Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer

by Valentin / Saturday, 13 January 2024 / Published in RSS blog posts

Luca Stealer Making Waves in the Cyber Threat Landscape

 

Launching new products generates excitement among consumers, who eagerly anticipate the latest technological innovations and advancements. However, this excitement also attracts malicious intent.

Threat Actors (TAs) often take advantage of the hype surrounding new product releases to carry out their devious schemes. These cybercriminals create deceptive phishing sites that impersonate legitimate platforms, seeking to compromise users’ security and privacy. Through these fraudulent websites, TAs deliver malware payloads disguised as genuine applications, leading to potentially severe consequences for unsuspecting users.

Cyble Research and Intelligence Labs (CRIL) has recently discovered a phishing website with the URL “hxxps[:]//microsoft-en[.]com/cryptowallet/,” which is deceptively posing as the legitimate Microsoft Crypto Wallet platform. The main victims targeted by this fraudulent site are cryptocurrency enthusiasts. The site employs a clever disguise, prompting users to download an executable file that supposedly represents the official Crypto Wallet.

Unfortunately, beneath the facade of offering a cutting-edge cryptocurrency solution, this deceptive website harbors a malicious InfoStealer named “Luca Stealer.” The primary purpose of Luca Stealer is to gather sensitive information and personal data from unsuspecting users covertly.

The figure below shows the Microsoft Crypto Wallet phishing site.

Figure 1 – Phishing Site

 

Several months ago, news surfaced regarding Microsoft’s plan to develop a Crypto Wallet exclusively for its Edge browser. In light of this development, a concerning phishing site depicted in Figure 1 has come to our attention.

Although the exact motives behind the creation of this phishing site remain unclear, there are indications that a threat actor (TA) could be exploiting the news to carry out malicious attacks.

One notable detail on the phishing site is the reference to a beta version of the Crypto Wallet application. This mention further strengthens the possibility that the TA is taking advantage of Microsoft’s Crypto Wallet development to lure users into their trap. The attackers aim to deceive users into believing they are accessing an authentic platform by impersonating a legitimate source and referencing the beta version.

Analysis

The file downloaded from this site (SHA256: 480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1) is a 64-bit executable.

The figure below shows the file details.

Figure 2 – File Details

 

Through our investigation, we identified the executable as Luca Stealer. This determination was primarily based on the large number of identical strings present in both the suspect executable and the known Luca Stealer source code. The malware is written in the Rust programming language and first surfaced on cybercrime forums in 2022.

Moreover, our earlier blog shed light on the source code for Luca Stealer, which was openly shared and made available on a cybercrime forum.

The figure provided below clearly illustrates the shared strings that were instrumental in our identification process.

Figure 3 – Common Strings

 

Luca Stealer has garnered increasing popularity within cybercrime forums because it is open source and written in Rust. As a result, multiple TAs have joined forces to enhance its functionality and optimize its performance.

Notably, the source code of this malware has been observed on various platforms, with GitHub and TOR being prominent hosts. This widespread distribution ensures that the code remains easily accessible to a wide range of potential TAs.

The availability of the source code on these platforms facilitates modifications and customizations, allowing TAs to create tailored versions of the malware to suit their nefarious objectives.

Figure 4 – Hosted on Different Platforms

 

During closer examination, a significant update to this stealer revealed the implementation of two noteworthy techniques – Clipper and AntiVM.

The introduction of Clippers marked a concerning development as it enables TAs to intercept and manipulate cryptocurrency addresses during transactions. Through this malicious maneuver, funds intended for one recipient are diverted to the attacker’s wallet instead, resulting in significant financial losses for the victim.

What sets this Clipper apart is its versatility. While its primary focus is cryptocurrency theft, it does not limit its targets to only cryptocurrencies. Instead, it also extends its reach to target IBANs (International Bank Account Numbers). By doing so, the Clipper expands its potential victims to include those engaged in traditional banking transactions, amplifying the risks for a broader range of users.

The scope of the Clipper’s cryptocurrency targets is extensive, comprising popular cryptocurrencies such as XMR, BNB, TRX, ETH, BTC, DOGE, BCH, LTC, DASH, XRP, ADA, TON, NEO, ETC, SOL, ZEC, ALGO, and XLM. By focusing on these high-value cryptocurrencies, the attackers aim to maximize their illicit gains and capitalize on the widespread usage and investment in these digital assets.
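As an added example (not code from the original post or from the Luca Stealer source), the Python below models the failure mode the Clipper exploits from the defender's side: it classifies a clipboard string as a BTC or ETH address or an IBAN (IBANs are validated with the standard ISO 13616 mod-97 check) and flags the tell-tale same-type substitution, where the clipboard still holds a valid address of the same kind but not the one the user copied. The regexes and the sample values are constructed assumptions, and the address patterns cover only common formats.

```python
import re

# Rough shape of the address formats the Clipper is described as rewriting.
# Constructed for this example; not taken from the stealer's own source.
PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "IBAN": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
}


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not PATTERNS["IBAN"].match(s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)  # 'A' -> 10 ... 'Z' -> 35
    return int(digits) % 97 == 1


def classify(text: str):
    """Return which high-value format a clipboard string looks like, or None."""
    s = text.strip()
    if PATTERNS["ETH"].match(s):
        return "ETH"
    if PATTERNS["BTC"].match(s):
        return "BTC"
    if iban_valid(s):
        return "IBAN"
    return None


def swap_suspected(copied: str, pasted: str) -> bool:
    """A clipper keeps the value's type but changes its content: same class
    on both sides, different string. Any other change is treated as benign."""
    kind = classify(copied)
    return kind is not None and kind == classify(pasted) and copied.strip() != pasted.strip()


if __name__ == "__main__":
    # Constructed sample: the user copied one IBAN, the clipboard now holds another.
    copied = "GB82WEST12345698765432"
    pasted = "DE89370400440532013000"
    print("swap suspected:", swap_suspected(copied, pasted))
```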

AntiVM is a defense evasion technique that TAs use to prevent the malware from running in a virtualized environment. We have observed an additional AntiVM technique in this stealer, which sets it apart from the older binary version.

This variant of Luca Stealer now checks the system temperature using a WMI query, specifically the command “SELECT * FROM MSAcpi_ThermalZoneTemperature”.

Most virtual machines return an error when executing the query “SELECT * FROM MSAcpi_ThermalZoneTemperature.” The malware uses this to skip execution in virtualized environments, on the assumption that the absence of valid temperature data, or an error from the query, indicates that the system is a virtual machine. In this way the malware tries to remain undetected and evades security measures that could be triggered in virtual machine setups.

This technique has been employed in the past by malware strains such as GravityRAT.

The figure below illustrates the WMI query used by the stealer.

Figure 5 – WMI Query

 

This stealer targets the following cold crypto wallets:

  • AtomicWallet
  • Exodus
  • JaxxWallet
  • Electrum
  • ByteCoin

This stealer variant targets the following browsers:

  • Edge
  • Chedot (Chedot)
  • Elements Browser
  • Torch
  • Opera
  • Chromium
  • Chrome Canary
  • Epic Privacy Browser
  • UC Browser
  • Opera Stable
  • 7star
  • Chrome SxS
  • Chrome
  • Uran
  • Opera GX
  • Amigo
  • Google Chrome
  • Kometa
  • CozMedia
  • ChromePlus
  • Brave
  • CocCoc Browser
  • Orbitum
  • Vivaldi
  • Mapple Studio
  • CentBrowser
  • Dragon (Comodo Dragon)
  • Sputnik
  • Atom
  • Iridium
  • Sleipnir 5
  • Citrio
  • WooGamble
  • Qip Surf
  • 360browser

The stealer targets the following browser extensions:

  • EOS Authenticator
  • Norton Password Manager
  • Sollet
  • Leaf Wallet
  • Bitwarden
  • Avira Password Manager
  • ICONex
  • Cyano Wallet
  • KeePassXC
  • Trezor Password Manager
  • KHC
  • Cyano Wallet Pro
  • Dashlane
  • MetaMask
  • TezBox
  • Nabox Wallet
  • 1Password
  • TronLink
  • Byone
  • Polymesh Wallet
  • NordPass
  • BinanceChain
  • OneKey
  • Nifty Wallet
  • Keeper
  • Coin98
  • DAppPlay
  • Liquality Wallet
  • RoboForm
  • iWallet
  • BitClip
  • Math Wallet
  • LastPass
  • Wombat
  • Steem Keychain
  • Coinbase Wallet
  • BrowserPass
  • MEW CX
  • Nash Extension
  • Clover Wallet
  • MYKI
  • NeoLine
  • Hycon Lite Client
  • Yoroi
  • Splikity
  • Terra Station
  • ZilPay
  • Guarda
  • CommonKey
  • Keplr
  • Sollet
  • EQUAL Wallet
  • Zoho Vault
  • Norton Password Manager
  • ICONex
  • BitApp Wallet

To fetch the IP address of the infected system, this stealer makes a GET request to hxxps://myip[.]ch. The figure below shows the network activity.

Figure 6 – GET Request

 

Once it gathers the targeted information, it compresses the data to streamline its transfer. To send the stolen data discreetly, the malware leverages a Telegram bot, using the Telegram messaging platform as a covert communication channel. It also sends chat messages containing statistical information about the stolen data. Although straightforward, this functionality gives the attacker real-time updates on the quantity and nature of the compromised data.
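The two network behaviours described above (an IP lookup to myip.ch followed shortly by Telegram bot traffic) can be correlated per client in proxy logs. The Python below is an added example, not part of the original post; the log format and the log lines are constructed for the example, and the `bot<TOKEN>` path segment is a placeholder for the Telegram Bot API's `/bot<token>/<method>` layout.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>", one request per line.
SAMPLE_LOG = """\
2024-01-13T10:00:01 10.0.0.5 GET https://myip.ch/
2024-01-13T10:00:04 10.0.0.5 POST https://api.telegram.org/bot<TOKEN>/sendDocument
2024-01-13T10:05:00 10.0.0.9 GET https://myip.ch/
2024-01-13T11:30:00 10.0.0.9 POST https://api.telegram.org/bot<TOKEN>/sendMessage
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
IP_LOOKUP = re.compile(r"^https://myip\.ch/?$", re.I)
TELEGRAM_BOT = re.compile(r"^https://api\.telegram\.org/bot[^/]+/", re.I)


def parse(log: str):
    """Yield (timestamp, client, method, url) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, client, method, url = m.groups()
            yield datetime.fromisoformat(ts), client, method, url


def find_stealer_beacons(log: str, window: timedelta = timedelta(minutes=5)):
    """Flag clients that GET myip.ch and then POST to a Telegram bot endpoint
    within `window`. Returns a list of (client, lookup_time, post_time)."""
    last_lookup = {}
    hits = []
    for ts, client, method, url in parse(log):
        if method == "GET" and IP_LOOKUP.match(url):
            last_lookup[client] = ts
        elif method == "POST" and TELEGRAM_BOT.match(url):
            seen = last_lookup.get(client)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((client, seen, ts))
    return hits


if __name__ == "__main__":
    for client, seen, ts in find_stealer_beacons(SAMPLE_LOG):
        print(f"{client}: IP lookup at {seen}, Telegram bot POST at {ts}")
```

Only 10.0.0.5 is reported; 10.0.0.9's Telegram request falls well outside the five-minute window, and a single Telegram or myip.ch request on its own is not flagged.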

Conclusion

Luca Stealer shares several key characteristics typical of InfoStealers, but what sets it apart is its specialized emphasis on targeting data associated with cryptocurrency wallets and password management software. This refined focus highlights the malicious intent to exploit the growing popularity and value of cryptocurrencies, as well as the potential for acquiring sensitive login credentials.

The fact that Luca Stealer’s source code is open source further compounds the concern. As more TAs gain access to the codebase, the potential for customization and adaptation of the malware increases significantly. This accessibility allows cybercriminals to create unique variants and modify the behavior of Luca Stealer to suit their specific objectives. Consequently, we can expect a continuous surge in the number of stealer binaries targeting users.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., typically contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beacons at the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566          Phishing
Execution            T1204          User Execution
Defense Evasion      T1497          Virtualization/Sandbox Evasion
Credential Access    T1555          Credentials from Password Stores
                     T1539          Steal Web Session Cookie
                     T1552          Unsecured Credentials
Collection           T1113          Screen Capture
Discovery            T1087          Account Discovery
                     T1518          Software Discovery
                     T1057          Process Discovery
                     T1124          System Time Discovery
                     T1007          System Service Discovery
                     T1614          System Location Discovery
                     T1120          Peripheral Device Discovery
Command and Control  T1571          Non-Standard Port
                     T1095          Non-Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C2 Channel

Indicators of Compromise (IoCs):

Indicators                                                              Indicator type   Description
hxxps[:]//microsoft-en[.]com/cryptowallet/cryptowalletinstaller[.]exe   URL              Phishing Site
hxxps[:]//microsoft-en[.]com/cryptowallet/                              URL              Phishing Site
2753fea9125455e452e1951295158bc5                                        MD5              Luca Stealer
4238700742f6540119fc40f8f001fa1b5da99425                                SHA1             Luca Stealer
480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1        SHA256           Luca Stealer

 

The post Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer appeared first on Cyble.
