Keypoints
- StealC is distributed at scale disguised as legitimate installers and delivered via platforms like Discord, GitHub, Dropbox, and Mega links.
- Common sample filenames include setup_2024.008.20534_win64_86.exe and Setup_21.4_win64_86; the loader checks its own filename and performs no malicious activity if it has been renamed, an execution guardrail aimed at sandboxes that rename submitted samples.
- The installer downloads a PNG from image-hosting sites; the PNG contains encoded malicious data which, when decoded, yields shellcode and binaries.
- The decoded components are written to Temp; the loader then runs SysWOW64 binaries (netsh.exe, more.com) and an AutoIt interpreter with dropped .au3 scripts, and injects the StealC payload into the AutoIt process for execution.
- Injection relies on manual mapping of ntdll (loading its own copy and calling internal functions through it, which sidesteps user-mode API hooks placed by security products) and on Heaven's Gate (switching a WoW64 process into 64-bit mode to run x64 code), both meant to defeat detection and analysis.
- StealC steals system, browser, crypto wallet, Discord, Telegram, and mail client data and contacts C2 servers; similar techniques and infrastructure have been used previously by Vidar samples.
- AhnLab recovered multiple MD5s, PNG download URLs, distribution Mega links, and a C2 IP (193.143.1.226) as IOCs tied to the campaign.
MITRE Techniques
- [T1055] Process Injection – StealC is injected into an AutoIt process for execution (“the StealC malware is injected and executed in the AutoIt process.”)
- [T1574.001] DLL Search Order Hijacking – referenced as a prior distribution technique and bypass method in related samples (“infects when running normal EXE files (DLL Hijacking)”)
- [T1620] Reflective Code Loading (manual mapping) – the loader uses manual mapping of ntdll to call internal functions (“the ntdll manual mapping technique”)
- [T1218] Signed Binary Proxy Execution / Living-off-the-Land Binaries – the campaign creates and runs SysWOW64 binaries such as netsh.exe and more.com to assist execution and injection (“SysWOW64 child processes (netsh.exe, more.com) … are executed”)
- [T1497] Virtualization/Sandbox Evasion – the samples check their own file name to avoid analysis/sandbox environments (“If you change the file name, no malicious behavior will occur, and this is intended to bypass analysis environments such as sandboxes.”)
- [T1071.001] Application Layer Protocol: Web Protocols – PNG files and payloads are fetched over HTTPS from image-hosting and file-sharing services to retrieve encoded payloads and C2 information (“a PNG file is downloaded from an image hosting site.”)
Indicators of Compromise
- [MD5 hashes] StealC sample files – c935f54929475d06b6d11c746ac64156, d3bbe6f53dec9b65400f6477fb7ad697 (and other StealC/related hashes)
- [URLs – distribution/PNG hosts] PNG payload hosts and distribution – hxxps://i.ibb[.]co/FxjS8cy/1492239061.png, hxxps://gcdnb.pbrd[.]co/images/ZZsYr33PtdW0.png?o=1 (and multiple other image-hosting URLs)
- [Distribution links] File-sharing distribution sites – hxxps://mega[.]nz/file/AhEBmaBI#lyluDB_AcC4qphklfyKhGYHyJnwyRCfvX2UC-zi6YA8, hxxps://mega[.]nz/file/VWs2HKSQ#PnyLXgyDKNY1REGwFIG2D_K0Vmw8K0z_KM-aVGVEBWI
- [C2 / IP] Command-and-control server – hxxp://193.143.1[.]226/129edec4272dc2c8.php (StealC C2)
When the fake installer runs, it downloads a PNG from image-hosting/file-sharing services; that PNG contains encoded malicious blobs embedded within image data. Decoding the embedded data reconstructs shellcode and binaries, which are written to the Temp directory and staged for execution.
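The page does not say how the campaign encodes its data inside the PNG, so the first triage step is simply to find where in the file the non-image data lives. The script below, an added example rather than AhnLab's tooling or code from the campaign, walks the PNG chunk list and reports the three usual carriers: bytes appended after IEND (ignored by image viewers), chunk types that are not in the PNG specification, and chunks whose CRC does not match (a sign the chunk was written by a packer rather than an image library). The 1x1 image, the private `stEg` chunk and the appended "payload" bytes are all constructed here for the demonstration.

```python
"""Locate candidate payload carriers in a PNG: trailing data after IEND,
non-standard chunk types and CRC mismatches. Added example for this summary;
the sample image and the hidden bytes are constructed, not from the campaign."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types from the PNG spec plus the common APNG/eXIf extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}


def make_chunk(ctype: bytes, data: bytes, corrupt_crc: bool = False) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    if corrupt_crc:  # mimic a packer that does not bother to fix the CRC
        crc ^= 0xDEADBEEF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def triage_png(blob: bytes) -> dict:
    """Walk the chunk list and report anything a plain image would not carry."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    report = {"chunks": [], "unknown": [], "bad_crc": [], "trailing": b""}
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data_start, crc_pos = pos + 8, pos + 8 + length
        if crc_pos + 4 > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[data_start:crc_pos]
        (crc,) = struct.unpack(">I", blob[crc_pos:crc_pos + 4])
        name = ctype.decode("latin-1")
        report["chunks"].append((name, length))
        if ctype not in KNOWN_CHUNKS:
            report["unknown"].append((name, data))
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            report["bad_crc"].append(name)
        pos = crc_pos + 4
        if ctype == b"IEND":
            # Viewers stop here, so anything that follows is a free carrier.
            report["trailing"] = blob[pos:]
            break
    return report


def build_sample() -> tuple:
    """Constructed 1x1 RGB PNG hiding made-up bytes in a private chunk with a
    broken CRC and a second blob appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    hidden = b"\x90\x90\xcc" * 4               # stand-in for encoded shellcode
    appended = b"PAYLOAD:" + hidden
    png = (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
           + make_chunk(b"stEg", hidden, corrupt_crc=True)
           + make_chunk(b"IEND", b"") + appended)
    return png, appended


if __name__ == "__main__":
    png, _ = build_sample()
    r = triage_png(png)
    print("chunks:", r["chunks"])
    print("unknown:", [(t, len(d)) for t, d in r["unknown"]])
    print("bad CRC:", r["bad_crc"])
    print("trailing bytes after IEND:", len(r["trailing"]))
```

A clean image yields no unknown chunks, no CRC failures and no trailing bytes, so each non-empty field is a pointer to the blob that the next stage (XOR, base64, custom decoding, whatever the loader uses) should be tried against. Payload hidden inside legitimate IDAT pixel data will not show up here; that case needs the loader's decoding routine.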
The loader first validates its own filename (a renamed sample does nothing, which defeats sandboxes that rename submissions), then launches SysWOW64 binaries (netsh.exe, more.com), stages AutoIt script files (e.g., WinAPIHObj.au3, DllCall.au3) in Temp and starts an AutoIt process. The shellcode drives the sequence of file creation, execution, and process injection that places the StealC payload inside the AutoIt process, where it runs.
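The process chain above is what endpoint telemetry sees, and it is unusual enough to detect without a hash. The rules below, an added example and not AhnLab's detection content, run over constructed Sysmon-style events (event ID 1 process creation and event ID 3 network connection, already parsed into dicts). Two assumptions are not on the page: that the AutoIt interpreter is named AutoIt3.exe, and that the .au3 files listed are passed to it on the command line; the C2 address is the one from the IOC list.

```python
"""Detection rules for the StealC loader chain over constructed Sysmon-style
events. Added example, not AhnLab's code. Assumed: AutoIt interpreter is
AutoIt3.exe and the .au3 files appear on its command line."""
import ntpath
import re

USER_WRITABLE = re.compile(r"\\(downloads|desktop|temp)\\", re.I)
INSTALLER_NAME = re.compile(r"^setup.*\.exe$", re.I)
SYSWOW64_LOLBINS = {"netsh.exe", "more.com"}   # from the page
AUTOIT_INTERPRETERS = {"autoit3.exe"}          # assumed name (see lead-in)
C2_IPS = {"193.143.1.226"}                     # from the IOC list


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the names of every rule that fires for one event."""
    hits = []
    image = event.get("Image", "")
    if event["EventType"] == "NetworkConnect":
        if event.get("DestinationIp") in C2_IPS:
            hits.append("stealc_c2_contact")
        return hits
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    parent_is_installer = bool(INSTALLER_NAME.match(_base(parent))
                               and USER_WRITABLE.search(parent))
    # Rule 1: a setup*.exe run from a user-writable folder spawns a SysWOW64
    # LOLBin (netsh.exe or more.com). The SysWOW64 path is part of the match,
    # so an admin running the 64-bit netsh from cmd.exe does not fire it.
    if (_base(image) in SYSWOW64_LOLBINS and "\\syswow64\\" in image.lower()
            and parent_is_installer):
        hits.append("installer_spawns_syswow64_lolbin")
    # Rule 2: AutoIt interpreter started from Temp with a .au3 script, or
    # started directly by the installer.
    if (_base(image) in AUTOIT_INTERPRETERS and USER_WRITABLE.search(image)
            and (".au3" in cmd.lower() or parent_is_installer)):
        hits.append("autoit_from_temp")
    return hits


def scan(events: list) -> list:
    """(event index, rule) for every rule that fires, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


INSTALLER = r"C:\Users\alice\Downloads\setup_2024.008.20534_win64_86.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed events modelled on the chain described in the summary.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": INSTALLER,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": INSTALLER},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": INSTALLER, "CommandLine": "netsh.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\more.com",
     "ParentImage": INSTALLER, "CommandLine": "more.com"},
    {"EventType": "ProcessCreate", "Image": TEMP + r"\AutoIt3.exe",
     "ParentImage": INSTALLER,
     "CommandLine": "AutoIt3.exe " + TEMP + r"\DllCall.au3"},
    # Benign control: an admin running the 64-bit netsh from cmd.exe.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"EventType": "NetworkConnect", "Image": TEMP + r"\AutoIt3.exe",
     "DestinationIp": "193.143.1.226", "DestinationPort": 80},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print("event %d: %s -> %s" % (idx, SAMPLE_EVENTS[idx]["Image"], rule))
```

Rule 1 is the strongest signal: more.com has no business being a child of an installer, and a 32-bit netsh.exe launched by a freshly downloaded setup binary is rare even though legitimate installers do call netsh for firewall rules. Rule 2 should be scoped to environments where AutoIt is not in normal use; the C2 rule expires with the infrastructure and is only a backstop.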
Injection and evasion use advanced techniques: manual mapping/reflective loading of ntdll to call internal APIs, and Heaven’s Gate to execute x64 instructions from a WoW64 process—both intended to bypass security products and analysis. Once active, StealC collects system, browser, crypto-wallet, Discord/Telegram, and mail-client data and communicates with C2 infrastructure (examples include hxxp://193.143.1[.]226/…).
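Heaven's Gate works by a far control transfer to code segment selector 0x33, which the CPU executes in 64-bit mode; the return trip uses selector 0x23. Those transfers have a small set of x86 encodings that normal WoW64 code never contains, so a memory dump of a suspect 32-bit process (here, the AutoIt host) can be scanned for them. The scanner below is an added example, not AhnLab's tooling; the buffer it scans is constructed, and the target addresses in it are made up. The page does not give the campaign's exact gate encoding, so this is the generic set of published stubs rather than the one StealC's loader uses.

```python
"""Scan a 32-bit code buffer for Heaven's Gate style far transfers to
selector 0x33 (enter x64 mode) and 0x23 (return to x86). Added example for
this summary; the buffer and addresses are constructed, not from a sample."""
import re

# x86 encodings of the common gate stubs:
#   push 0x33; call $+5; add dword [esp], 5; retf   6A 33 E8 00 00 00 00 83 04 24 05 CB
#   push 0x33; push imm32; retf                     6A 33 68 xx xx xx xx CB
#   jmp far 0033:imm32 / call far 0033:imm32        EA / 9A xx xx xx xx 33 00
#   push 0x23; push imm32; retf (back to 32-bit)    6A 23 68 xx xx xx xx CB
PATTERNS = {
    "push33_call_add_retf":
        re.compile(rb"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb", re.S),
    "push33_push_retf": re.compile(rb"\x6a\x33\x68(....)\xcb", re.S),
    "far_jmp_or_call_33": re.compile(rb"[\xea\x9a](....)\x33\x00", re.S),
    "push23_push_retf_return": re.compile(rb"\x6a\x23\x68(....)\xcb", re.S),
}


def find_heavens_gate(buf: bytes, base: int = 0) -> list:
    """Return one dict per stub found: rule name, address (base + offset) and,
    where the encoding carries one, the 32-bit target address."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            target = int.from_bytes(m.group(1), "little") if m.groups() else None
            hits.append({"rule": name, "offset": base + m.start(), "target": target})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample() -> bytes:
    """Constructed region: NOP filler, the classic stub, INT3 filler, a far jmp
    to a made-up x64 thunk, then the 0x23 return stub."""
    stub = b"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb"
    far_jmp = b"\xea" + (0x00401000).to_bytes(4, "little") + b"\x33\x00"
    ret32 = b"\x6a\x23\x68" + (0x00401200).to_bytes(4, "little") + b"\xcb"
    return b"\x90" * 16 + stub + b"\xcc" * 12 + far_jmp + b"\x90" * 8 + ret32


if __name__ == "__main__":
    for h in find_heavens_gate(build_sample(), base=0x10000):
        tgt = "-" if h["target"] is None else "0x%08x" % h["target"]
        print("0x%08x  %-26s target=%s" % (h["offset"], h["rule"], tgt))
```

Treat a hit as a lead, not a verdict: `6A 33` and `EA` occur in ordinary data, so confirm by disassembling at the reported address, and remember that a loader can build the far pointer with `mov` instructions or compute the selector at runtime, which this byte-level scan will miss. The companion check is to look for the manually mapped ntdll: a second image with `ntdll` section headers in a region that is not in the PEB loader lists.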
Read more: https://asec.ahnlab.com/ko/62976/