Luca Stealer Making Waves in the Cyber Threat Landscape
Launching new products generates excitement and eagerness among consumers, who eagerly anticipate the latest technological innovations and advancements. However, this excitement also attracts malicious intent.
Threat Actors (TAs) often take advantage of the hype surrounding new product releases to carry out their devious schemes. These cybercriminals create deceptive phishing sites that impersonate legitimate platforms, seeking to compromise users’ security and privacy. Through these fraudulent websites, TAs deliver malware payloads disguised as genuine applications, leading to potentially severe consequences for unsuspecting users.
Cyble Research and Intelligence Labs (CRIL) has recently discovered a phishing website with the URL “hxxps[:]//microsoft-en[.]com/cryptowallet/,” which is deceptively posing as the legitimate Microsoft Crypto Wallet platform. The main victims targeted by this fraudulent site are cryptocurrency enthusiasts. The site employs a clever disguise, prompting users to download an executable file that supposedly represents the official Crypto Wallet.
Unfortunately, beneath the facade of offering a cutting-edge cryptocurrency solution, this deceptive website harbors a malicious InfoStealer named “Luca Stealer.” The primary purpose of Luca Stealer is to gather sensitive information and personal data from unsuspecting users covertly.
The below figure shows the Microsoft Crypto Wallet phishing site.
Several months ago, news surfaced regarding Microsoft’s plan to develop a Crypto Wallet exclusively for its Edge browser. In light of this development, a concerning phishing site depicted in Figure 1 has come to our attention.
Although the exact motives behind the creation of this phishing site remain unclear, there are indications that a threat actor (TA) could be exploiting the news to carry out malicious attacks.
One notable detail on the phishing site is the reference to a beta version of the Crypto Wallet application. This mention further strengthens the possibility that the TA is taking advantage of Microsoft’s Crypto Wallet development to lure users into their trap. The attackers aim to deceive users into believing they are accessing an authentic platform by impersonating a legitimate source and referencing the beta version.
Analysis
The file downloaded from this site (SHA256:
480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1) is 64-bit executable.
The figure below shows the file details.
Through our investigation, we identified the executable as Luca Stealer. This determination was primarily based on the existence of a significant number of identical strings present in both the suspect executable and the known Luca Stealer source code. This malware is crafted using the Rust programming language, and it initially surfaced on cybercrime forums in the year 2022.
Moreover, our earlier blog shed light on the source code for Luca Stealer, which was openly shared and made available on a cybercrime forum.
The figure provided below clearly illustrates the shared strings that were instrumental in our identification process.
Luca Stealer has garnered increasing popularity within cybercrime forums due to its open-source nature and being developed in Rust. As a result, multiple TAs have joined forces to enhance its functionalities and optimize its performance.
Notably, the source code of this malware has been observed on various platforms, with GitHub and TOR being prominent hosts. This widespread distribution ensures that the code remains easily accessible to a wide range of potential TAs.
The availability of the source code on these platforms facilitates modifications and customizations, allowing TAs to create tailored versions of the malware to suit their nefarious objectives.
During closer examination, a significant update to this stealer revealed the implementation of two noteworthy techniques – Clipper and AntiVM.
The introduction of Clippers marked a concerning development as it enables TAs to intercept and manipulate cryptocurrency addresses during transactions. Through this malicious maneuver, funds intended for one recipient are diverted to the attacker’s wallet instead, resulting in significant financial losses for the victim.
What sets this Clipper apart is its versatility. While its primary focus is cryptocurrency theft, it does not limit its targets to only cryptocurrencies. Instead, it also extends its reach to target IBANs (International Bank Account Numbers). By doing so, the Clipper expands its potential victims to include those engaged in traditional banking transactions, amplifying the risks for a broader range of users.
The scope of the Clipper’s cryptocurrency targets is extensive, comprising popular cryptocurrencies such as XMR, BNB, TRX, ETH, BTC, DOGE, BCH, LTC, DASH, XRP, ADA, TON, NEO, ETC, SOL, ZEC, ALGO, and XLM. By focusing on these high-value cryptocurrencies, the attackers aim to maximize their illicit gains and capitalize on the widespread usage and investment in these digital assets.
