Zscaler Blog

Statc Stealer: Decoding the Elusive Malware Threat

SHIVAM SHARMA, AMANDEEP KUMAR
August 08, 2023 - 10 min read

Introduction

Recently, while tracking global threat activity, the Zscaler ThreatLabz team discovered a new information stealer family called Statc Stealer. Statc Stealer is a sophisticated malware that infects Windows devices, gains access to computer systems, and steals sensitive information.

In this comprehensive technical blog post, we unravel the intricate workings of Statc Stealer. By understanding its distribution methods and evasion techniques, we aim to equip you with the knowledge to secure your data against Statc Stealer. We’ll cover the following:

  • Key Takeaways
  • Description
    • Potential for harm
    • Technical details
  • Attack Chain
  • Technical Analysis
    • Evasion using anti-analysis technique
    • Theft and exfiltration of data
    • Transfer and storage of stolen data
  • Other unusual activity
  • Zscaler Coverage
    • Zscaler sandbox coverage
    • MITRE ATT&CK mapping
  • Conclusion
  • Indicators of Compromise (IOCs)

Key Takeaways

  • Stealing Capabilities: Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat. It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram.
  • Code and Evasion: The stealer utilizes C++ code, a common programming language for malware development. The stealer performs filename discrepancy checks to inhibit sandbox detection and reverse engineering analysis by researchers.
  • Architecture and Ideal Target: Statc Stealer targets Windows operating systems and predominantly focuses on browsers used on Windows devices for stealing sensitive information.
  • Encryption for Stealth: The malware leverages HTTPS to hide its activities. Statc Stealer sends the stolen data, which it has already encrypted, to its command-and-control (C&C) server over HTTPS.

Description

Potential for harm

The Zscaler ThreatLabz team recently discovered Statc Stealer. This malicious software gains access to a victim’s data by appearing like an authentic Google advertisement. Once the victim clicks on the advertisement, their operating system is infected with malicious code that steals sensitive data like credentials from web browsers, credit card information, and cryptocurrency wallet details. Unauthorized access to a victim’s computer system can have enormous personal and professional repercussions. Victims become easy targets for identity theft, cryptojacking, and other forms of malware attacks. At the enterprise level, a Statc Stealer breach can result in financial loss, reputational damage, legal liabilities, and regulatory penalties.

Technical details

Statc Stealer begins with an initial dropper. The initial dropper drops a decoy PDF installer and a downloader binary. The downloader binary then fetches Statc Stealer using a PowerShell script. At a glance, both of these malicious files look like legitimate software. However, once Statc Stealer infects the victim’s device, it begins to steal data, encrypt it, and send it to its command-and-control (C&C) server.

In addition, Statc Stealer utilizes evasion techniques to thwart attempts at reverse engineering the malware, making it harder to detect.

Attack Chain

Statc Stealer follows an attack chain that leverages malvertising to disseminate malicious files. The attack chain begins with an innocuous-looking advertisement within the victim's Google Chrome browser. Clicking on the malicious link results in downloading the Statc Stealer’s initial sample file, kicking off the malware infection. The attack chain operates as follows:

  1. A user is tricked into clicking on a malicious link somewhere on their Google Chrome browser (typically an advertisement).
  2. The user inadvertently downloads the Initial Sample file.
  3. After the malicious file executes, the Initial Sample drops and executes a Decoy PDF Installer.
  4. The Initial Sample also drops and executes a Downloader Binary, which fetches the Statc payload through a PowerShell script.
  5. Once Statc Stealer steals the user’s data, it encrypts the data, puts it in a text file, and stores it in the Temp folder.
  6. From here, Statc Stealer calls on its C&C server to deliver the stolen encrypted data.

Figure 1: Statc Stealer attack chain

Initial Sample URL

The URL below is malicious and shows where the initial sample is downloaded.

95[.]217[.]5[.]87[/]Setup64_new0[/]Version2023-new[.]exe

Payload URL

The URL below is malicious and shows the domain from which the Statc payload is downloaded.

check[.]topgearmemory[.]com

In the screenshot below, the address bar contains the malicious URL. You can see that the Statc Stealer payload is disguised as an MP4 file. Hiding a malicious executable behind a media format lends Statc Stealer an innocent appearance, making it harder for traditional security measures to detect its true intent.

Figure 2: Malicious URL used to download Statc Stealer payload
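
The masquerade described above, a Windows executable served under an MP4 name, is exactly the kind of mismatch a download inspection step can catch by comparing the claimed extension with the file's magic bytes. The following is an added example written for this post, not code from Zscaler or the ThreatLabz authors; the host cdn.example.invalid, the `fake_pe` header and the `FAKE_MP4` bytes are constructed for illustration and are not real samples.

```python
"""Detect type masquerading in a downloaded file: a payload served as .mp4
whose bytes are really a Windows PE image. Added example; sample bytes and
URLs are constructed, not taken from the Statc Stealer campaign."""
import posixpath
import struct
from urllib.parse import urlparse

# Content type a defender expects behind each claimed extension.
EXPECTED = {".mp4": "mp4", ".pdf": "pdf", ".exe": "pe", ".dll": "pe"}


def sniff_type(data: bytes) -> str:
    """Identify the real container from magic bytes, never from the name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the 'PE\0\0' signature
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"  # ISO base media file: box size, then 'ftyp' at offset 4
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


def check_download(url: str, data: bytes) -> dict:
    """Compare the extension in the URL path with the sniffed content type."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    claimed = EXPECTED.get(ext, "unknown")
    observed = sniff_type(data)
    mismatch = claimed != "unknown" and observed != claimed
    return {
        "claimed": claimed,
        "observed": observed,
        # A PE image behind a media or document extension is the pattern
        # described for the Statc payload served as an MP4.
        "masquerade": mismatch and observed == "pe",
    }


def fake_pe() -> bytes:
    """Constructed minimal PE header (MZ stub plus PE signature), not malware."""
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


FAKE_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16  # constructed MP4 header

if __name__ == "__main__":
    print(check_download("https://cdn.example.invalid/clip.mp4", fake_pe()))
    print(check_download("https://cdn.example.invalid/clip.mp4", FAKE_MP4))
```

The same check generalizes to any extension in `EXPECTED`; a proxy or EDR hook that sees the response body can flag `masquerade` before the PowerShell stage writes the file to disk.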

Technical Analysis

Evasion using anti-analysis techniques

Typically, info stealers like Statc Stealer employ sophisticated techniques to avoid detection and persist on the victim’s machine.

We found one anti-analysis technique while analyzing Statc Stealer:

  • The sample retrieves its own file name on disk
  • It checks whether that file name matches its expected internal name
  • It stops executing if the two differ

Essentially, if Statc Stealer discovers that its malicious file has been renamed or altered, as analysts and sandboxes often do, it stops in its tracks.

The code in the image below shows how the sample:

  • Performs a FileName check
  • Compares the retrieved file name with a hardcoded encrypted string

Figure 3: File name comparison code

Theft and exfiltration of data

Stealing activity

Statc Stealer has a general information stealing capability. It takes sensitive information from various browsers and wallets, and then stores the data in a text file inside the Temp folder.

Using the Python script mentioned above, we decrypted Statc Stealer’s encrypted strings.

The image below shows various references to “wallets” and “crypto”, indicating that sensitive cryptocurrency information is targeted.

Figure 4: Decrypted strings using Python script

Encrypted strings

Figure 5: Encrypted strings

Decrypted strings