Mentioned Malware Families: Stealc, NightshadeC2

Aliases for Stealc: win.stealc
Malpedia link for Stealc: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Aliases for NightshadeC2: win.nightshade_c2, CastleRAT
Malpedia link for NightshadeC2: https://malpedia.caad.fkie.fraunhofer.de/details/win.nightshade_c2

#Stealc #NightshadeC2

Aliases provided by Malpedia.

Stealc (Malware Family)

Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.

Mentioned Malware Families: Stealc, CASTLELOADER, NightshadeC2

Aliases for Stealc: win.stealc
Malpedia link for Stealc: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Aliases for CASTLELOADER: win.castleloader
Malpedia link for CASTLELOADER: https://malpedia.caad.fkie.fraunhofer.de/details/win.castleloader
Aliases for NightshadeC2: win.nightshade_c2, CastleRAT
Malpedia link for NightshadeC2: https://malpedia.caad.fkie.fraunhofer.de/details/win.nightshade_c2

#Stealc #CASTLELOADER #NightshadeC2

Aliases provided by Malpedia.

#blue_team #botnet #NightshadeC2

Actions NightshadeC2 performs after launch:

- determines the external IP address, country and VPN status via a request to `ip-api.com` (to evade sandboxes and analysis);
- collects information about the system (system data, hardware characteristics);
- applies the `UAC Prompt Bombing` technique: repeated UAC prompts to bypass User Account Control;
- deletes itself and excludes itself from `Windows Defender` scanning.

NightshadeC2 has a broad set of capabilities, including a reverse shell and remote control of the system, launching files, keylogging, screen capture, and collection and exfiltration of sensitive data.

Notably, judging by the published report, the attackers may have used an LLM to port the NightshadeC2 malware from C to Python. Some variants of the malware (including the Python ones) also use Steam URLs to communicate with the C2.

Details (https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2).

New Botnet Emerges from the Shadows: NightshadeC2

Learn more about the NightshadeC2 botnet and get security recommendations from TRU to protect your organization from this cyber threat.

eSentire
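The post-launch behaviours listed above (a geolocation lookup to `ip-api.com`, a Windows Defender exclusion, a burst of UAC prompts) are each visible in endpoint telemetry. The following is an added detection sketch, not code from the post or from the eSentire report: it runs three simple rules over constructed Sysmon-style events (assumed field names; event IDs 22, 13 and 1 are Sysmon's DNS query, registry value set and process create). The `updater.exe` path, the registry value and the timestamps are constructed sample data, and `consent.exe` is assumed to be the UAC consent process that each elevation prompt spawns.

```python
"""Detection sketch for the NightshadeC2 behaviours described above.

Added example over constructed events; not the post's or eSentire's code.
Event layout is assumed to resemble Sysmon: id 22 = DNS query, id 13 =
registry value set, id 1 = process create.
"""
from collections import deque
from datetime import datetime

# Constructed sample telemetry (not real logs). updater.exe is the dropped
# file name from the post; everything else is illustrative.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T10:00:01", "id": 22,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "query": "ip-api.com"},
    # A browser doing the same lookup is normal traffic and must not alert.
    {"ts": "2025-09-01T10:00:02", "id": 22,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "ip-api.com"},
    # Defender exclusion written through the documented Exclusions registry key.
    {"ts": "2025-09-01T10:00:05", "id": 13,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp"},
] + [
    # Six consent.exe launches three seconds apart: a UAC prompt burst.
    {"ts": f"2025-09-01T10:00:{10 + 3 * i:02d}", "id": 1,
     "image": r"C:\Windows\System32\consent.exe"}
    for i in range(6)
]

GEOIP_DOMAINS = {"ip-api.com"}
BROWSER_ALLOWLIST = {"firefox.exe", "chrome.exe", "msedge.exe"}  # assumed baseline
DEFENDER_EXCLUSION_PREFIX = r"hklm\software\microsoft\windows defender\exclusions"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_geoip_lookups(events):
    """Images that query a geolocation service and are not allow-listed browsers."""
    return [e["image"] for e in events
            if e["id"] == 22
            and e.get("query", "").lower() in GEOIP_DOMAINS
            and basename(e["image"]) not in BROWSER_ALLOWLIST]


def detect_defender_exclusions(events):
    """(image, registry target) pairs that add a Windows Defender exclusion."""
    return [(e["image"], e["target"]) for e in events
            if e["id"] == 13
            and e.get("target", "").lower().startswith(DEFENDER_EXCLUSION_PREFIX)]


def detect_uac_burst(events, threshold=4, window_seconds=60):
    """Peak number of consent.exe launches inside a sliding window.

    Returns the peak when it reaches `threshold`, else 0. A single prompt is
    ordinary admin activity; the repeated-prompt pattern is what matters.
    """
    times = sorted(datetime.fromisoformat(e["ts"]) for e in events
                   if e["id"] == 1 and basename(e["image"]) == "consent.exe")
    window, peak = deque(), 0
    for t in times:
        window.append(t)
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak if peak >= threshold else 0


def run_detections(events):
    """Run all three rules and return their findings keyed by rule name."""
    return {
        "geoip_lookups": detect_geoip_lookups(events),
        "defender_exclusions": detect_defender_exclusions(events),
        "uac_prompt_burst": detect_uac_burst(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The allowlist and the burst threshold are the two knobs a defender tunes: the geolocation rule is only useful once browsers and other legitimate callers are baselined, and the UAC rule should fire on the repeated-prompt pattern rather than on any single elevation.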

eSentire specialists have described a new botnet/infostealer, NightshadeC2

#blue_team #botnet #NightshadeC2

Infection occurs through fake landing pages (ClickFix) and modified builds of popular software such as CCleaner, Advanced IP Scanner or VPN clients. The file updater.exe, an encrypted and packed binary, lands on the victim's computer.