AntiVM is a defense evasion technique using which TAs can prevent the execution of malware in a virtualized environment. We have observed an additional AntiVM technique in this stealer, which sets it apart from the older binary version.
This variant of Luca stealer now checks the system temperature using a WMI query, specifically using the command “SELECT * FROM MSAcpi_ThermalZoneTemperature”.
Most virtual machines return an error when executing the query “SELECT * FROM MSAcpi_ThermalZoneTemperature.” As a result, the malware uses this strategy to skip the execution in virtualized environments. This behavior assumes that the absence of valid temperature data or the occurrence of errors indicates that the system is running in a virtualized environment. As a result, the malware tries to remain undetected and evades potential security measures that could be triggered in virtual machine setups.
This technique has been employed in the past by malware strains such as GravityRAT.
The figure below illustrates the WMI query used by the stealer.
This stealer targets the following cold crypto wallets:
| AtomicWallet | Exodus | JaxxWallet |
| Electrum | ByteCoin |
This stealer variant targets the following browsers.
| Edge | Chedot (Chedot) | Elements Browser | Torch | Opera |
| Chromium | Chrome Canary | Epic Privacy Browser | UC Browser | Opera Stable |
| 7star | Chrome SxS | Chrome | Uran | Opera GX |
| Amigo | Google Chrome | Kometa | CozMedia | ChromePlus |
| Brave | CocCoc Browser | Orbitum | Vivaldi | Mapple Studio |
| CentBrowser | Dragon (Comodo Dragon) | Sputnik | Atom | Iridium |
| Sleipnir 5 | Citrio | WooGamble | Qip Surf | 360browser |
Following the stealer targets Browser extensions.
| EOS Authenticator | Norton Password Manager | Sollet | Leaf Wallet |
| Bitwarden | Avira Password Manaager | ICONex | Cyano Wallet |
| KeePassXC | Trezor Password Manager | KHC | Cyano Wallet Pro |
| Dashlane | MetaMask | TezBox | Nabox Wallet |
| 1Password | TronLink | Byone | Polymesh Wallet |
| NordPass | BinanceChain | OneKey | Nifty Wallet |
| Keeper | Coin98 | DAppPlay | Liquality Wallet |
| RoboForm | iWallet | BitClip | Math Wallet |
| LastPass | Wombat | Steem Keychain | Coinbase Wallet |
| BrowserPass | MEW CX | Nash Extension | Clover Wallet |
| MYKI | NeoLine | Hycon Lite Client | Yoroi |
| Splikity | Terra Station | ZilPay | Guarda |
| CommonKey | Keplr | Sollet | EQUAL Wallet |
| Zoho Vault | Norton Password Manager | ICONex | BitApp Wallet |
To fetch the IP of infected system, this stealer makes a GET request to hxxps://myip[.]ch. The figure below shows the network activity.
Once it gathers the targeted information, it compresses the data to streamline its transfer process. To send the stolen data discreetly, the malware leverages a telegram bot, utilizing the Telegram messaging platform as a covert communication channel. Furthermore, it sends chat messages containing statistical information about the stolen data. Although straightforward, this functionality provides the attacker with real-time updates on the quantity and nature of the compromised data.
Conclusion
Luca Stealer shares several key characteristics typical of InfoStealers, but what sets it apart is its specialized emphasis on targeting data associated with cryptocurrency wallets and password management software. This refined focus highlights the malicious intent to exploit the growing popularity and value of cryptocurrencies, as well as the potential for acquiring sensitive login credentials.
The fact that Luca Stealer’s source code is open source further compounds the concern. As more TAs gain access to the codebase, the potential for customization and adaptation of the malware increases significantly. This accessibility allows cybercriminals to create unique variants and modify the behavior of Luca Stealer to suit their specific objectives. Consequently, we can expect a continuous surge in the number of stealer binaries targeting users.
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., typically contains such malware. - Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
T1539 T1552 | Steal Web Session Cookie Unsecured Credentials | |
Software Discovery | ||
T1095 | Non-Application Layer Protocol | |
Indicators of Compromise (IoCs):
| 2753fea9125455e452e1951295158bc5 4238700742f6540119fc40f8f001fa1b5da99425 480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1 | SHA1 SHA256 |
