Rust-based Malware Targeting Crypto Users
During a routine threat-hunting exercise, Cyble Research Labs discovered an unknown Rust-based stealer, which we have dubbed “Luca Stealer.” The source code of this stealer was leaked on a popular cybercrime forum for free on July 3, 2022. We have already witnessed over 25 samples based on this source code present in the wild. Rust is rapidly becoming one of malware developers’ most preferred programming languages because of its versatility and evasion capabilities.
The developer of the stealer appears to be new on the cybercrime forum and likely leaked the source code of the stealer to build a reputation for themselves. The developer has also provided the steps to modify the stealer and compile the source code for ease of use. The stealer has been updated thrice, and the malware developer is continuously adding multiple functionalities at the time of our analysis.
The stealer can target multiple Chromium-based browsers, chat applications, crypto wallets, and gaming applications and has the added functionality of stealing victims’ files. After making multiple updates to the source code of the stealer on the cybercrime forum, the developer recently released the source code on GitHub, which can lead to wider usage and adoption of the stealer. Figure 1 shows the post made by the developer on a cybercrime forum.
Initially, the stealer was designed to exfiltrate stolen data using a Telegram bot. However, due to the limitation of only being able to upload data in sizes up to 50 MB, compatibility with Discord webhooks was added to the stealer.
We witnessed that multiple Threat Actors (TAs) might have contributed to this stealer’s development, as shown below.
The figure below shows Luca Stealer’s Features.
The figure below shows a Log file shared by a TA on a cybercrime forum indicating that multiple TAs have already started using this stealer.
Source Code Analysis
Functionality
Using the environment variable %localappdata%, the stealer identifies the path of the Local\AppData folder. Before initiating stealing activities, it checks if the “logsxc” folder is present in the AppData directory to prevent multiple executions. If this folder is not present, the stealer creates one with hidden attributes for saving stolen data.
The Luca stealer uses my_internet_ip, a Rust crate, to identify the victim’s public IP address and the ipgeolocate library to identify the victim’s geolocation.
The stealer then uses the screenshots library to grab a screenshot of the victim’s system and saves that as a .png file for exfiltration. The figure below shows the screenshot library used by the malware.
For stealing the system details, the stealer uses the whoami library. The figure below shows the implementation of the whoami library in the stealer.
The table below shows a few function names available in the whoami library used by the stealer to fetch the victim systems’ details. The stealer fetches the below system information along with IP and geolocation and saves it to a file named “info.txt.”
| Function | Description |
| desktop_env | Get the desktop environment. |
| devicename | Get the device name (also known as “Pretty Name”), used to identify the device for BlueTooth pairing. |
| distro_os | Get the name of the operating system distribution and (possibly) version. |
| hostname | Get the host device’s hostname. |
| username | Get the user’s username. |
| Language | Get the user’s preferred language(s). |
The stealer then creates a file named “system_info.txt” for storing the victim’s data, such as:
- Network interface name and their data transmission rate.
- The number of CPUs and memory segregated into the following components:
- total memory
- used memory
- total swap
- used swap
- List of running processes
The Luca Stealer targets over 30 Chromium-based browsers. The figure below displays the list of browsers targeted by the stealer. It steals Login Credentials, Credit Cards, and Cookies from browsers and saves them to a text file for exfiltration. To decrypt browser data, the stealer leverages the Dpapi.CryptUnprotectData() function.
The stealer targets 10 cold crypto wallets, as shown in Figure 10. The TA has mentioned the hardcoded path of the wallets in the source code, from where the stealer is grabbing the wallets for exfiltration.
The stealer also targets browser extensions of password managers and crypto wallets for over 20 browsers. Every browser extension has a unique ID, which can be used to search for the required extensions in the browser’s folder in the “AppData” directory. The stealer grabs extensions mentioned in the figure below if they are present in the victim’s system.
