Cyble – Luca Stealer Source Code Leaked On A Cybercrime Forum

Rust-based Malware Targeting Crypto Users

During a routine threat-hunting exercise, Cyble Research Labs discovered an unknown Rust-based stealer, which we have dubbed “Luca Stealer.” The source code of this stealer was leaked on a popular cybercrime forum for free on July 3, 2022. We have already witnessed over 25 samples based on this source code present in the wild. Rust is rapidly becoming one of malware developers’ most preferred programming languages because of its versatility and evasion capabilities.

The developer of the stealer appears to be new on the cybercrime forum and likely leaked the source code of the stealer to build a reputation for themselves. The developer has also provided the steps to modify the stealer and compile the source code for ease of use. The stealer has been updated thrice, and the malware developer is continuously adding multiple functionalities at the time of our analysis.

The stealer can target multiple Chromium-based browsers, chat applications, crypto wallets, and gaming applications and has the added functionality of stealing victims’ files. After making multiple updates to the source code of the stealer on the cybercrime forum, the developer recently released the source code on GitHub, which can lead to wider usage and adoption of the stealer. Figure 1 shows the post made by the developer on a cybercrime forum.

Figure 1 – Developers Post on Cybercrime Forum
Figure 1 – Developer’s Post on Cybercrime Forum

Initially, the stealer was designed to exfiltrate stolen data using a Telegram bot. However, due to the limitation of only being able to upload data in sizes up to 50 MB, compatibility with Discord webhooks was added to the stealer.

We witnessed that multiple Threat Actors (TAs) might have contributed to this stealer’s development, as shown below.

Figure 2 Contribution from other TAs
Figure 2 – Contribution from other TAs

The figure below shows Luca Stealer’s Features.

Figure 3 Luca Stealer Features
Figure 3 – Luca Stealer Features

The figure below shows a Log file shared by a TA on a cybercrime forum indicating that multiple TAs have already started using this stealer.

Figure 4 Stealer Logs Shared by the TA
Figure 4 – Stealer Logs Shared by the TA

Source Code Analysis

Functionality

Using the environment variable %localappdata%, the stealer identifies the path of the LocalAppData folder. Before initiating stealing activities, it checks if the “logsxc” folder is present in the AppData directory to prevent multiple executions. If this folder is not present, the stealer creates one with hidden attributes for saving stolen data.

The Luca stealer uses my_internet_ip, a Rust crate, to identify the victim’s public IP address and the ipgeolocate library to identify the victim’s geolocation.

Figure 5 – Identifying the victims Public IP
Figure 5 – Identifying the victim’s Public IP

The stealer then uses the screenshots library to grab a screenshot of the victim’s system and saves that as a .png file for exfiltration. The figure below shows the screenshot library used by the malware.

Figure 6 Grabbing Screenshot
Figure 6 – Grabbing Screenshot

For stealing the system details, the stealer uses the whoami library. The figure below shows the implementation of the whoami library in the stealer.

Figure 7 Using whoami Library
Figure 7 – Using whoami Library

The table below shows a few function names available in the whoami library used by the stealer to fetch the victim systems’ details. The stealer fetches the below system information along with IP and geolocation and saves it to a file named “info.txt.”

Function Description
desktop_env Get the desktop environment.
devicename         Get the device name (also known as “Pretty Name”), used to identify the device for BlueTooth pairing.
distro_os              Get the name of the operating system distribution and (possibly) version.
hostname          Get the host device’s hostname.
username          Get the user’s username.
Language Get the user’s preferred language(s).

The stealer then creates a file named “system_info.txt” for storing the victim’s data, such as:

  • Network interface name and their data transmission rate.
  • The number of CPUs and memory segregated into the following components:
    • total memory
    • used memory
    • total swap 
  • List of running processes 
Figure 8 Fetching System Info
Figure 8 – Fetching System Info

The Luca Stealer targets over 30 Chromium-based browsers. The figure below displays the list of browsers targeted by the stealer. It steals Login Credentials, Credit Cards, and Cookies from browsers and saves them to a text file for exfiltration. To decrypt browser data, the stealer leverages the Dpapi.CryptUnprotectData() function.

Figure 9 Targeted Chromium Browsers
Figure 9 – Targeted Chromium Browsers

The stealer targets 10 cold crypto wallets, as shown in Figure 10. The TA has mentioned the hardcoded path of the wallets in the source code, from where the stealer is grabbing the wallets for exfiltration.

