Threat actors delivered the StealC infostealer through a deceptive Google Sheets ad lure: the victim lands on a malicious page, is shown a fake warning, and downloads a loader. The campaign uses obfuscated JavaScript, anti-VM checks, and a Rust-compiled stage (tracked as RustyPita) that retrieves, decrypts and injects the StealC payload, which exfiltrates data and persists; the C2 and payload hosting infrastructure is tied to TrueBot-era activity. #StealC #RustyPita #Kaseya #more_eggs #TrueBot #GoogleSheets
Keypoints
- Infection originated from a deceptive Google Sheets ad that redirected to a downloader for StealC infostealer.
- StealC is a C-based infostealer first advertised on Russian-language forums in January 2023; it borrows from earlier stealers such as Raccoon, Vidar, Redline, and Mars.
- A fake warning message prompts the user to download a "security update" to proceed; this is the lure that delivers the loader.
- The page's source is obfuscated and its strings are base64-encoded with random alphanumeric padding; the JavaScript decodes each string with atob, extracts the numeric value, and converts it to characters.
- The deobfuscated code serves the payload link only to Chrome/Firefox user-agents, so replaying the URL with a non-browser client returns nothing useful. The loader fetches the encrypted StealC payload from update-vinc.in[.]net; payload hosting also involves sheetsdataaccess[.]com and a 1drv.com host, and StealC then beacons to its C2.
- The final StealC payload is injected into the csc.exe process, uses RC4-encrypted strings, and drops the helper DLLs it retrieves under ProgramData.
- The TRU Positive highlights anti-VM checks, Startup persistence, and drive-by/downloader mechanics, with indicators including file hashes and hosting URLs.
MITRE Techniques
- [T1189] Drive-by Compromise – The user was exposed to a malicious ad while attempting to download Google Sheets, redirecting to a downloader for StealC. ‘a malicious ad that the user encountered while looking to download Google Sheets. This ad redirected the user to a malicious page serving a downloader for StealC infostealer malware.’
- [T1204.002] User Execution: Malicious File – A fake warning message prompted the user to download a security update to be able to use the store. ‘The fake warning message prompts the user to download a security update to be able to use the store.’
- [T1027] Obfuscated/Compressed Files and Information – Base64-encoded strings are obfuscated with random prefixes/suffixes; JavaScript decodes them via forEach and atob, then converts to characters. ‘Each base64-encoded string appears to include a random alphanumeric prefix and suffix, with a numerical value in between. The JavaScript code iterates through the array using the forEach method.’
- [T1059.007] Command and Scripting Interpreter: JavaScript – The attack uses JavaScript for decoding and processing the obfuscated strings. ‘The JavaScript code iterates through the array using the forEach method.’
- [T1497] Virtualization/Sandbox Evasion – Anti-VM checks are enabled, including WMI/registry checks to detect virtual environments. ‘AntiVM (enabled)… check_generic… check_usernames… check_gpu_vendor… check_processes’ and ‘AntiVM (using WMI query “SELECT * FROM MSAcpi_ThermalZoneTemperature”, querying the registry keys for HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (VirtualBox)).’
- [T1055] Process Injection – The downloaded payload is injected into the csc.exe process. ‘injects it into the csc.exe process.’
- [T1105] Ingress Tool Transfer – The configuration retrieves the encrypted file from update-vinc.in[.]net, decrypts it, and injects it into the csc.exe process. ‘The configuration retrieves the encrypted file from update-vinc.in[.]net, decrypts it, and injects it into the csc.exe process.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is established via Startup. ‘persistence via Startup.’
- [T1071.001] Web Protocols – The loader and C2 communications use web protocols to fetch payloads and exfiltrate data. ‘The payload hosting URL’ and ‘hxxp://89.208.105[.]162/a7f3bfe3b25537ef.php’ and ‘hxxps://sheetsdataaccess.com/download/index[.]php?uid=70319b8fcd169a8a0b353fc26b1f5dc4’
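The decode loop summarised in the keypoints and in the T1027/T1059.007 entries above, reconstructed as an added example rather than code from the eSentire write-up or from the campaign's page: each array element is assumed to base64-wrap a random letter prefix, a numeric value, and a random letter suffix, with the character code shifted by an assumed constant OFFSET before encoding. The junk alphabet, the offset, the sample string, and the servesPayload user-agent gate are all assumptions chosen to illustrate the scheme; to recover strings from a real sample, swap in whatever arithmetic that sample applies to the extracted number.

```javascript
// Added example: reconstruction of the described string-decoding scheme.
// OFFSET, the junk letters, the sample text and the UA gate are assumptions,
// not values taken from the campaign's script.
const OFFSET = 7; // assumed shift applied to each character code

// Encoder used only to build a constructed sample:
// base64(prefix + String(code + OFFSET) + suffix).
function obfuscateChar(ch, prefix, suffix) {
  return btoa(prefix + String(ch.charCodeAt(0) + OFFSET) + suffix);
}

// Deterministic "random" letters so the constructed sample is reproducible.
// They must contain no digits, or the decoder would pick them up as part of the value.
const JUNK = ["qz", "Wm", "xLb", "P", "kk", "Rt"];

function obfuscate(text) {
  return Array.from(text).map((ch, i) =>
    obfuscateChar(ch, JUNK[i % JUNK.length], JUNK[(i + 1) % JUNK.length]));
}

// Mirrors the loop the page describes: forEach over the array, atob each element,
// take the digits from between the letters, undo the shift, turn it into a character.
function deobfuscate(arr) {
  let out = "";
  arr.forEach((enc) => {
    const raw = atob(enc);                       // e.g. "qz111Wm"
    const num = parseInt(raw.replace(/\D/g, ""), 10);
    if (Number.isNaN(num)) {
      throw new Error("element carries no numeric value: " + raw);
    }
    out += String.fromCharCode(num - OFFSET);
  });
  return out;
}

// The gate the deobfuscated page applies: only browser user-agents get the payload link.
// Assumed matching logic; the point for analysts is that a curl or sandbox fetch
// without a Chrome/Firefox UA will return the decoy rather than the download.
function servesPayload(userAgent) {
  return /Chrome\/|Firefox\//.test(userAgent);
}

// Constructed sample: a defanged, fictitious URL, not one of the page's indicators.
const SAMPLE = obfuscate("hxxps://example[.]invalid/download/index.php");

console.log(SAMPLE.slice(0, 3));          // three opaque base64 blobs
console.log(deobfuscate(SAMPLE));         // the URL recovered from them
console.log(servesPayload("curl/8.4.0")); // false: a replay from curl sees nothing
```

When working a real sample, paste the script's own array and decode routine into node instead of this reconstruction, then grep the output for the hosting URL and the user-agent strings; that is also where the Chrome/Firefox gate shows up, which explains why an automated fetch of the landing page may come back clean.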
Indicators of Compromise
- [Malware Name] RustyPita – 1183eb455a4035ff573f8a4551c24799
- [Malware Name] StealC – d90150a866e48d1958da34fe2bf6ed61
- [URL] StealC C2 – hxxp://89.208.105[.]162/a7f3bfe3b25537ef.php
- [URL] Payload hosting URL – hxxps://sheetsdataaccess.com/download/index[.]php?uid=70319b8fcd169a8a0b353fc26b1f5dc4
- [File] 7mudndvdcr.dll – f3532a174cdcd90330e44111bb8c4175
- [IP] Server hosting the encrypted payload – 194.87.31[.]176
- [IP] C2/associated infrastructure – 94.142.138[.]61 (TrueBot-related hosting)
- [Domain] sheetsdataaccess[.]com – used as a payload hosting domain
- [Domain] l6j4zw.dm.files[.]1drv.com – hosting the payload
Read more: https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets