE header, and after that, it will not copy the whole file just from the start of section headers till the end of the file.

stealc

Stealc does all of that just to get addresses of some APIs that will assist in retrieving data from Chrome databases which Chrome itself uses

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

stealc

after that, it will start to check the browser structure built before and check the web engine then it will start to iterate over all browsers and if it hits any browser that exists on the victim machine it will then get a handle to db files which I will explain next…….

first, it will resolve

%USER%AppData\Local\Google\Chrome\User Data\LocalState

that exists in Chrome folders, but why this file exactly because it is used to store some more technical information about Chrome

The user’s preferred language

The user’s theme and font settings

The user’s startup settings (e.g., whether to open Chrome maximized)

The user’s privacy settings (e.g., whether to enable cookies)

The user’s extensions and their settings

The user’s bookmarks and history

after getting a handle on the file it will read file data and save a pointer to it into the first passed argument.

stealc

after that, it will search for the “encrypted_key “ string on the buffer, then it will try to retrieve the key from the file buffer because the key is saved in a format that I will show in the next figure.

stealc

until that, it will iterate over the buffer until it hits the end of the key which is marked by the } symbol

stealc

after retrieving the key it will base64 decode it, at the first 5 bytes of the decoded stream the word “DPAPI” indicates a DPAPI decrypted stream, after that, it will use the decoded key to decrypt the AES key using CryptUnprotectData, and the result is an AES key which will be used to decrypt cookies and credentials that because chrome(v80+) is encrypting data using AES and the AES key is encrypted with DPAPI,

then it will AES decrypted key to generate a symmetric key which will be used for the decryption operation, this is done in 3 steps

1- call BCryptOpenAlgorithmProvider to handle a cryptographic algorithm provider which in this case is AES.

2-call BCryptSetProperty to set the mode to ChainingModeGCM, It specifies that the Galois/Counter Mode (GCM) chaining mode should be used. GCM is a mode of operation for block ciphers that provides both encryption and authentication (with the help of Bard chat)

3- call BCryptGenerateSymmetricKey, used to generate a symmetric key for cryptographic operations and save a handle for it in Phkey var.

after that, it will retrieve the browser path that was received from C2, and in our case the first folder path is

%USER%AppData\Local\Google\Chrome\User Data

so it will iterate over all folders on this path looking for some Browser DB files, these files are

AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

AppData\Local\Google\Chrome\User Data\Default\Login Data

AppData\Local\Google\Chrome\User Data\Default\Web Data

AppData\Local\Google\Chrome\User Data\Default\History

which enables it to steal history and web sessions also autofill data will be exfiltrated.

We hope this post spreads awareness to the blue teamers of this interesting malware techniques, and adds a weapon to the red teamers arsenal.

Big thanks to @farghlymal for this detailed report.

By Cyber Threat Hunters from MSSPLab:

References

https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
https://farghlymal.github.io/Stealc-Stealer-Analysis/
https://twitter.com/farghlymal
Stealc config decryptor
Malware Analysis Stealc - part 1

Thanks for your time happy hacking and good bye!
All drawings and screenshots are from farghlymal blog