Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer

Luca Stealer Making Waves in the Cyber Threat Landscape

 

Launching new products generates excitement and eagerness among consumers, who eagerly anticipate the latest technological innovations and advancements. However, this excitement also attracts malicious intent.

Threat Actors (TAs) often take advantage of the hype surrounding new product releases to carry out their devious schemes. These cybercriminals create deceptive phishing sites that impersonate legitimate platforms, seeking to compromise users’ security and privacy. Through these fraudulent websites, TAs deliver malware payloads disguised as genuine applications, leading to potentially severe consequences for unsuspecting users.

Cyble Research and Intelligence Labs (CRIL) has recently discovered a phishing website with the URL “hxxps[:]//microsoft-en[.]com/cryptowallet/,” which is deceptively posing as the legitimate Microsoft Crypto Wallet platform. The main victims targeted by this fraudulent site are cryptocurrency enthusiasts. The site employs a clever disguise, prompting users to download an executable file that supposedly represents the official Crypto Wallet.

Unfortunately, beneath the facade of offering a cutting-edge cryptocurrency solution, this deceptive website harbors a malicious InfoStealer named “Luca Stealer.” The primary purpose of Luca Stealer is to gather sensitive information and personal data from unsuspecting users covertly.

The below figure shows the Microsoft Crypto Wallet phishing site.

Figure 1 – Phishing Site

 

Several months ago, news surfaced regarding Microsoft’s plan to develop a Crypto Wallet exclusively for its Edge browser. In light of this development, a concerning phishing site depicted in Figure 1 has come to our attention.

Although the exact motives behind the creation of this phishing site remain unclear, there are indications that a threat actor (TA) could be exploiting the news to carry out malicious attacks.

One notable detail on the phishing site is the reference to a beta version of the Crypto Wallet application. This mention further strengthens the possibility that the TA is taking advantage of Microsoft’s Crypto Wallet development to lure users into their trap. The attackers aim to deceive users into believing they are accessing an authentic platform by impersonating a legitimate source and referencing the beta version.

Analysis

 

The file downloaded from this site (SHA256:
480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1) is 64-bit executable.

The figure below shows the file details.

Figure 2 – File Details

 

Through our investigation, we identified the executable as Luca Stealer. This determination was primarily based on the existence of a significant number of identical strings present in both the suspect executable and the known Luca Stealer source code. This malware is crafted using the Rust programming language, and it initially surfaced on cybercrime forums in the year 2022.

Moreover, our earlier blog shed light on the source code for Luca Stealer, which was openly shared and made available on a cybercrime forum.

The figure provided below clearly illustrates the shared strings that were instrumental in our identification process.

Figure 3 – Common Strings

 

Luca Stealer has garnered increasing popularity within cybercrime forums due to its open-source nature and being developed in Rust. As a result, multiple TAs have joined forces to enhance its functionalities and optimize its performance.

Notably, the source code of this malware has been observed on various platforms, with GitHub and TOR being prominent hosts. This widespread distribution ensures that the code remains easily accessible to a wide range of potential TAs.

The availability of the source code on these platforms facilitates modifications and customizations, allowing TAs to create tailored versions of the malware to suit their nefarious objectives.

Figure 4 – Hosted on Different Platforms

 

During closer examination, a significant update to this stealer revealed the implementation of two noteworthy techniques – Clipper and AntiVM.

The introduction of Clippers marked a concerning development as it enables TAs to intercept and manipulate cryptocurrency addresses during transactions. Through this malicious maneuver, funds intended for one recipient are diverted to the attacker’s wallet instead, resulting in significant financial losses for the victim.

What sets this Clipper apart is its versatility. While its primary focus is cryptocurrency theft, it does not limit its targets to only cryptocurrencies. Instead, it also extends its reach to target IBANs (International Bank Account Numbers). By doing so, the Clipper expands its potential victims to include those engaged in traditional banking transactions, amplifying the risks for a broader range of users.

The scope of the Clipper’s cryptocurrency targets is extensive, comprising popular cryptocurrencies such as XMR, BNB, TRX, ETH, BTC, DOGE, BCH, LTC, DASH, XRP, ADA, TON, NEO, ETC, SOL, ZEC, ALGO, and XLM. By focusing on these high-value cryptocurrencies, the attackers aim to maximize their illicit gains and capitalize on the widespread usage and investment in these digital assets.

AntiVM is a defense evasion technique using which TAs can prevent the execution of malware in a virtualized environment. We have observed an additional AntiVM technique in this stealer, which sets it apart from the older binary version.

This variant of Luca stealer now checks the system temperature using a WMI query, specifically using the command “SELECT * FROM MSAcpi_ThermalZoneTemperature”.

