SVC New Stealer on the Horizon

SvcStealer 2025 is a new strain of information stealer, delivered through spear-phishing email attachments. We observed SvcStealer campaign activity at the end of January 2025. The malware harvests sensitive data such as machine details, installed software, user credentials and data from targeted cryptocurrency wallets, messaging applications and browsers. It sends the gathered data to the threat actor's (TA) C2 panel and can download another malware family from the C2 server.

The SvcStealer threat actors could sell the gathered details on underground forums as well as criminal marketplaces.

Technical Analysis:

Seqrite observed the SvcStealer malware in the wild during threat hunting. The malware is written in Microsoft Visual C++. Initially, it forms an 11-byte alphanumeric value by obtaining the volume serial number of the victim host's root directory and performing arithmetic operations on it, as shown in Fig 1.

Fig 1: Generating the folder name

The malware then checks whether a folder with this 11-byte alphanumeric name already exists under "C:\ProgramData". If it does not, it creates the folder; if it already exists, the malware terminates so that a second instance does not run on the victim's system, similar to the use of a mutex.

Fig 2: Creating the folder

Once the folder is created, the malware terminates the following processes if they are found running on the system, to avoid monitoring by the system administrator or a security analyst.

Process names: Taskmgr.exe, ProcessHacker.exe, procexp.exe, procexp64.exe

Fig 3: Terminating the processes

It then harvests cryptocurrency wallet data from the victim's host and saves the details in a "Wallets" folder.

Fig 4: Harvesting wallet data

Similarly, it harvests data from the targeted messaging software, FTP client and browsers [passwords, credit card details, history, etc.], along with system information [System_info.txt], user credentials, installed application details [Software_Info.txt], processes running on the victim's host with their PIDs [Windows_Info.txt], a captured screenshot [Screenshot.jpg] and targeted files [by extension] on the victim's host, and stores the extracted details in the folder shown in Fig 2.

List of targeted messengers: 64gram, Discord, Telegram, Tox

List of targeted browsers: Microsoft Edge, Brave, Chromium, Google Chrome, Chrome Canary, Opera, Opera GX, Opera Crypto, Vivaldi, Yandex, Comodo, UC Browser

List of targeted file extensions: .jpg, .pdf, .docx, .csv, .sql, .cpp, .h, .dat, .wallet, .pkey

Fig 5: Collected info details

Fig 6: Obtaining system details

Once it has collected all the information from the victim's host, it compresses the "C:\ProgramData\64A6547CE12C1013156883" folder into a Zip file, as shown in Fig 7.

Fig 7: Compressing the collected information

After that, it tries to establish a connection to the C2 server on port 80. Once the connection is established, the collected details are uploaded in a POST request and the victim machine is registered in the C2 panel. If a C2 session has not yet been created, it waits for 5 seconds [sleep] and keeps beaconing to the C2 server until it gets a successful session.

Fig 8: Sending harvested details to the C2 server

Once the collected details have been sent to the C2 server, it deletes the compressed zip file and the files it stored in "C:\ProgramData\64A6547CE12C1013156883" to wipe out its traces and hinder security analysts and security tools.

Fig 9: Deleting traces of the folder

It generates a UID from the folder name derived from the volume serial number, as shown in Fig 2 [the TA uses this UID as the command for capturing a screenshot of the victim machine], then beacons to the C2 panel, sleeping for 5 seconds between attempts, until it gets a successful session. It has two C2 IP addresses; the second serves as an alternative in case the first C2 domain is not reachable.

Fig 10: Beaconing to the C2 panel [alternative IP address]

Once it successfully establishes the connection to the C2 server, it takes a screenshot, saves it as Screenshot.jpg in "C:\Users\<username>\AppData\Roaming", then sends the captured screenshot to the C2 panel through a POST request.

Fig 11: Sending captured details to the C2 panel

Like the UID, the malware sends tsk [a task command] to the C2 panel. Once it receives the response from the C2 server, it downloads a file from the TA-specified URL given in that response, saves it as temp_[4-digit number derived from the current system time].exe in either C:\Users\<username>\AppData\Local\Temp or C:\Users\<username>\AppData\Roaming [the location is also given in the C2 response], and executes the downloaded file via ShellExecuteW. The malicious C2 domain was not reachable at the time of analysis; this mechanism could be used to download another malware family.

Fig 12: Downloading another malware family
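As an added defender-side example (not code from the original post or from the malware), the following Python turns the behaviour chain described above, the 22-character folder under C:\ProgramData, termination of the listed monitoring tools, the POST to /svcstealer/get.php on port 80 and the temp_NNNN.exe drop in AppData, into a per-host detection over constructed, simplified endpoint telemetry. The event schema, the sample records and the zip-file naming are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original post). Each record is a
# simplified endpoint event; real EDR/Sysmon schemas differ and need mapping.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws01", "path": r"C:\ProgramData\64A6547CE12C1013156883"},
    {"type": "process_terminate", "host": "ws01", "image": "Taskmgr.exe"},
    {"type": "process_terminate", "host": "ws01", "image": "ProcessHacker.exe"},
    {"type": "file_create", "host": "ws01", "path": r"C:\ProgramData\64A6547CE12C1013156883.zip"},
    {"type": "http_request", "host": "ws01", "method": "POST", "dst_port": 80, "uri": "/svcstealer/get.php"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\alice\AppData\Local\Temp\temp_4821.exe"},
    {"type": "http_request", "host": "ws02", "method": "GET", "dst_port": 80, "uri": "/index.php"},
    {"type": "file_create", "host": "ws02", "path": r"C:\ProgramData\Microsoft\Crypto"},
]

# Monitoring tools the post reports the stealer terminating.
MONITOR_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe", "procexp64.exe"}
# 22 hex characters = the 11-byte value derived from the volume serial number;
# matching the ".zip" suffix assumes the archive is named after the folder.
HEX_FOLDER = re.compile(r"^c:\\programdata\\[0-9a-f]{22}(\.zip)?$", re.IGNORECASE)
# temp_<4 digits>.exe dropped in AppData\Local\Temp or AppData\Roaming.
TEMP_DROP = re.compile(r"\\appdata\\(local\\temp|roaming)\\temp_\d{4}\.exe$", re.IGNORECASE)


def classify(event):
    """Return the SvcStealer behaviour an event matches, or None."""
    t = event["type"]
    if t == "file_create" and HEX_FOLDER.match(event["path"]):
        return "volume-serial folder/zip in ProgramData"
    if t == "process_terminate" and event["image"].lower() in MONITOR_TOOLS:
        return "monitoring tool terminated"
    if (t == "http_request" and event.get("method") == "POST"
            and event.get("dst_port") == 80
            and event["uri"].lower().endswith("/svcstealer/get.php")):
        return "POST to /svcstealer/get.php"
    if t == "file_create" and TEMP_DROP.search(event["path"]):
        return "temp_NNNN.exe dropped in AppData"
    return None


def detect(events, min_behaviours=2):
    """Flag hosts with at least min_behaviours distinct behaviours, so a lone
    Task Manager exit does not alert while the full chain does."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["host"]].add(label)
    return {h: sorted(b) for h, b in hits.items() if len(b) >= min_behaviours}
```

On the constructed sample, detect(SAMPLE_EVENTS) flags only ws01, with all four behaviours present.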

IOCs:


Detections:

TrojanSpy.SvcStealer.S35070558, TjnSpy.SvcStealer.S35070557

YARA rule:

import "pe"

rule SvcStealer
{
    strings:
        // Unrolled imul/sub arithmetic sequence from the folder-name generation (see Fig 1)
        $svc1 = {88 44 24 5A 69 C0 CF 1C 13 00 2D D1 DE A9 68 88 44 24 5B 69 C0 CF 1C 13 00 2D D1 DE A9 68 88 44 24 5C 69 C0 CF 1C 13 00 2D D1 DE A9 68 88 44 24 5D}
        // "/svcstealer/get.php" C2 path
        $svc2 = {2f 73 76 63 73 74 65 61 6c 65 72 2f 67 65 74 2e 70 68 70}
        $svc3 = "SvcStealer" wide ascii
        // "Screenshot.jpg"
        $svc4 = {53 63 72 65 65 6E 73 68 6F 74 2E 6A 70 67}

    condition:
        all of them
}

MITRE ATT&CK TTPs:

Tactic                 Technique / Procedure
Initial Access         T1566.001: Phishing: Spearphishing Attachment
Defense Evasion        T1070.004: Indicator Removal: File Deletion
Credential Access      T1056.001: Input Capture: Keylogging
                       T1552.001: Unsecured Credentials: Credentials In Files
Discovery              T1012: Query Registry
                       T1518: Software Discovery
                       T1057: Process Discovery
                       T1082: System Information Discovery
                       T1083: File and Directory Discovery
Collection             T1560: Archive Collected Data
                       T1056.001: Input Capture: Keylogging
                       T1113: Screen Capture
Command and Control    T1071: Application Layer Protocol

Conclusion:

Threat actors deliver this malware through spear phishing, with malicious documents/Excel files or executable binaries attached; users should avoid opening such suspicious emails. The SvcStealer malware developer could act as an initial access broker [IAB]. The malware implements evasive techniques by deleting the files and folder it created and by killing monitoring processes. It could also download additional payloads such as a botnet. It ensures that only one instance runs on the victim's machine by generating the folder name from the volume serial number.

The post SVC New Stealer on the Horizon appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.