Threat Research

Cyble – LOLI Stealer – Golang-based InfoStealer Spotted In The Wild

Securonix

New Stealer Being Sold Via MaaS Model

Cyble Research Labs has been actively monitoring various Stealers and blogging about them to keep our readers aware and informed. Recently, we came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”

LOLI Stealer is an Info Stealer that steals sensitive information such as passwords, cookies, screenshots, etc., and exfiltrates this data from the victim’s machine.

LOLI Stealer initially surfaced on cybercrime forums around June 2022. The post made by the TA on a cybercrime forum is shown below.

Figure 1 – TAs post on a cybercrime forum about LOLI Stealer
Figure 1 – TA’s post on a cybercrime forum about LOLI Stealer

The figure below shows one of TA’s advertisements in a cybercrime forum.

The TA sells this stealer for fairly low prices, as listed below:

  • 499 rubles (~9USD)      – a month
  • 799 rubles (~14USD)    – 2 months
  • 1499 rubles (~25USD) – lifetime + universal sorter as a gift
Figure 2 Advertisement used by TA
Figure 2 – Advertisement used by TA

Additionally, the TA has claimed that the stealer has the following features in their post:

  • Stealing passwords, cookies, histories, etc. from a huge number of browsers based on Gecko/Chromium
  • Gathering wallet information from 10 cryptocurrency wallets,
  • Extracting session data from the Telegram and Steam applications.

The below figure shows the post made by the TA on a cybercrime forum.

Figure 3 LOLI Stealer features
Figure 3 – LOLI Stealer features

Through the course of our research, we have identified over 20 different samples related to LOLI malware since June 2022, indicating that the malware has been actively deployed in recent weeks.

The below figure shows the LOLI stealer’s active C&C panel.

Figure 4 LOLI Stealer Panel
Figure 4 – LOLI Stealer Panel

Technical Analysis

We have taken the below sample hash for our analysis: (SHA256), 595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec, which is a 64-bit executable file packed with UPX.

After conducting a string analysis of the unpacked UPX file, we confirmed that the file is a Golang binary. The unique build ID of the Go compiled binary is shown below.

Figure 5 Go Build ID
Figure 5 – Go Build ID

Upon executing the malware file, it attempts to identify if the file is running in a WINE environment by checking the wine_get_version()  function via the theGetProcAddress() API.

Figure 6 Anti analysis Technique
Figure 6 – Anti-analysis Technique

Then, the malware creates a new folder with a random name at the %homepath% location, as shown in Figure7. The malware will use this newly created random folder to store stolen information such as passwords, crypto wallets, etc.

Figure 7 – Random folder created by the Stealer
Figure 7 – Random folder created by the Stealer

After this, the stealer starts extracting crypto wallet information by querying and reading files from the below-mentioned directories and saves them under a subfolder named Wallets,” which is created inside the random folder in the %homepath% location.

Below is the list of crypto wallets accessed by the stealer:

  • “AppDataRoaming/Zcash/”
  • “AppDataRoaming/Armory/”
  • “AppDataRoaming/bytecoin/”
  • “AppDataRoamingcom.liberty.jaxxIndexedDBfile__0.indexeddb.leveldb”
  • “AppDataRoamingEthereumkeystore”
  • “AppDataRoamingElectrumwallets”
  • “AppDataRoamingatomicLocal Storageleveldb”
  • “AppDataRoamingGuardaLocal Storageleveldb”
  • “AppDataRoamingCoinomiCoinomiwallets”
  • AppDataRoamingExodusLocal Storageleveldb

The below figure shows that the malware accesses one of the crypto wallets named Ethereumto extract wallet information.

Figure 8 – Accessing Ethereum Crypto wallet
Figure 8 – Accessing Ethereum Crypto-wallet

After extracting the cryptocurrency wallet details, the malware queries installed browser directories in the victim’s machine and searches for the below browser-related files stored in the “SQLite format 3”:

  • Cookies
  • Passwords
  • History
  • Autofill
  • Shortcuts
  • Bookmarks

After identifying the files, the malware creates new subfolders with the browser name under the previously created random folder (Refer to Figure 7) and stores the stolen files, as shown below.

