Cyber: Stealc Hackers Hacked As Researchers Hijack Malware Control Panels

A cross-site scripting (XSS) flaw in the web-based control panel used by operators of the StealC info-stealing malware allowed researchers to observe active sessions and gather intelligence on the attackers’ hardware.

StealC emerged in early 2023 with aggressive promotion on dark web cybercrime channels. It grew in popularity due to its evasion techniques and extensive data theft capabilities.

In the following years, StealC's developer added multiple enhancements. With the release of version 2.0 last April, the malware author introduced Telegram bot support for real-time alerts and a new builder that could generate StealC builds based on templates and custom data theft rules.

Around that time, the source code for the malware's administration panel was leaked, giving researchers an opportunity to analyze it.

“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers say.

CyberArk did not disclose specific details about the XSS vulnerability to prevent StealC operators from quickly pinpointing and fixing it.

The report highlights one case of a StealC customer, referred to as ‘YouTubeTA’, who hijacked old, legitimate YouTube channels, likely using compromised credentials, and planted links that led viewers to the infection.

Screenshots from the threat actor’s panel indicate that most infections occurred when victims searched for cracked versions of Adobe Photoshop and Adobe After Effects.

By leveraging the XSS flaw, the researchers could determine that the attacker used an Apple M3-based system with English and Russian language settings, used the Eastern European time zone, and was accessing the internet from Ukraine.

Their location was exposed when the threat actor forgot to connect to the StealC panel through a VPN. This revealed their real IP address, which was linked to the Ukrainian ISP TRK Cable TV.

Source: BleepingComputer