StealC InfoStealer Spread By Fake App “VDeck”

WARNING: All links have been defanged for security reasons. Please do not attempt to re–fang any link, if you choose to ignore this warning you do so at your own risk.

Introduction

On 16 May 2024, zeroShadow was approached by one of our clients, who had an employee (hereafter referred to as “the victim”) report a security incident involving the detonation of malware on their machine. zeroShadow investigated the incident for intelligence purposes and this report details our findings.

The victim was contacted on X (formerly Twitter) by an unknown person asking for their advice regarding a “metaverse application” they were reportedly involved with. This conversation ultimately concluded in the threat actor sending a link to a supposed video conference application called “VDeck”, and a request for the victim to book a meeting.

The link provided was:

httpx://vdeck[.]app

Looking into VDeck

The VDeck website is still active, and the domain was created on 29 January 2024.

Upon interacting with the website and attempting to book a meeting, an .exe file was downloaded to the victims machine. This file was hosted on DropBox, a legitimate file storage and sharing service.

VDeck Setup.exe

MD5: 3c3e393dbe67c388d63af77a8fd1010a

SHA-256: c29f6ca9ca0cbe27b9da4499d70add923459d23e69a701772530331a43cd71f8

A search for “VDeck” reveals a larger campaign designed to market the application as genuine.

This includes a Trustpilot page, that is manipulated with fake reviews:

httpx://www.trustpilot[.]com/review/vdeck.app

As well as two profiles on X:

The @VDeck_call profile contains multiple posts, which also have comments from fake/bot accounts, further designed to present VDeck as a genuine application.

A wider search on X shows the user @RyKinderCrypto kindly warning others about VDeck and its campaign targeting members of the Web3/crypto community.

It is clear that VDeck is a large campaign specifically targeting members of the web3/crypto community and is fairly sophisticated. It involves a website, verified X accounts, and a myriad of fake/bot profiles across social media, designed to portray the application as genuine.

StealC and Infostealers

Upon detonation of the malware, the victim immediately realized something was wrong, due to a window quickly appearing and disappearing on their machine, and they subsequently noticed a zipped folder within their directory, indicating that files had been prepared for exfiltration.

The malware was examined and has been identified as an infostealer called “StealC”.

Infostealers are often described as commodity malware, or malware-as-a-service (MaaS), meaning that they are a product which is sold to buyers, rather than malware developed and used by a specific threat actor. Infostealers are commonly sold via Telegram channels and on deep/dark web marketplaces, the ease of purchasing and using an infostealer has significantly lowered the barrier to entry for cyber attacks. 

StealC is a common variant, and is sold for as little as $200 USD per month, on a subscription basis. 

While infostealers are all similar, StealC is commonly used to target the Web3/crypto community, as it is specifically designed to target a vast array of wallets and applications, stealing private keys and configurations, which can then be used to drain wallets!

The threat intelligence team at Sekoia have previously produced an excellent analysis of StealC (Part 1, Part 2).

StealC is capable of targeting a wide array of password manager and crypto wallet extensions and applications, including popular staples such as:

• Your browser password manager

• Bitwarden

• LastPass

• KeePass

• DashLane

• NordPass

• Keeper

• MetaMask

• Binance

• Coinbase

• Rabby

• Ronin Wallet

• Brave Wallet

• OKX Wallet

• Trezor

• Opera Wallet

• Wasabi Wallet

• Electrum

• Exodus

• Electron

• Atomic

• Coinomi

Please note that this is not an exhaustive list, and StealC and other infostealers are in continuous development and are therefore constantly adding to their capabilities.

The data which is exfiltrated by infostealers, can either be abused by the initial threat actor, or alternatively, the data is sold to other criminals for use in theft and fraud. Marketplaces for this data exist on Telegram and the deep/dark web, with access to infostealer data costing as little as $70 USD per month.

What can you do?

Prevention is key:

• Beware of messages you receive via email or on social media that contain links or files, sophisticated attackers will use social engineering to promote user interaction.

• Be cautious of adverts on search engines and across the internet, they may be malicious, even if they appear genuine.

• Do not trust the results of a search engine, just because the results are ranked highly, always carefully check the URL.

• Avoid pirated media, torrents and freeware type sites which often contain malicious content and payloads.

Everyone can make mistakes, so you should also make use of security solutions such as antivirus and endpoint detection and response, and have plans on how to respond to incidents involving infostealers, including how to safeguard wallets and use the services of Web3 security specialists like zeroShadow.

If you experience an infostealer infection:

• Consider the device as compromised until it can be wiped and assessed for the persistence of any malware.

• Quickly take action to change all of your exposed passwords.

• Secure your crypto tokens and assets, your private keys are now likely compromised.

• Kill all active login sessions across services, as stolen cookies can be used to hi-jack these.

• Ensure that multi-factor authentication (MFA) is activated wherever possible, we highly recommend using authenticator applications or hardware solutions over email and SMS.

• Advise your friends, family and colleagues to be cautious of any contact from your accounts.

• Engage the services of a web3 incident response specialist such as zeroShadow.

Original article by the zeroShadow team