Figure 9 – Newly created files from the Chrome browser directory to a random folder
Figure 9 – Newly created files from the Chrome browser directory to a random folder

Additionally, if the Telegram and Steam applications are installed on the victim’s machine, the stealer searches the config files and other session data files and stores them under “Telegram” and “Steam” folders, respectively.

The below image shows the malware accessing the Telegram Desktop directory to extract the config file details.

Figure 10 – Accessing Telegrams config information
Figure 10 – Accessing Telegram’s config information

Then, the stealer grabs all text files from the “Desktop” folder and stores them under the Grab Filesfolder. It also takes a screenshot of the victim’s machine using the BitBlt() API function from the Gdi32.dll library and saves it with the name “WebStealer.png.”

The API function used by the stealer to take a screenshot of the victim’s machine is shown below.

Figure 11 BitBlt API to take Screenshot
Figure 11 – BitBlt() API to take Screenshot

The malware then starts processing the “SQLite format 3” browser-related files, extracts sensitive information, and stores it in a text file, as shown in Figure 12.

The malware specifically extracts the passwords from all browsers’ “Password” files and saves them to a new file, Passwords.txt.”

The figure below shows how the stealer extracts the victim’s browser history from the SQLite format 3 file.

Figure 12 – Extracted Victims Browser History
Figure 12 – Extracted Victims’ Browser History

After collecting all the information, the stealer creates a ZIP archive out of the stolen files for exfiltration.

Initially, it converts the zip archive into Base64 format and then adds the below header information before the Base64-encoded text.

PassworldX No.of passwords collected
chatID Chat ID
coockiesX No.of cookies collected
Grabfiles Status of files grabbed (Yes or No)
Tgstat Status of Telegram data collected (Yes or No)
Wallets Status of crypto wallet data collected (Yes or No)
Zipx Base64 text of ZIP file which contains stolen data

Then, the stealer sends the Base64-encoded ZIP file along with the count and status of the stolen data to the below URL:

  • hxxp[:]//webStealer[.]ru/gate[.]php.

The below figure shows the code snippet used by the stealer for sending the stolen information to its C&C server (shown above).

Figure 13 – Code snippet of CC connection
Figure 13 – Code snippet of C&C connection

The below figure shows the network communication of the malware’s data exfiltration.

Figure 14 – Data
Figure 14 – Data Exfiltration

After exfiltration, the stealer deletes all the collected files from the folder previously created by the malware using the DeleteFileW() API function, as shown below.

Figure 15 Deleting stolen files
Figure 15 – Deleting stolen files

Conclusion

Loli Stealer is a relatively recent Infostealer strain. Though there are well-known and highly-used stealers in cybercrime marketplaces, TAs often choose to adopt new toolkits that help them update their Tactics, Techniques, and Procedures. Info Stealers are a growing concern as they assist TAs in gaining initial access, which can help them compromise corporate networks.

Cyble has observed several data breaches in high-profile organizations due to TAs gaining initial access through such malware. Organizations and individuals should thus continue to follow industry-standard cybersecurity practices to secure themselves and their firms.

Our Recommendations

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solution on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Execution T1204 User Execution
2Defense Evasion T1497
T1027		 Virtualization/Sandbox Evasion
Software Packing
Discovery T1518
T1082		 File and Directory Discovery
System Information Discovery
Credential Access T1552 Credentials In Files
Collection T1005
T1560
T1113		 Data from Local System
Archive Collected Data
Screen Capture
CNC T1071 Application Layer Protocol

Indicator Of Compromise (IOCs)

Indicators Indicator
Type		 Description
09e7df1b7af441df97311eb490cf6253
71542eba588e5500118a46e6918f6b19f9e69b66
595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec		 MD5
SHA1
Sha256		 DsMicrosoft_Launcher.exe
hxxp[:]//webStealer[.]ru/gate[.]php URL C&C

Source: https://blog.cyble.com/2022/08/03/loli-stealer-golang-based-infostealer-spotted-in-the-wild/

Tags: MOBILE, EXFILTRATION, EMAIL, VIRUS, DLP, PASSWORD, INITIAL ACCESS, BROWSER