LOLI Stealer is a Golang-based infostealer sold under a malware-as-a-service (MaaS) model; it steals passwords, cookies, cryptocurrency wallet data and screenshots from infected machines. Cyble Research Labs tracked LOLI Stealer and its evolving capabilities, including data exfiltration to a C2 server and anti-analysis checks, with multiple samples observed in the wild.
Keypoints
- LOLI Stealer is a Golang-based infostealer that has reappeared in recent weeks with over 20 samples identified since June 2022.
- It is advertised and deployed via a MaaS model at low prices (roughly $9–$25 USD, depending on subscription period or lifetime access).
- The malware targets a wide range of data, including passwords, cookies, browser histories, wallet data from 10 wallets, and Telegram/Steam session data.
- Anti-analysis techniques are used (e.g., detection of WINE environments) and the binary is UPX-packed to hinder analysis.
- LOLI Stealer creates a randomly named folder in the user's home directory to stage stolen data, collects files from the local system and browser profile directories into it, then packs the result into a ZIP archive and Base64-encodes it for exfiltration.
- Data is exfiltrated over HTTP to a C2 gate URL (listed under Indicators of Compromise), and the malware deletes the staged files after a successful upload.
- Cyble notes the campaign is active with numerous samples and recommends standard hardening measures and user education to mitigate such threats.
MITRE Techniques
- [T1204] User Execution – The malware is executed by the user; “Upon executing the malware file, it attempts to identify if the file is running in a WINE environment by checking the wine_get_version() function via the GetProcAddress API.”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis behavior by detecting a WINE environment as part of execution; “identifying if the file is running in a WINE environment…”
- [T1027] Software Packing – The binary is packed with UPX; “a 64-bit executable file packed with UPX.”
- [T1518] File and Directory Discovery – The stealer reads files from specific directories to gather data; “querying and reading files from the below-mentioned directories.”
- [T1082] System Information Discovery – The sample contains a Go build identity used for environment awareness; “The unique build ID of the Go compiled binary is shown below.”
- [T1552] Credentials In Files – The stealer harvests browser credentials (passwords) and other sensitive data; “Stealing passwords, cookies, histories, etc. from a huge number of browsers based on Gecko/Chromium.”
- [T1005] Data from Local System – Data is collected from the local machine (wallets, browser data) before exfiltration; “The stealer starts extracting crypto wallet information by querying and reading files from the below-mentioned directories.”
- [T1560] Archive Collected Data – The stolen data is archived before exfiltration; “After collecting all the information, the stealer creates a ZIP archive out of the stolen files for exfiltration.”
- [T1113] Screen Capture – The malware captures screenshots; “takes a screenshot of the victim’s machine using the BitBlt() API function from the Gdi32.dll.”
- [T1071] Application Layer Protocol – Data is exfiltrated via a web request to a C2 URL; “the stealer sends the Base64-encoded ZIP file… to the URL: hxxp[:]//webStealer[.]ru/gate[.]php.”
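The techniques listed above (UPX packing, the WINE check via wine_get_version(), and the Go build ID) each leave a static footprint that a defender can look for during triage. The following script is an added example, not code from the Cyble report or from the malware; it performs heuristic byte scanning over a constructed stand-in blob rather than parsing the PE headers, and the build ID value in the blob is a placeholder. On a real UPX-packed sample the Go build ID and most strings are compressed, so run the check again after unpacking (for example with `upx -d`) to see them.

```python
import re

# Constructed stand-in for a file's raw bytes: NOT a real sample, just the
# markers a triage script looks for, surrounded by filler bytes.
SAMPLE_BYTES = (
    b"MZ" + b"\x00" * 60                                   # DOS header magic
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"          # UPX section names
    + b"\x90" * 32
    + b'Go build ID: "EXAMPLE-PLACEHOLDER-BUILD-ID"\x00'   # placeholder build ID
    + b"\x00" * 16
    + b"GetProcAddress\x00wine_get_version\x00ntdll.dll\x00"  # WINE check strings
    + b"\xcc" * 32
)

# UPX leaves its section names and the "UPX!" packer marker in packed files.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
# Go embeds its build ID as a quoted string in the binary.
GO_BUILD_ID_RE = re.compile(rb'Go build ID: "([^"]{1,120})"')
# The export name resolved via GetProcAddress to detect a WINE environment.
WINE_CHECK_STRINGS = (b"wine_get_version",)


def triage(data: bytes) -> dict:
    """Heuristic static triage: report packing, Go build ID and WINE-check strings.

    This is plain substring scanning, suitable as a first pass before
    unpacking and full PE analysis; it does not prove the file is malicious.
    """
    findings = {
        "is_pe": data[:2] == b"MZ",
        "upx_packed": any(marker in data for marker in UPX_MARKERS),
        "go_build_id": None,
        "wine_check": any(s in data for s in WINE_CHECK_STRINGS),
    }
    match = GO_BUILD_ID_RE.search(data)
    if match:
        findings["go_build_id"] = match.group(1).decode("ascii", errors="replace")
    # Simple priority score: each indicator present raises it by one.
    findings["score"] = sum(
        1 for key in ("upx_packed", "wine_check") if findings[key]
    ) + (1 if findings["go_build_id"] else 0)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

The score is only a sorting aid for a pile of samples: a UPX-packed Go binary is common in legitimate software too, so the WINE-check string and a hash match against known IoCs carry far more weight than packing alone.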
Indicators of Compromise
- [Hash] MD5 – 09e7df1b7af441df97311eb490cf6253 – associated with DsMicrosoft_Launcher.exe
- [Hash] SHA256 – 595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec – associated with DsMicrosoft_Launcher.exe
- [URL] C2 – hxxp[:]//webStealer[.]ru/gate[.]php – used for data exfiltration to the C2 server
- [Domain] Domain – webStealer.ru – C2 domain used for exfiltration
- [File] File name – DsMicrosoft_Launcher.exe – file name of the analyzed sample
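The IoCs above are published defanged, and the exfiltration itself has a recognizable shape (an HTTP POST whose body is a Base64-encoded ZIP, which always begins with "UEsDB" because the ZIP local-file-header magic PK\x03\x04 encodes to that prefix). The script below is an added example, not part of the Cyble report: it refangs the published IoCs, matches them against constructed proxy log lines in a made-up space-separated format (timestamp, client IP, method, URL, status, first bytes of the request body), flags the Base64-ZIP POST pattern independently of the IoCs, and checks observed file hashes against the report's values. The log lines and the hash lookup input are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import urlparse

# IoCs from the report, kept defanged exactly as published.
DEFANGED_IOCS = {
    "c2_url": "hxxp[:]//webStealer[.]ru/gate[.]php",
    "c2_domain": "webStealer.ru",
    "md5": "09e7df1b7af441df97311eb490cf6253",
    "sha256": "595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec",
}

# A Base64-encoded ZIP starts with the encoding of "PK\x03\x04", i.e. "UEsDB".
B64_ZIP_PREFIX = base64.b64encode(b"PK\x03\x04")[:5].decode()

# Constructed proxy log lines (not from the report):
# <timestamp> <client> <method> <url> <status> <body_prefix>
PROXY_LOG = [
    "2022-08-03T10:15:01Z 10.0.0.15 POST http://webStealer.ru/gate.php 200 UEsDBBQAAAAIAJ",
    "2022-08-03T10:15:05Z 10.0.0.15 GET http://example.invalid/index.html 200 PGh0bWw+",
    "2022-08-03T10:16:30Z 10.0.0.22 POST http://updates.example.invalid/upload 200 UEsDBBQAAAAIAD",
    "2022-08-03T10:17:00Z 10.0.0.31 POST http://api.example.invalid/login 401 eyJ1c2VyIjoi",
]


def refang(ioc: str) -> str:
    """Undo common defanging ([.] , [:] , hxxp) so IoCs compare with real log fields."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def analyze_proxy_log(lines):
    """Return one alert per log line that matches an IoC or the exfil pattern."""
    c2_url = refang(DEFANGED_IOCS["c2_url"]).lower()
    c2_domain = refang(DEFANGED_IOCS["c2_domain"]).lower()
    alerts = []
    for line in lines:
        ts, client, method, url, status, body_prefix = line.split()
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if url.lower() == c2_url or host == c2_domain:
            reasons.append("known LOLI Stealer C2 (IoC match)")
        # Behavioural rule: works even after the operator moves to a new domain.
        if method == "POST" and body_prefix.startswith(B64_ZIP_PREFIX):
            reasons.append("POST body is a Base64-encoded ZIP archive (exfil pattern)")
        if reasons:
            alerts.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return alerts


def match_hashes(observed: dict) -> list:
    """Return which hash algorithms in `observed` match the report's sample hashes."""
    hits = []
    for algo in ("md5", "sha256"):
        value = observed.get(algo)
        if value and value.lower() == DEFANGED_IOCS[algo]:
            hits.append(algo)
    return hits


if __name__ == "__main__":
    for alert in analyze_proxy_log(PROXY_LOG):
        print(alert["ts"], alert["client"], alert["url"], "; ".join(alert["reasons"]))
    # Constructed lookup input: the report's MD5 in upper case, as a tool might emit it.
    print(match_hashes({"md5": "09E7DF1B7AF441DF97311EB490CF6253"}))
```

The second alert (client 10.0.0.22) fires on the body pattern alone; that is the rule worth keeping once the webStealer.ru domain is rotated, although legitimate uploads of ZIP files in Base64 form do occur, so tune it by destination reputation and client population before acting on it automatically.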
Read more: https://blog.cyble.com/2022/08/03/loli-stealer-golang-based-infostealer-spotted-in-the-wild/