Cyble Research Labs analyzed Luca Stealer, a Rust-based stealer targeting Chromium browsers, crypto wallets, chat apps, and games, whose source code leaked on a cybercrime forum in July 2022. Since then, the malware has seen multiple updates and wider adoption after the source also appeared on GitHub. Hashtags: #LucaStealer #Rust
Keypoints
- Luca Stealer is a Rust-based malware discovered during threat-hunting activity, with over 25 samples in the wild.
- It targets Chromium-based browsers, chat apps, crypto wallets, and gaming apps, and can exfiltrate other files as well.
- Initial data exfiltration used a Telegram bot; later support for Discord webhooks was added to handle larger payloads.
- Multiple Threat Actors (TAs) appear to have contributed to its development, according to accompanying figures and logs.
- The malware automatically collects system info, IP/geolocation, screenshots, browser data, wallet data, and session tokens, then bundles and exfiltrates them via Discord or Telegram.
- It uses Windows-specific paths (LocalAppData, AppData, Temp) and a hidden logsxc folder to store stolen data before exfiltration.
- At present, Luca Stealer targets Windows and could expand to other platforms; defenders are advised to block exfil channels and monitor for similar tool deployments.
MITRE Techniques
- [T1204] User Execution – The developer has also provided the steps to modify the stealer and compile the source code for ease of use. Quote: “the developer has also provided the steps to modify the stealer and compile the source code for ease of use.”
- [T1113] Screen Capture – The stealer uses the screenshots library to grab a screenshot of the victim’s system and saves that as a .png file for exfiltration. Quote: “The stealer then uses the screenshots library to grab a screenshot of the victim’s system and saves that as a .png file for exfiltration.”
- [T1555] Credentials from Password Stores – The stealer targets Chromium-based browsers and steals Login Credentials, Credit Cards, and Cookies from browsers, with decryption using DPAPI. Quote: “stolen Login Credentials, Credit Cards, and Cookies from browsers and saves it to a text file for exfiltration. To decrypt browser data, the stealer leverages the DPapi.CryptUnprotectData() function.”
- [T1020] Automated Exfiltration – Data is prepared and exfiltrated via automated channels (Discord webhooks or Telegram bot). Quote: “exfiltrates this data using Discord Webhooks or a Telegram Bot.”
- [T1071] Application Layer Protocol – Exfiltration channels use application-layer protocols (Discord/Telegram). Quote: “exfiltrates this data using Discord Webhooks or a Telegram Bot.”
- [T1518] Software Discovery – The stealer uses environment variables to locate LocalAppData and checks for a logsxc folder before execution. Quote: “Using the environment variable %localappdata%, the stealer identifies the path of the LocalAppData folder. Before initiating stealing activities, it checks if the ‘logsxc’ folder is present in the AppData directory.”
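As an added defender-side check (not code from the Cyble report or from the stealer itself), the script below looks for the `logsxc` staging folder the report describes under the three locations it names (LocalAppData, AppData, Temp), reports whether the folder carries the Windows hidden attribute, and inventories what is staged there so an analyst can judge how much was collected before exfiltration. The function and variable names are this example's own; the folder name and locations come from the report.

```python
import os
import stat
from pathlib import Path

# Staging folder name the report attributes to Luca Stealer.
STAGING_DIR_NAME = "logsxc"


def is_hidden(path: Path):
    """Windows hidden attribute for `path`: True/False, or None on other platforms."""
    try:
        attrs = path.stat().st_file_attributes  # only present on Windows
    except AttributeError:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def candidate_roots():
    """The three locations the report names, resolved from the environment."""
    roots = []
    for var in ("LOCALAPPDATA", "APPDATA", "TEMP"):
        value = os.environ.get(var)
        if value:
            roots.append(Path(value))
    return roots


def find_staging_dirs(roots, name=STAGING_DIR_NAME):
    """Return one finding per root that contains a `name` directory."""
    findings = []
    for root in roots:
        candidate = Path(root) / name
        if not candidate.is_dir():
            continue
        files = [p for p in candidate.rglob("*") if p.is_file()]
        findings.append({
            "path": str(candidate),
            "hidden": is_hidden(candidate),
            "file_count": len(files),
            "total_bytes": sum(p.stat().st_size for p in files),
            "names": sorted(p.relative_to(candidate).as_posix() for p in files),
        })
    return findings


if __name__ == "__main__":
    for finding in find_staging_dirs(candidate_roots()):
        print(f"{finding['path']}: hidden={finding['hidden']} "
              f"files={finding['file_count']} bytes={finding['total_bytes']}")
        for relative_name in finding["names"]:
            print("   ", relative_name)
```

Run it on an endpoint to enumerate staged files; an empty result only means the folder is absent at that moment, since the stealer may remove it after exfiltration.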
Indicators of Compromise
- [MD5] Stealer Payload – 60a9f28b0fb727587b7b8fd326a86685, 5deb33f73ddf3ce8592207a1017b39cd, and 2 more hashes
- [SHA-1] Stealer Payload – b0dbef65d1c3575f0e4fe6c466a952deeed804a1, 08042ae79e699583602ae7a55d7e2b3d945921d2, and 2 more hashes
- [SHA-256] Stealer Payload – 2e9a2e5098bf7140b2279fb2825ea77af576f36a93f36cad7938f4588d234d3a, 4029583855e92b84363f6609bd578bd1b4bafb3aae479f0dbf4da2e15ce569f2, and 2 more hashes
Read more: https://blog.cyble.com/2022/07/25/luca-stealer-source-code-leaked-on-a-cybercrime-forum/