Most virtual machines return an error when executing the query “SELECT * FROM MSAcpi_ThermalZoneTemperature.” As a result, the malware uses this strategy to skip the execution in virtualized environments. This behavior assumes that the absence of valid temperature data or the occurrence of errors indicates that the system is running in a virtualized environment. As a result, the malware tries to remain undetected and evades potential security measures that could be triggered in virtual machine setups.

This technique has been employed in the past by malware strains such as GravityRAT.

The figure below illustrates the WMI query used by the stealer.

Figure 5 – WMI Query

 

This stealer targets the following cold crypto wallets:

AtomicWallet Exodus JaxxWallet
Electrum ByteCoin  

This stealer variant targets the following browsers.

Edge Chedot (Chedot) Elements Browser Torch Opera
Chromium Chrome Canary Epic Privacy Browser UC Browser Opera Stable
7star Chrome SxS Chrome Uran Opera GX
Amigo Google Chrome Kometa CozMedia ChromePlus
Brave CocCoc Browser Orbitum Vivaldi Mapple Studio
CentBrowser Dragon (Comodo Dragon) Sputnik Atom Iridium
Sleipnir 5 Citrio WooGamble Qip Surf 360browser

Following the stealer targets Browser extensions.

EOS Authenticator Norton Password Manager Sollet Leaf Wallet
Bitwarden Avira Password Manaager ICONex Cyano Wallet
KeePassXC Trezor Password Manager KHC Cyano Wallet Pro
Dashlane MetaMask TezBox Nabox Wallet
1Password TronLink Byone Polymesh Wallet
NordPass BinanceChain OneKey Nifty Wallet
Keeper Coin98 DAppPlay Liquality Wallet
RoboForm iWallet BitClip Math Wallet
LastPass Wombat Steem Keychain Coinbase Wallet
BrowserPass MEW CX Nash Extension Clover Wallet
MYKI NeoLine Hycon Lite Client Yoroi
Splikity Terra Station ZilPay Guarda
CommonKey Keplr Sollet EQUAL Wallet
Zoho Vault Norton Password Manager ICONex BitApp Wallet

To fetch the IP of infected system, this stealer makes a GET request to hxxps://myip[.]ch. The figure below shows the network activity.

Figure 6 – GET Request

 

Once it gathers the targeted information, it compresses the data to streamline its transfer process. To send the stolen data discreetly, the malware leverages a telegram bot, utilizing the Telegram messaging platform as a covert communication channel. Furthermore, it sends chat messages containing statistical information about the stolen data. Although straightforward, this functionality provides the attacker with real-time updates on the quantity and nature of the compromised data.

Conclusion

 

Luca Stealer shares several key characteristics typical of InfoStealers, but what sets it apart is its specialized emphasis on targeting data associated with cryptocurrency wallets and password management software. This refined focus highlights the malicious intent to exploit the growing popularity and value of cryptocurrencies, as well as the potential for acquiring sensitive login credentials.

The fact that Luca Stealer’s source code is open source further compounds the concern. As more TAs gain access to the codebase, the potential for customization and adaptation of the malware increases significantly. This accessibility allows cybercriminals to create unique variants and modify the behavior of Luca Stealer to suit their specific objectives. Consequently, we can expect a continuous surge in the number of stealer binaries targeting users.

Our Recommendations

 

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:  

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc.,  typically contains such malware.  
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.  
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

 

Tactic  Technique ID  Technique Name 
Initial Access T1566  Phishing 
Execution   T1204  User Execution 
Defense Evasion T1497 Virtualization/Sandbox Evasion
Credential Access T1555 
T1539 
T1552 
Credentials from Password Stores 
Steal Web Session Cookie 
Unsecured Credentials 
Collection T1113  Screen Capture 
Discovery T1087 
T1518 
T1057 
T1124 
T1007 
T1614 
T1120 
Account Discovery 
Software Discovery 
Process Discovery 
System Time Discovery 
System Service Discovery 
System Location Discovery 
Peripheral Device Discovery 
Command and Control T1571 
T1095 
Non-Standard Port 
Non-Application Layer Protocol 
Exfiltration T1041  Exfiltration Over C2 Channel   

Indicators of Compromise (IoCs):

 

Indicators  Indicator type  Description 
hxxps[:]//microsoft-en[.]com/cryptowallet/cryptowalletinstaller[.]exe hxxps[:]//microsoft-en[.]com/cryptowallet/ URL  Phishing Site 
2753fea9125455e452e1951295158bc5 4238700742f6540119fc40f8f001fa1b5da99425     480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1 MD5
SHA1 SHA256
Luca Stealer

 

Scroll to Top