StealBit

Malware

⚠️ Overview

StealBit is a custom data exfiltration tool developed and operated by the LockBit ransomware group and supplied to its affiliates. It was first advertised with LockBit 2.0 in mid-2021 (marketed as the "fastest" exfiltration tool) and was publicly analyzed by Trend Micro in August 2021, with further technical analyses from other vendors following. It belongs to the data theft and exfiltration category: a dedicated stealer that automates the harvesting of sensitive files from the victim network before the LockBit ransomware encryption phase, supplying the leverage for double extortion.

🔧 Technical Capabilities

Public analyses describe StealBit as a native Windows executable written in C/C++ (not .NET) that uses multi-threaded, I/O-completion-port-driven file scanning to enumerate local and mapped network drives, filtering by file extension (e.g., .docx, .xlsx, .pdf). Harvested files are pushed to hardcoded command-and-control (C2) IP addresses over HTTP, primarily with HTTP PUT requests; throughput through parallel uploads is the tool's defining feature, and the published analyses do not describe ZIP archives being staged on disk first. Shadow-copy deletion is a function of the LockBit encryptor, not of StealBit. Evasion documented in the analyses consists of a system language/locale check that aborts on CIS-region hosts and self-deletion once exfiltration completes; sandbox process-name checks and API unhooking are sometimes attributed to it but are not confirmed by the analyses cited here. C2 traffic is plaintext HTTP to bare IP addresses, so it can be inspected and blocked at the proxy or egress point; treat reports of TLS-wrapped variants as unverified and monitor both. The tool has no persistence mechanism of its own: affiliates stage and run it during hands-on-keyboard activity after initial access, typically immediately before the encryptor is deployed.

📜 History & Notable Incidents

StealBit was introduced with LockBit 2.0 in mid-2021 and was used in the August 2021 Accenture intrusion, in which LockBit claimed to hold 6 TB of data, demanded a reported $50 million, and published some of the data when no payment was made. It has been maintained alongside LockBit 3.0 (released June 2022). In June 2023, CISA, the FBI and partner agencies published advisory AA23-165A on LockBit, which lists StealBit among the affiliates' exfiltration tooling and catalogues initial-access vulnerabilities exploited by affiliates, including CVE-2021-44228 (Log4Shell); the November 2023 advisory AA23-325A covers LockBit 3.0 affiliates' exploitation of CVE-2023-4966 (Citrix Bleed). CVE-2023-34362 (MOVEit Transfer) was exploited by the Cl0p group and is not part of the LockBit/StealBit record. No CVE exists for StealBit itself, because CVE identifiers describe vulnerabilities in products, not malware.

🔍 Detection Indicators

Hash-based indicators: take SHA256 values for StealBit directly from the vendor and CISA reports rather than from secondary lists (a valid SHA256 is 64 hexadecimal characters; anything shorter or visibly patterned has been mis-transcribed), and expect them to change with every LockBit build. Behavioral signatures are more durable: a single process rapidly opening files by extension across every local and mapped drive, followed by sustained outbound HTTP PUT/POST uploads from a workstation to a bare IP address rather than a hostname, frequently on a non-standard port. A browser-like User-Agent string such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)" is a default value, so on its own it matches legitimate traffic and must be combined with volume and destination criteria. Domain-based blocking is of limited use because the analyzed samples carry hardcoded IP addresses; treat any published domain list as unverified until corroborated. The tool installs no persistence, so do not expect run keys or services; look instead for the dropped executable, its self-deletion, and the encryptor that follows it.

☠️ Risk & Impact

StealBit's primary risk is bulk data exfiltration before encryption, which gives the LockBit group the leverage for double extortion: buying a decryptor does not prevent the leak, and an organisation that restores cleanly from backups can still be extorted over the stolen data. Affected sectors include healthcare, finance, government and manufacturing. CISA's June 2023 advisory (AA23-165A) counted roughly 1,700 LockBit attacks on U.S. organisations since 2020 and about $91 million in ransoms paid. The Accenture incident illustrates the scale of demands: LockBit asked for a reported $50 million, although Accenture stated the intrusion had no material impact on its operations; the full cost of an incident also includes remediation, breach notification and regulatory exposure for the exfiltrated data.

🛡️ Mitigation

Mitigation combines prevention of the exfiltration itself with detection of its precursors. Detection: EDR or SIEM rules for mass file enumeration by one process across several volumes, and for sustained HTTP PUT/POST uploads from endpoints to unfamiliar IP addresses, ideally with a byte-volume threshold per source host. Containment: egress filtering that forces web traffic through an authenticating proxy (StealBit talks to bare IPs over plain HTTP, which a default-deny egress policy blocks outright), network segmentation to keep file servers off the path of a compromised workstation, and restrictions on SMB access to shares from non-server hosts. Hardening: patch the initial-access vulnerabilities catalogued for LockBit affiliates (for example CVE-2021-44228 and CVE-2023-4966) and enforce MFA on remote access. CISA, the FBI and partner agencies publish these recommendations and indicators in advisories AA23-165A and AA23-325A. YARA rules for StealBit should key on strings and code patterns of the native C/C++ binary rather than on .NET bytecode, and should be refreshed as new builds appear.
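The following script is an added example, not code from the page or from any vendor report, showing how the two behavioral indicators above (mass file enumeration across volumes, then bulk HTTP PUT/POST uploads to a non-allowlisted IP) can be turned into sliding-window detection logic and correlated per host. All telemetry, host names, IPs, paths, the allowlist address and the thresholds are constructed for the example and are assumptions to be tuned to your own environment.

```python
import ntpath
from collections import defaultdict, deque
from typing import NamedTuple

# --- Constructed sample telemetry (invented hosts, IPs and paths; not real IOCs) ---

class Flow(NamedTuple):
    ts: int          # epoch seconds
    src: str         # internal host name
    dst: str         # destination IP
    port: int
    method: str      # HTTP method
    bytes_out: int   # request body size in bytes

class FileEvent(NamedTuple):
    ts: int
    host: str
    pid: int
    path: str

ALLOWED_UPLOAD_DST = {"198.51.100.5"}        # assumed allowlist: corporate backup target
TARGET_EXT = {".docx", ".xlsx", ".pdf"}      # extensions the page says StealBit targets

SAMPLE_FLOWS = (
    # six 25 MB PUTs within one minute from one workstation to a bare IP on port 8080
    [Flow(1700000000 + 10 * i, "WS-042", "203.0.113.10", 8080, "PUT", 25_000_000) for i in range(6)]
    # legitimate bulk traffic to the allowlisted backup destination
    + [Flow(1700000000 + 30 * i, "SRV-BK1", "198.51.100.5", 443, "POST", 80_000_000) for i in range(4)]
    # ordinary small form posts from another workstation
    + [Flow(1700000000 + 60 * i, "WS-017", "203.0.113.20", 443, "POST", 4_000) for i in range(6)]
)

SAMPLE_FILE_EVENTS = (
    # one PID touching 300 target-extension files on C: and a share inside 15 seconds
    [FileEvent(1700000100 + i // 10, "WS-042", 4120, f"C:\\Users\\jdoe\\Documents\\report_{i}.docx") for i in range(150)]
    + [FileEvent(1700000100 + i // 10, "WS-042", 4120, f"\\\\fs01\\finance\\q{i}.xlsx") for i in range(150)]
    # a user opening a handful of PDFs over 20 seconds (benign)
    + [FileEvent(1700000100 + i, "WS-017", 3300, f"C:\\Users\\asmith\\Desktop\\note_{i}.pdf") for i in range(20)]
)

def volume_of(path: str) -> str:
    """Drive letter for local paths, \\\\server\\share for UNC paths."""
    if path.startswith("\\\\"):
        parts = path.split("\\")
        return "\\\\" + "\\".join(parts[2:4])
    return path[:2]

def upload_alerts(flows, window=600, byte_threshold=100_000_000, min_requests=5):
    """Flag a (src, dst, port) tuple whose HTTP PUT/POST bytes to a non-allowlisted
    destination reach byte_threshold within `window` seconds (sliding window)."""
    alerts, fired, recent = [], set(), defaultdict(deque)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.method not in ("PUT", "POST") or f.dst in ALLOWED_UPLOAD_DST:
            continue
        key = (f.src, f.dst, f.port)
        q = recent[key]
        q.append(f)
        while q and f.ts - q[0].ts > window:   # drop flows that aged out of the window
            q.popleft()
        total = sum(x.bytes_out for x in q)
        if len(q) >= min_requests and total >= byte_threshold and key not in fired:
            fired.add(key)                     # alert once per tuple, not per request
            alerts.append({"host": f.src, "dst": f"{f.dst}:{f.port}", "bytes": total,
                           "requests": len(q), "nonstandard_port": f.port not in (80, 443)})
    return alerts

def enumeration_alerts(events, window=60, min_files=200, min_volumes=2):
    """Flag a (host, pid) that opens min_files target-extension files spanning at
    least min_volumes drives/shares within `window` seconds: StealBit-style sweeping."""
    alerts, fired, recent = [], set(), defaultdict(deque)
    for e in sorted(events, key=lambda x: x.ts):
        if ntpath.splitext(e.path)[1].lower() not in TARGET_EXT:
            continue
        key = (e.host, e.pid)
        q = recent[key]
        q.append(e)
        while q and e.ts - q[0].ts > window:
            q.popleft()
        volumes = {volume_of(x.path) for x in q}
        if len(q) >= min_files and len(volumes) >= min_volumes and key not in fired:
            fired.add(key)
            alerts.append({"host": e.host, "pid": e.pid, "files": len(q), "volumes": sorted(volumes)})
    return alerts

def correlate(flows, events):
    """Hosts that both swept files and pushed bulk uploads: the highest-confidence hits."""
    sweep_hosts = {a["host"] for a in enumeration_alerts(events)}
    return [a for a in upload_alerts(flows) if a["host"] in sweep_hosts]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_FLOWS, SAMPLE_FILE_EVENTS):
        print("Exfiltration suspect:", alert)
```

On the sample data only WS-042 trips both rules: the backup server is excluded by the allowlist, and WS-017 stays under both the byte and file-count thresholds. The per-tuple sliding window means the upload rule fires on sustained volume rather than a single large request, and the correlation step is what keeps a busy but legitimate file-sync client from paging anyone by itself.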


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.