Luca stealer also targets the Steam, Uplay, and Telegram applications. It initially checks if these applications are present on the victim’s system and then grabs data from the following folders:
- AppData\Roaming\ Ubisoft Game Launcher
- AppData\Roaming\Telegram Desktop\tdata
- Program Files (x86)\ team
The stealer also targets four messenger applications: Discord, ICQ, Element, and Skype.
To steal Discord tokens, the malware targets the following directories:
- Discord\Local Storage\leveldb
- Discord PTB\Local Storage\leveldb
- Discord Canary\leveldb
It uses regex to find the Discord tokens in the log files and saves them to a file named “discord_tokens.txt.” The malware grabs the file present in “Element\\Local Storage\\leveldb” for stealing Element’s session and saves them under a folder named Element.
The stealer then grabs the ICQ–Chat files from “AppData\Roaming\ ICQ\0001 “and saves them under a folder named “ICQ.”
For stealing sessions from Skype, the malware grabs files from AppData\Roaming\Microsoft\Skype\Desktop\Local Storage and saves them under a Skype folder.
The stealer creates a compressed file named “out.zip” in the AppData\Local\Temp directory. This compressed file is created out of the folder used to save the stolen data. Then, it exfiltrates this data using Discord Webhooks or a Telegram Bot as specified by the TA. The stealer also sends the summary of stolen data as a chat message, such as the Count of passwords, IP address, OS details, etc. The figure below shows the format of the chat message.
Conclusion
At the time of publishing this analysis, Luca stealer can only currently target Windows-based Operating Systems (OS). Though the stealer is coded in Rust, a cross-platform programming language, the TA has used environment variables restricted to Windows OS to identify the path to certain directories.
In the future, we might witness more capabilities added to this stealer; for example, the TA might also be working on adding a clipping functionality to the stealer. As the stealer is written in Rust and is released for free, we can expect it to be adopted by multiple Threat Actors across the world.
Our Recommendations
- Avoid downloading files from untrusted sources.Â
- Clear browsing history and reset passwords at regular intervals.  Â
- Turn on the automatic software update feature on your computer, mobile, and other connected devices. Â
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. Â
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.  Â
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. Â
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez. Â
- Monitor the beacon on the network level to block data exfiltration by malware or TAs. Â
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems. Â
  MITRE ATT&CK® Techniques  Â
| Tactic  | Technique ID  | Technique Name  |
| Execution   | T1204  | User Execution  |
| Credential Access  | T1555  T1539  T1552  T1528  | Credentials from Password Stores  Steal Web Session Cookies  Unsecured Credentials Steal Application Access Token  |
| Collection  | T1113  | Screen Capture  |
| Discovery  | T1518  T1124  T1007  | Software Discovery  System Time Discovery System Service Discovery  |
| Command and Control  | T1071  | Application Layer Protocol  |
| Exfiltration  | T1020 | Automated Exfiltration |
  Indicators of Compromise (IoCs):   Â
| Indicators  | Indicator type  | Description  |
| 60a9f28b0fb727587b7b8fd326a86685 b0dbef65d1c3575f0e4fe6c466a952deeed804a1 2e9a2e5098bf7140b2279fb2825ea77af576f36a93f36cad7938f4588d234d3a  | Md5 SHA-1 SHA-256  | Stealer Payload  |
| 5deb33f73ddf3ce8592207a1017b39cd 08042ae79e699583602ae7a55d7e2b3d945921d2 4029583855e92b84363f6609bd578bd1b4bafb3aae479f0dbf4da2e15ce569f2 | Md5 SHA-1 SHA-256  | Stealer Payload  |
| 7491f5a975f3b6f71beb4ae5d6d1e2db e14a5d6a959ff1aa4bde3ff3b6ca9b36929afabc 99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022 | Md5 SHA-1 SHA-256  | Stealer Payload  |
| d54bc7736523279da8b58b561df85278 7088f6ff79b3be4640f2663f3238fd1db7dcaf4e 38f1800a2d870841093394535cae3690b51ae08a954e9e9b2a0bc86de4a8e338  | Md5 SHA-1 SHA-256  | Stealer Payload  |
 
