Cybersecurity research teams have uncovered a cross-site scripting (XSS) vulnerability in StealC' web-based administration panel, which is used by those who run the stealers of an organization's information. By exploiting this vulnerability, they were able to turn the tables on these attackers.
They discovered how to use this same flaw to collect system fingerprints, monitor live sessions, and download session cookies from the attacker's infrastructure, which was originally developed to collect and store stolen information from victims of cybercrime. CyberArk researcher Ari Novick termed this "the ultimate example of irony," for the reason being that the thieves (i.e., those who steal cookies) had evidently not secured their own cookies.
The origin of StealC and its operation
The StealC malware was first made available to users via a MaaS (malware as a service) in January 2023. Its operators do not provide the user with a copy of the malware to install so the user must create their own method of distributing it to victims.
The most common way to distribute StealC is through video advertisements on YouTube that promote illegal software downloads (also known as the YouTube Ghost Network).
As time went on, there were several ways to distribute StealC including:
1. Using fake files from the Blender Foundation
2. Using social engineering through FileFix
3. Creating false CAPTCHA and ClickFix traps
As the malware has evolved so too has the operation of StealC through:
1. The introduction of Telegram bot notifications
2. Better methods for delivering payloads
3. Redesigned Control Panel (StealC V2)
How the XSS Vulnerability Changed the Game
The breakthrough came after the source code for StealC’s admin panel leaked, giving researchers a chance to study its internals.
Although the exact exploit details were withheld to avoid misuse, the vulnerability allowed JavaScript execution within the panel classic client-side injection caused by insufficient input validation.
Researchers were able to see the following things:
1. Active Operator Sessions
2. Browser Cookies
3. Hardware and System Fingerprints
4. Language/Region
Coincidentally, some basic security controls were not used; for example, httpOnly cookie flags were not indicated for the session, making session-takeover very simple to do.
Profiling a StealC Customer called "YouTubeTA"
One of the StealC customers that we will discuss is an actor named YouTubeTA.
YouTubeTA, relied heavily on YouTube to release false crack files to the following products:
1. Photoshop
2. After Effects
Their operation collected:
1. Over 5,000 infection logs
2. 390,000 stolen passwords
3. More than 30 million cookies
Most cookies were non-sensitive tracking data, but the scale enabled account takeovers, allowing compromised YouTube channels to promote more malicious content—creating a self-reinforcing infection loop.
Some operational errors were made by the operator
The analysis of the panels also determined:
1. There was only one admin user.
2. The admin user system contained an Apple M3 processor.
3. There were active English and Russian language settings.
The threat actor made a critical operational error when he connected to the panels without a VPN and revealed his actual IP address which was connected to a Ukrainian ISP. The threat actor is most likely located in Eastern Europe where Russian is the primary language.
The research presented here demonstrates how the MaaS ecosystem is evolving:
as the MaaS ecosystem increases in size, it will allow attackers to increase their capabilities rapidly, but it will also expose attackers to the same level of risk in terms of security as legitimate businesses experience in the software industry.
Poor coding and rushed software releases are the same vulnerabilities that create opportunities for both the cyber defenses of legitimate businesses and for law enforcement agencies to gain access through the exploitation of the operational weaknesses of these platforms.
In conclusion, based on CyberArk's findings, the aforementioned vulnerabilities that exist in the platform used by CyberArk can also likely exist in other platforms used by cybercriminals, thereby creating an opportunity for law enforcement to identify the operators, map their networks, and disrupt their infrastructure.
Source: The Hacker News