A cross-site scripting (XSS) flaw in the web-based control panel used by operators of the StealC info-stealing malware allowed researchers to observe active sessions and gather intelligence on the attackers’ hardware.
StealC emerged in early 2023 with aggressive promotion on dark web cybercrime channels. It grew in popularity because of its evasion techniques and extensive data theft capabilities.
In the following years, StealC's developer added multiple enhancements. With the release of version 2.0 last April, the malware author introduced Telegram bot support for real-time alerts and a new builder that could generate StealC builds based on templates and custom data theft rules.
Around that time, the source code for the malware's administration panel was leaked, giving researchers an opportunity to analyze it.
CyberArk researchers also discovered an XSS flaw that allowed them to collect browser and hardware fingerprints of StealC operators, observe active sessions, steal session cookies from the panel, and hijack panel sessions remotely.
“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers say.
“Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”
Figure: The StealC builder panel (Source: CyberArk)
CyberArk did not disclose specific details about the XSS vulnerability to prevent StealC operators from quickly pinpointing and fixing it.