StealC v2 Malware Enhances Stealth and Expands Data Theft Features

MITRE Techniques

• [T1056] Input Capture – StealC steals credentials from browsers, email clients, VPNs, and cryptocurrency wallets by extracting stored data and session information (“extract credentials and session data from web browsers and plugins”).
• [T1071] Standard Application Layer Protocol – Communicates with the C2 server using HTTP and Base64-encoded JSON (“StealC v2 communicates with its command-and-control (C2) server over HTTP, using Base64-encoded JSON messages”).
• [T1106] Execution through API – Uses ShellExecuteEx to run payload executables and self-deletion commands (“executed using ShellExecuteEx and ensures the binary is removed after execution”).
• [T1059.001] PowerShell – Executes PowerShell scripts in memory fetched from attacker-controlled URLs (“constructs and executes a command that fetches and runs a remote PowerShell script directly in memory”).
• [T1560] Archive Collected Data – Divides large files into 512 KB chunks for exfiltration (“StealC can divide files into 512 KB chunks and send them as multipart uploads”).
• [T1083] File and Directory Discovery – Recursively scans user directories based on CSIDL codes to locate target files (“search specific user directories using CSIDL codes… to find files”).
• [T1140] Deobfuscate/Decode Files or Information – Uses RC4 encryption to obfuscate strings in the binary (“strings in the malware are encrypted using RC4 with a hardcoded key”).
• [T1480] Execution Guardrails – Implements language and regional checks to avoid infecting CIS countries (“StealC’s code includes a language check to exclude computers set to languages of the CIS”).
• [T1027] Obfuscated Files or Information – Employs Themida packer and string encryption for stealth (“packed StealC v2 samples observed are often protected with Themida packer”).
• [T1074] Data Staged – Aggregates stolen data in staged chunks before exfiltration (“sends files in chunks with metadata for reassembly on server”).