Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations.
“By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will surprise no one – steal cookies from the very infrastructure designed to steal them,” CyberArk researcher Ari Novick said in a report published last week.
StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model, allowing potential customers to leverage YouTube as a primary mechanism – a phenomenon called the YouTube Ghost Network – to distribute the malicious program by disguising it as cracks for popular software.
Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and a social engineering tactic known as FileFix. StealC, in the meantime, received updates of its own, offering Telegram bot integration for sending notifications, enhanced payload delivery, and a redesigned panel. The updated version was codenamed StealC V2.
Weeks later, the source code for the malware’s administration panel was leaked, providing an opportunity for the research community to identify characteristics of the threat actor’s computers, such as general location indicators and computer hardware details, as well as retrieve active session cookies from their own machines.
The exact details of the XSS flaw in the panel have not been disclosed to prevent the developers from plugging the hole or enabling any other copycats from using the leaked panel to try to start their own stealer MaaS offerings.
In general, XSS flaws are a form of client-side injections that allows an attacker to get a susceptible website to execute malicious JavaScript code in the web browser on the victim’s computer when the site is loaded. They arise as a result of not validating and correctly encoding user input, allowing a threat actor to steal cookies, impersonate them, and access sensitive information.
“Given the core business of the StealC group involves cookie theft, you might expect the StealC developers to be cookie experts and to implement basic cookie security features, such as httpOnly, to prevent researchers from stealing cookies via XSS,” Novick said. “The irony is that an operation built around large-scale cookie theft failed to protect its own session cookies from a textbook attack.”
CyberArk also shared details of a StealC customer named YouTubeTA (short for “YouTube Threat Actor”), who has extensively used Google’s video sharing platform to distribute the stealer by advertising cracked versions of Adobe Photoshop and Adobe After Effects, amassing over 5,000 logs that contained 390,000 stolen passwords and more than 30…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