Figure 10 Targeting Cold Crypto Wallets
Figure 10 – Targeting Cold Crypto Wallets

The stealer also targets browser extensions of password managers and crypto wallets for over 20 browsers. Every browser extension has a unique ID, which can be used to search for the required extensions in the browser’s folder in the “AppData” directory. The stealer grabs extensions mentioned in the figure below if they are present in the victim’s system.

Figure 11 Targeting Browser Add ons
Figure 11 – Targeting Browser Add-ons

Luca stealer also targets the Steam, Uplay, and Telegram applications. It initially checks if these applications are present on the victim’s system and then grabs data from the following folders:

  • AppDataRoaming Ubisoft Game Launcher
  • AppDataRoamingTelegram Desktoptdata
  • Program Files (x86) team
Figure 12 Grabbing Session Tokens
Figure 12 – Grabbing Session Tokens

The stealer also targets four messenger applications: Discord, ICQ, Element, and Skype.

To steal Discord tokens, the malware targets the following directories:

  • DiscordLocal Storageleveldb
  • Discord PTBLocal Storageleveldb
  • Discord Canaryleveldb

It uses regex to find the Discord tokens in the log files and saves them to a file named “discord_tokens.txt.” The malware grabs the file present in “ElementLocal Storageleveldb” for stealing Element’s session and saves them under a folder named Element.

The stealer then grabs the ICQChat files from “AppDataRoaming ICQ001 “and saves them under a folder named “ICQ.”

For stealing sessions from Skype, the malware grabs files from AppDataRoamingMicrosoftSkypeDesktopLocal Storage and saves them under a Skype folder.

The stealer creates a compressed file named “out.zip” in the AppDataLocalTemp directory. This compressed file is created out of the folder used to save the stolen data. Then, it exfiltrates this data using Discord Webhooks or a Telegram Bot as specified by the TA. The stealer also sends the summary of stolen data as a chat message, such as the Count of passwords, IP address, OS details, etc. The figure below shows the format of the chat message.

Figure 13 Sending Summary via Chat Message
Figure 13 – Sending Summary via Chat Message

Conclusion

At the time of publishing this analysis, Luca stealer can only currently target Windows-based Operating Systems (OS). Though the stealer is coded in Rust, a cross-platform programming language, the TA has used environment variables restricted to Windows OS to identify the path to certain directories.

In the future, we might witness more capabilities added to this stealer; for example, the TA might also be working on adding a clipping functionality to the stealer. As the stealer is written in Rust and is released for free, we can expect it to be adopted by multiple Threat Actors across the world.

Our Recommendations

  • Avoid downloading files from untrusted sources. 
  • Clear browsing history and reset passwords at regular intervals.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.  
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.  
  • Enable Data Loss Prevention (DLP) Solution on the employees’ systems.  

  MITRE ATT&CK® Techniques   

Tactic   Technique ID   Technique Name  
Execution    T1204   User Execution  
Credential Access   T1555  
T1539  
T1552  
T1528  
Credentials from Password Stores  
Steal Web Session Cookies 
Unsecured Credentials
Steal Application Access Token  
Collection   T1113   Screen Capture  
Discovery   T1518 
T1124 
T1007  
Software Discovery 
System Time Discovery
System Service Discovery  
Command and Control   T1071   Application Layer Protocol  
Exfiltration   T1020    Automated Exfiltration

  Indicators of Compromise (IoCs):    

Indicators   Indicator type   Description  
60a9f28b0fb727587b7b8fd326a86685
b0dbef65d1c3575f0e4fe6c466a952deeed804a1
2e9a2e5098bf7140b2279fb2825ea77af576f36a93f36cad7938f4588d234d3a  
Md5
SHA-1
SHA-256  
Stealer Payload  
5deb33f73ddf3ce8592207a1017b39cd
08042ae79e699583602ae7a55d7e2b3d945921d2
4029583855e92b84363f6609bd578bd1b4bafb3aae479f0dbf4da2e15ce569f2
Md5
SHA-1
SHA-256  
Stealer Payload  
7491f5a975f3b6f71beb4ae5d6d1e2db
e14a5d6a959ff1aa4bde3ff3b6ca9b36929afabc
99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022
Md5
SHA-1
SHA-256  
Stealer Payload  
d54bc7736523279da8b58b561df85278
7088f6ff79b3be4640f2663f3238fd1db7dcaf4e
38f1800a2d870841093394535cae3690b51ae08a954e9e9b2a0bc86de4a8e338  
Md5
SHA-1
SHA-256  
Stealer Payload  

  

Source: https://blog.cyble.com/2022/07/25/luca-stealer-source-code-leaked-on-a-cybercrime-forum/