Luxy is a 32-bit .NET malware that combines credential theft with ransomware, targeting browsers and wallets. It exfiltrates stolen user credentials and browser data over Telegram, encrypts files with AES256, and leaves a ransom note with a decryption key. #Luxy #UmbralStealer
Keypoints
- Malware Type: Luxy is a combined stealer and ransomware.
- Stealing Mechanism: Collects user passwords and browser details and exfiltrates them via Telegram, in the same way as the Umbral stealer.
- Ransomware Functionality: Encrypts files and leaves a ransom note with decryption instructions.
- Execution Control: Uses a mutex for single instance execution and checks for network connectivity.
- VM Detection: Identifies virtual machines and terminates if detected.
- Blacklist Checks: Compares system UUID and running processes against blacklists to avoid detection.
- Extended Theft: Targets cookies, passwords across multiple browsers, cryptocurrency wallets, Minecraft sessions, and Roblox cookies.
MITRE Techniques
- [T1003] Credential Dumping – Steals passwords and cookies from browsers.
- [T1486] Data Encrypted for Impact – Encrypts files using AES256 and leaves a ransom note.
- [T1055] Process Injection – Uses a mutex to ensure single instance execution.
- [T1497] Virtualization/Sandbox Evasion – Checks for virtual machine indicators and terminates if detected.
- [T1112] Modify Registry – Changes the hosts file to block access to certain websites.
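The hosts-file tampering listed above leaves a visible trace on disk: hostnames pointed at a loopback or null address. The following auditor is an added example written for this summary, not code from the K7 Labs write-up or from the malware; it parses a hosts file, ignores the stock loopback entries, and reports every other hostname that has been sinkholed. The sample hosts content and the `example-av.test` domains are constructed placeholders, since the write-up does not name the blocked sites.

```python
"""Audit a hosts file for sinkhole-style entries (added example, not from the page)."""
import ipaddress

# Destinations that make a hostname unreachable when placed in the hosts file.
SINKHOLE_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("::/128"),
]

# Loopback mappings that belong in a stock hosts file and are not findings.
ALLOWED_LOCAL = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def is_sinkhole(addr: str) -> bool:
    """True if addr is a loopback/null address that blackholes a hostname."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in SINKHOLE_NETS)


def audit_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, address, hostname) for every suspicious mapping."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if not is_sinkhole(addr):
            continue  # ordinary static mapping, not a block
        for name in names:
            if name.lower() not in ALLOWED_LOCAL:
                findings.append((lineno, addr, name.lower()))
    return findings


# Constructed sample: stock loopback entries plus two sinkholed entries of the
# kind a hosts-file block of "certain websites" produces. Domains are placeholders.
SAMPLE_HOSTS = """\
# stock hosts file header
127.0.0.1       localhost
::1             localhost
0.0.0.0         updates.example-av.test   # blocks a vendor update site
127.0.0.1       www.example-av.test
203.0.113.5     mirror.example.test
"""

if __name__ == "__main__":
    for lineno, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

Run it against the live file (`C:\Windows\System32\drivers\etc\hosts` on Windows, `/etc/hosts` elsewhere) by passing the file's contents to `audit_hosts`; a non-empty result on a host that should have a stock hosts file is worth a closer look, and the same check fits naturally into an endpoint baseline or a file-integrity alert on that path.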
Indicators of Compromise
- [Hash] Context – 09B5F5200E59D3A4623D739661CE9832
Read more: https://labs.k7computing.com/index.php/luxy-a-stealer-and-a-ransomware-in-one/