A New Info Stealer Targeting over 30 Browsers
Cyble Research Labs recently encountered Lightning Stealer – a new Info Stealer variant. An info stealer is a type of malware designed specifically to steal data from the victim’s system. This type of malware has emerged as a serious threat as Threat Actors use them to get initial access to corporate networks.
Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user’s data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration.
Lightning Stealer is a . NET-based Info Stealer. Figure 2 shows the file details.
Technical Analysis
The methods in Main()function of the malware binary (SHA 256: a2a3b6db773b95fa27501f081b03daf2a29bfb800b4efa397cc4fc59ff755368) – which is ultimately responsible for stealing data have been presented in a sequential manner as per to their execution. Refer to Figure 3.
The malware first calls Input.GetLogGecko method. This method will return stolen passwords, cookies, and history from Firefox-based browsers upon execution.
It initially identifies the Firefox-based browsers present in a system bypassing the respective browser’s path in the “AppData” folder to the Directory.Exists() method. If this returns as “True,” those paths will be added to a new list for stealing data. The figure below shows the Firefox-based browsers targeted by the malware.
Firefox-based browsers store user data in a Profiles folder under the “AppData\Browser_name” directory. Lightning Stealer checks this directory along with the file names mentioned below:
- key4.db: Stores the encryption keys and master password for logins.json.
- logins.json: These files store the usernames and passwords.
- places.sqlite: This file stores the user search history, downloads, and bookmarks data.
It steals the browser’s data only if the above files are present.
It first steals the data from the login.json file and looks for mozglue.dll and nss3.dll, which will be used to decrypt the “login.json” file. Figure 5 shows the credential-stealing functionality for Firefox-based browsers.
Then malware steals the cookies data from moz_cookies table in “cookies.sqlite ” file and stores the data in the following format (refer Figure 6) :
- Domain =
- Name =
- Value =
- Path =
- Expires =
- IsSecure =
Similarly, the malware steals the browser’s history from the moz_places table in the “places.sqlite” file and extracts the data in the following format:
- Url =
- Title =
- Visits =
- Time =
The figure below shows the browser’s history stealing functionality.
After stealing data from Firefox-based browsers, the malware targets Chromium-based browsers. Figure 8 shows the Chromium-based browsers targeted by the Lightning stealer.
The sensitive user data, such as login credentials and cookies, stored in Chrome-based browsers are present in an encrypted form. The malware enumerates and gets the name of all files present in the “Browser-name\User Data\” folder and checks for the “Local State” file, which stores the encrypted keys used by Chrome to decrypt the login data.
If this file is present, the malware uses the DPAPI()functionto decrypt the encryption keys in the “Local State” file by calling Dpapi.CryptUnprotectData() function as can be seen in figure below.
Chromium browsers store the login data in the “Login Data” file, a .SQLite file. The malware steals the data from the logins table present in this file and extracts the data in the following format:
- Domain =
- Login =
- Password =
Then malware steals cookies from cookies table present “Cookies” file and stores the data in following format:
- Domain =
- Name =
- Path =
- Expires =
- IsSecure = isSecure,
- Value = value
In a similar manner, the malware steals the data from the following “.sqlite” files:
- credit cards data from the logins table in the “Login Data” file.
Filter Data in the format:
Number =
Year =
Month =
Name =
- Search history from the URLs table in the “History” file.
Filter Data in format:
Url =
Title =
Visits =
Time =
- Autofill data from autofill table in “Web data” file.
Filter Data in format:
Name =
Value =
This stealer has the capability to steal data from crypto wallets present in the victim’s system. The wallets targeted by the stealer can be seen in the figure below. The malware targets the wallet files specific to the crypto applications mentioned in Figure 13. The malware then converts the wallet file’s content into Base64 and saves them into a list.
The malware then proceeds to steal the victim’s system info. Figure 14 shows the system info gathered by malware.
This malware also steals the .txt and .doc files present in the “Desktop” of the victim’s system. The malware reads the content of the file and encodes it using Base64. Then it saves the encoded data and file names on a list.
After this, the malware checks for the “Telegram Desktop\tdata” file in the ApplicationData folder. Instead of copying the file to a different directory for exfiltration, it loads its content in memory, encodes it, and saves it to a list.
The Lightning stealer steals the Discord token from the following directory:
“discord\\Local Storage\\leveldb”
It retrieves a list of all files present in this directory and then starts stealing data from them.
The malware steals data from Steam, a video game digital distribution service. The stealer identifies the Steam installation path by checking the registry key value at “HKEY_LOCAL_MACHINE\Software\Valve\Steam.”
The malware steals data from all the files present under the “config” folder.
After this, the malware takes a screenshot of the victim’s screen and saves it in the “AppData\Roaming\” folder named “1.png”. Then, it converts the screenshot into Base64 encoded strings and saves it to a list.
The malware stores all the stolen data in the lists shown in the figure below.
Then it creates a file named “444.txt” in the “AppData\Roaming\” folder. Before writing content to this file, it converts the stolen data into JSON strings using JsonSerializer.Serialize() method.
After this, the malware exfiltrates the data to the following domain:
hxxp[:]//panelss[.]xyz/Stealer/TSave
The body of the request is sent in JSON format, as can be seen in the figure below.
Conclusion
Info Stealers are adopting new techniques to become more evasive. As the information stolen by such malware is sensitive, organizations should follow good security practices. In the past, Cyble Research Labs has observed data breaches of large organizations because of such threats. We have also witnessed ransomware groups leveraging Info Stealers to gain initial network access and, eventually, exfiltrating sensitive data. Lightning Stealer is an emerging Info Stealer, and we may see variants of it emerge in the future.
Recommendations
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| Credential Access | T1555 T1539 T1552 T1528 | Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token |
| Collection | T1113 | Screen Capture |
| Discovery | T1518 T1124 T1007 | Software Discovery System Time Discovery System Service Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| hxxps[:]//panelss[.]xyz | URL | C2 URL |
| 1b922b6d15085da82e20fee0789a6617 231a8e1a06d1673c8922d149af9d8f156dcbe228 a2a3b6db773b95fa27501f081b03daf2a29bfb800b4efa397cc4fc59ff755368 | Md5 SHA-1 SHA-256 | Stealer Payload |
| 473781fe7d820ef805d1aa79ace86816 b7a42714b4e5dd7cfb6a2c8d7eb30d8bcce9a7ba 6e016bcbead2dddb80dd4a592b1f3c042c52dc8a26ee37e0943f1a8c433e4c5f | Md5 SHA-1 SHA-256 | Stealer Payload |
Comments are closed.