Luca Stealer Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/luca-stealer/

Luca Stealer Spreads Via a Phishing Microsoft Crypto Wallet Site
https://gridinsoft.com/blogs/luca-stealer-phishing-microsoft-crypto-wallet/
Tue, 25 Jul 2023 09:31:13 +0000
As cyber threats keep multiplying, attackers and defenders race to get ahead of each other. This time the criminals got there first: they built a phishing website timed to the news that Microsoft is developing a crypto wallet for its Edge browser, and they use it to spread Luca Stealer.

Microsoft Crypto Wallet Scam Spreads Luca Stealer

Not long ago, news broke that Microsoft is working on a crypto wallet for its Edge browser. Cryptocurrency users were bound to take an interest in that, and so were cybercriminals. They quickly put together a website that imitated Microsoft's legitimate site as closely as possible. Security researchers came across the site and analyzed it. Unlike third-rate phishing pages, this one had a convincing look, the address hxxps[:]//microsoft-en[.]com/cryptowallet/, a TLS certificate, and the familiar page layout. The site offered visitors a beta version of the crypto wallet; instead of a wallet, the download was malware.

Phishing website (screenshot)

Luca Stealer Analysis

In this case the scammers are distributing Luca Stealer. Researchers attributed the sample by the similarities between its code and the known Luca Stealer code. Luca's source is public: it can be found on GitHub and on Tor-hosted forums. It is a relatively new stealer, written in Rust and first spotted in 2022. Its job is to collect valuable data such as crypto wallet details and other personal information. The browsers, browser extensions and crypto wallets it targets are listed below.

Web browsers

  • CentBrowser
  • Iridium
  • Qip Surf
  • Chrome Canary
  • Sleipnir 5
  • Vivaldi
  • Elements Browser
  • CocCoc Browser
  • Torch
  • Opera Stable
  • Brave
  • Kometa
  • Edge
  • CocMedia
  • Google Chrome
  • Mapple Studio
  • CozMedia
  • ChromePlus
  • Atom
  • Chromium
  • UC Browser
  • Opera GX
  • WooGamble
  • Opera
  • Dragon (Comodo Dragon)
  • Chrome SxS
  • 7star
  • Sputnik
  • Epic Privacy Browser
  • Chedot
  • Uran
  • Citrio
  • Orbitum
  • Chrome

Browser extensions

  • 1Password
  • Avira Password Manager
  • BitApp Wallet
  • BitClip
  • Bitwarden
  • BinanceChain
  • BrowserPass
  • Byone
  • Clover Wallet
  • Coin98
  • Coinbase Wallet
  • CommonKey
  • Cyano Wallet
  • Cyano Wallet Pro
  • DAppPlay
  • Dashlane
  • EOS Authenticator
  • EQUAL Wallet
  • Guarda
  • Hycon Lite Client
  • ICONex
  • KHC
  • KeePassXC
  • Keeper
  • Keplr
  • LastPass
  • Leaf Wallet
  • Liquality Wallet
  • Math Wallet
  • MEW CX
  • MetaMask
  • MYKI
  • Nabox Wallet
  • Nash Extension
  • NeoLine
  • NordPass
  • Nifty Wallet
  • Norton Password Manager
  • OneKey
  • Polymesh Wallet
  • RoboForm
  • Sollet
  • Splikity
  • Steem Keychain
  • TezBox
  • Terra Station
  • TronLink
  • Trezor Password Manager
  • Wombat
  • Yoroi
  • ZilPay
  • Zoho Vault

Crypto wallets

  • AtomicWallet
  • ByteCoin
  • Electrum
  • Exodus
  • JaxxWallet

Besides cryptocurrency, the malware also goes after banking data such as IBANs, which adds risk for anyone who does banking from the infected machine.

Data Exfiltration

Once the data is collected, Luca Stealer compresses it for easier transmission. The malware uses the Telegram messaging platform as a covert channel: through a Telegram bot it sends the stolen data, together with some statistics about what was collected, to the operator's chat.

Why Luca Stealer?

Since the source code of Luca Stealer was leaked to the public, attackers can modify it, optimize it and add new functionality. On closer analysis, researchers found an unusual anti-VM method: Luca Stealer checks the system temperature before it starts executing. Virtual machines usually return an error for such a request, so the malware can tell whether it is running in a VM or on a physical system. The trick only makes analysis slower rather than impossible, though: it is not hard to make a VM answer the request with realistic and consistent temperatures.
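As an added illustration (not Luca Stealer's own code), the following Python shows what such a thermal check looks like, next to the sandbox-side counter the paragraph mentions. The article does not say which API the real sample queries; the WMI class MSAcpi_ThermalZoneTemperature on Windows and /sys/class/thermal on Linux used here are assumptions about the usual sources. FakeThermalSensor models a sandbox that returns plausible, slowly drifting readings so that the check passes.

```python
"""Thermal-zone anti-VM check and a sandbox-side counter to it.

Added example, not Luca Stealer's code. The article only says the malware
queries the system temperature and treats a failed query as a VM. On Windows
the usual source for that reading is the WMI class MSAcpi_ThermalZoneTemperature
in root\\wmi (an assumption about which API is used); on Linux it is
/sys/class/thermal. Both the check and a "realistic, consistent" fake are shown.
"""
import glob
import json
import platform
import random
import subprocess
from typing import List, Optional


def query_thermal_zones() -> Optional[List[float]]:
    """Return temperatures in degrees Celsius, or None if the query fails.

    On most hypervisors the WMI query fails with "Not supported" and the Linux
    thermal directory is empty, which is exactly what the stealer keys on.
    """
    try:
        if platform.system() == "Windows":
            # Assumed API: MSAcpi_ThermalZoneTemperature reports tenths of Kelvin.
            out = subprocess.run(
                ["powershell", "-NoProfile", "-Command",
                 "Get-CimInstance -Namespace root/wmi -ClassName "
                 "MSAcpi_ThermalZoneTemperature | "
                 "Select-Object -ExpandProperty CurrentTemperature | ConvertTo-Json"],
                capture_output=True, text=True, timeout=15, check=True).stdout
            raw = json.loads(out) if out.strip() else []
            raw = raw if isinstance(raw, list) else [raw]
            return [v / 10.0 - 273.15 for v in raw] or None
        readings = []
        for path in glob.glob("/sys/class/thermal/thermal_zone*/temp"):
            with open(path) as fh:
                readings.append(int(fh.read().strip()) / 1000.0)  # millidegrees C
        return readings or None
    except (OSError, ValueError, subprocess.SubprocessError):
        return None


def looks_like_vm(readings: Optional[List[float]]) -> bool:
    """The stealer's decision as described: no temperature means sandbox.

    This slightly stricter variant also rejects physically implausible values,
    which a sandbox that returns a constant 0 or 100 C would trip on.
    """
    if not readings:
        return True
    return not all(10.0 <= t <= 105.0 for t in readings)


class FakeThermalSensor:
    """Sandbox-side counter: plausible, stable readings with small drift.

    Returning the same number forever is itself a tell, so each call moves
    by at most one degree and stays within a laptop-like band.
    """

    def __init__(self, zones: int = 2, seed: int = 7) -> None:
        self._rng = random.Random(seed)
        self._temps = [self._rng.uniform(38.0, 55.0) for _ in range(zones)]

    def read(self) -> List[float]:
        self._temps = [min(95.0, max(30.0, t + self._rng.uniform(-1.0, 1.0)))
                       for t in self._temps]
        return [round(t, 1) for t in self._temps]


def consistent(samples: List[List[float]], max_step: float = 5.0) -> bool:
    """Check that successive readings never jump more than max_step degrees."""
    return all(abs(a - b) <= max_step
               for prev, cur in zip(samples, samples[1:])
               for a, b in zip(prev, cur))


if __name__ == "__main__":
    print("host:", "VM" if looks_like_vm(query_thermal_zones()) else "physical")
    sensor = FakeThermalSensor()
    runs = [sensor.read() for _ in range(5)]
    print("fake sensor passes:", not looks_like_vm(runs[0]) and consistent(runs))
```

Run as-is on a bare hypervisor guest and the first line reports "VM"; wire FakeThermalSensor.read() into whatever shim answers the guest's thermal query and the same check passes, which is the whole point of the article's remark that the trick buys time rather than immunity.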

Safety recommendations

To avoid unpleasant consequences, we recommend the following:

  • Be careful with downloads from the Internet. Download software only from official and reliable sources. If you have any doubt about a website, check its address against the vendor's official site before downloading anything.
  • Update your software. OS updates can be inconvenient, but they carry security patches for known vulnerabilities, so keep your operating system and other software, including browsers, up to date.
  • Be careful with email messages. Email phishing remains one of the most effective ways of spreading malware. Do not open suspicious attachments or links in emails from unknown senders.
  • Install reliable antivirus software. Use quality anti-malware software and update it regularly to stay protected from the latest threats.
  • Educate yourself and stay informed. In this arms race cybercriminals usually move first, creating new threats in the least predictable forms, and security researchers respond with countermeasures. Keep up with current threats and deception techniques so that you can recognise them and adapt.

Luca Stealer Source Code Published In The Darknet
https://gridinsoft.com/blogs/luca-stealer-published-in-darknet/
Tue, 26 Jul 2022 16:29:58 +0000
Luca Stealer, a general-purpose stealer written in Rust, was published on a darknet forum in recent days. The source code of a well-made stealing tool is now available to everyone. This stealer mainly targets web browsers, in particular the extensions and data belonging to cryptocurrency wallets and online banking.

Luca Stealer functionality

As analysts from Cyble state in their report, the set of functions Luca offers is similar to what other stealers provide. It extracts data from all Chromium-based web browsers and delivers different kinds of information to the attacker: cookies, Discord login tokens, accounts on game distribution platforms, credit card details and cryptocurrency wallets. The last two categories are obtained by going through the extensions installed in the browser. The malware compares the installed extensions against its own list and, on a match, steals the data those extensions store locally. This technique differs from what stealers usually do.
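To make the extension-matching step concrete, here is an added Python example (not the malware's code) that does the defender's side of the same lookup: it walks a Chromium profile's Extensions directory, resolves each extension's display name, and reports those that appear on the article's target list. The layout <profile>/Extensions/<id>/<version>/manifest.json is the standard Chromium one; the extension IDs, manifests and the profile built by build_sample_profile are constructed for this example.

```python
"""Inventory Chromium extensions that match a stealer's target list.

Added example, not Luca Stealer's code. The article says the malware compares
installed extensions against a list of wallet and password-manager names and
then copies what those extensions store locally. This script does the
defender's half of that: it walks a profile's Extensions directory, resolves
each extension's display name (including the localized "__MSG_name__" form
many extensions use) and reports matches against the article's list. The
assumed layout is the standard <profile>/Extensions/<id>/<version>/manifest.json.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Subset of the extension names listed in the article.
TARGET_NAMES = {
    "1Password", "Bitwarden", "Coinbase Wallet", "Dashlane", "KeePassXC",
    "LastPass", "MetaMask", "NordPass", "RoboForm", "TronLink", "Yoroi",
}

_MSG = re.compile(r"^__MSG_(\w+)__$")


def resolve_name(ext_version_dir: Path) -> str:
    """Return the extension's human-readable name from manifest.json.

    Many extensions set "name": "__MSG_appName__" and keep the real string in
    _locales/<default_locale>/messages.json; that indirection is resolved here.
    """
    manifest = json.loads((ext_version_dir / "manifest.json").read_text("utf-8"))
    name = manifest.get("name", "")
    m = _MSG.match(name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    msg_file = ext_version_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(msg_file.read_text("utf-8"))
        return messages[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name  # unresolved placeholder, reported as-is


def inventory(profile_dir: Path) -> Dict[str, str]:
    """Map extension id -> display name for every extension in the profile."""
    found: Dict[str, str] = {}
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return found
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = ext_root / ext_id
        if not ext_dir.is_dir():
            continue
        versions = [p for p in ext_dir.iterdir() if (p / "manifest.json").is_file()]
        if versions:
            # Pick the highest version directory, comparing numeric components.
            newest = max(versions,
                         key=lambda p: tuple(int(x) for x in re.findall(r"\d+", p.name)))
            found[ext_id] = resolve_name(newest)
    return found


def matches(profile_dir: Path, targets=TARGET_NAMES) -> List[str]:
    """Names of installed extensions that a Luca-style list would pick up."""
    return sorted(n for n in inventory(profile_dir).values() if n in targets)


def build_sample_profile(root: Path) -> Path:
    """Constructed fixture: a fake profile with three extensions (ids are made up)."""
    profile = root / "Default"

    def add(ext_id, version, manifest, messages=None):
        d = profile / "Extensions" / ext_id / version
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), "utf-8")
        if messages is not None:
            loc = d / "_locales" / manifest.get("default_locale", "en")
            loc.mkdir(parents=True, exist_ok=True)
            (loc / "messages.json").write_text(json.dumps(messages), "utf-8")

    add("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0",
        {"name": "__MSG_appName__", "default_locale": "en"},
        {"appName": {"message": "MetaMask"}})
    add("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.1.0", {"name": "Bitwarden"})
    add("cccccccccccccccccccccccccccccccc", "0.9.0", {"name": "Dark Reader"})
    return profile


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Build the constructed fixture in a temp dir and run the inventory on it."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(Path(tmp))
        return matches(profile), inventory(profile)


if __name__ == "__main__":
    hits, names = demo()
    print("installed:", names)
    print("on the stealer's list:", hits)  # ['Bitwarden', 'MetaMask']
```

Point matches() at a real profile directory (for example the Default profile under the browser's User Data folder) to see which of your own extensions a list like Luca's would select; the localized-name resolution matters because several wallet extensions expose only "__MSG_appName__" in the manifest itself.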

The list of crypto wallets Luca Stealer attacks (screenshot)

Besides the categories of data mentioned above, Luca Stealer also grabs information about the attacked system. Through system calls it reads the amount of memory, the swap file size, the number of CPU cores and so on. After finishing data collection, Luca packs everything into a zip archive and sends it either through Discord webhooks or through a Telegram bot, choosing by the size of the resulting file.
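Both exfiltration channels described here and in the Data Exfiltration section of the first post have a fixed URL shape, which gives an egress proxy something to alert on. The following Python is an added example of that detection, not code from the article or the malware: the log format, the size threshold and the sample lines in SAMPLE_LOG are constructed, and the bot token and webhook token in them are made up.

```python
"""Spot Luca-style exfiltration in egress proxy logs.

Added example, not from the article or the malware. The article says Luca
zips the loot and pushes it either to a Discord webhook or to a Telegram bot,
choosing by archive size. Both channels have a fixed URL shape, so a proxy
that logs URLs can flag uploads to them. The log format, the size threshold
and the sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Telegram bot API: https://api.telegram.org/bot<token>/<method>
TELEGRAM = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
# Discord webhook: https://discord.com/api/webhooks/<id>/<token>
DISCORD = re.compile(
    r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")

# Constructed log format: <ts> <client> <method> <url> <status> <request_bytes> "<user-agent>"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')


@dataclass
class Alert:
    ts: str
    client: str
    channel: str
    method: str
    req_bytes: int
    user_agent: str
    note: str


def redact(url: str) -> str:
    """Strip bot/webhook tokens so alerts can be shared without leaking them."""
    url = TELEGRAM.sub(lambda m: f"https://api.telegram.org/bot<redacted>/{m.group(2)}", url)
    return DISCORD.sub(lambda m: f"https://discord.com/api/webhooks/{m.group(1)}/<redacted>", url)


def classify(line: str, min_upload: int = 50_000) -> Optional[Alert]:
    """Return an Alert when a line looks like a stealer upload, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, _status, req_bytes, ua = m.groups()
    size = int(req_bytes)
    if tg := TELEGRAM.search(url):
        channel, endpoint = "telegram-bot", tg.group(2)
        suspicious = method == "POST" and endpoint in {"sendDocument", "sendMessage"}
    elif DISCORD.search(url):
        channel, endpoint = "discord-webhook", "webhook"
        suspicious = method == "POST"
    else:
        return None
    if not suspicious:
        return None
    browser_ua = "Mozilla/" in ua
    big = size >= min_upload
    if not big and browser_ua and channel == "discord-webhook":
        return None  # ordinary Discord use from a browser; bot API traffic is rarer
    note = []
    if big:
        note.append(f"{size} byte upload")
    if not browser_ua:
        note.append(f"non-browser client {ua!r}")
    note.append(redact(url))
    return Alert(ts, client, channel, method, size, ua, "; ".join(note))


def scan(lines: List[str], min_upload: int = 50_000) -> List[Alert]:
    """Run classify() over a batch of log lines and keep the hits."""
    return [a for a in (classify(line, min_upload) for line in lines) if a]


# Constructed sample: two benign requests, then a Luca-style status message
# and archive upload from a client that sends no browser User-Agent.
SAMPLE_LOG = [
    '2023-07-24T10:01:02Z 10.0.0.15 GET https://www.microsoft.com/edge 200 0 "Mozilla/5.0 (Windows NT 10.0) Edge/115"',
    '2023-07-24T10:03:11Z 10.0.0.15 POST https://discord.com/api/webhooks/111111111111111111/AbCdEf-ghIJ 204 812 "Mozilla/5.0 (Windows NT 10.0) Chrome/115"',
    '2023-07-24T10:05:40Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAEexampleTokenValue/sendMessage 200 1480 ""',
    '2023-07-24T10:05:41Z 10.0.0.15 POST https://discord.com/api/webhooks/222222222222222222/XyZ_webhookToken 200 7340032 ""',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.ts, alert.client, alert.channel, alert.note)
```

The size threshold and the User-Agent heuristic are the two knobs worth tuning: a multi-megabyte POST to a webhook from a process that is not a browser is the archive upload the article describes, while the small sendMessage call just before it is the statistics message. Pairing the two from the same client within a minute is a stronger signal than either alone.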

One notable difference between Luca and other stealers is that Luca does not hijack cryptocurrency transactions by rewriting wallet addresses copied to the clipboard. That omission works in its favour: reading the clipboard without a user action is behaviour antivirus software watches for, so its absence makes the malware harder to detect. Stealing the entire wallet rather than a single transaction can also be more profitable, and it has a better chance of going unnoticed.

Luca stealer spreading

It is not yet clear how exactly this stealer spreads. Luca is quite stealthy: at the time of writing only about one in five antimalware engines on VirusTotal detected it. That is likely due to the language it is written in, Rust, which has already appeared in ALPHV/BlackCat ransomware and proved a good way to evade detection. Rust also makes it easier for the crooks to build cross-platform malware. The usual stealer distribution methods, malicious spam on various platforms and phishing, would fit Luca as well; which one the cybercriminals actually choose remains to be seen.

Is there a reason to be concerned?

There is always a reason to be concerned if you keep anything valuable in digital form. Cryptocurrency prices are going up, and so is the hackers' interest in other people's crypto savings. The big wave of crypto stealers has subsided, which makes each new stealer that can dig into crypto wallets all the more dangerous: such programs can no longer rely on sheer demand on the black market and must offer something special or fail. There are already around 25 recorded cases of Luca Stealer being used in the wild. Not hugely impressive, but a lot for a newcomer that appeared only days ago.

It is recommended to keep login information in a dedicated application rather than in the web browser. Better still is to avoid infection altogether by following basic cybersecurity rules. Reducing the likelihood is the goal; never assume the probability of such an unpleasant case is zero.
