URL: https://blog.cyble.com/2023/07/21/fabricated-microsoft-crypto-wallet-phishing-site-spreads-infostealer/
FABRICATED MICROSOFT CRYPTO WALLET PHISHING SITE SPREADS INFOSTEALER

 * July 21, 2023




LUCA STEALER MAKING WAVES IN THE CYBER THREAT LANDSCAPE



Launching new products generates excitement and eagerness among consumers, who
eagerly anticipate the latest technological innovations and advancements.
However, this excitement also attracts malicious intent.

Threat Actors (TAs) often take advantage of the hype surrounding new product
releases to carry out their devious schemes. These cybercriminals create
deceptive phishing sites that impersonate legitimate platforms, seeking to
compromise users’ security and privacy. Through these fraudulent websites, TAs
deliver malware payloads disguised as genuine applications, leading to
potentially severe consequences for unsuspecting users.

Cyble Research and Intelligence Labs (CRIL) has recently discovered a phishing
website with the URL “hxxps[:]//microsoft-en[.]com/cryptowallet/,” which is
deceptively posing as the legitimate Microsoft Crypto Wallet platform. The main
victims targeted by this fraudulent site are cryptocurrency enthusiasts. The
site employs a clever disguise, prompting users to download an executable file
that supposedly represents the official Crypto Wallet.

Unfortunately, beneath the facade of offering a cutting-edge cryptocurrency
solution, this deceptive website harbors a malicious InfoStealer named “Luca
Stealer.” The primary purpose of Luca Stealer is to gather sensitive information
and personal data from unsuspecting users covertly.

The below figure shows the Microsoft Crypto Wallet phishing site.

Figure 1 – Phishing Site



Several months ago, news surfaced regarding Microsoft’s plan to develop a Crypto
Wallet exclusively for its Edge browser. In light of this development, a
concerning phishing site depicted in Figure 1 has come to our attention.

Although the exact motives behind the creation of this phishing site remain
unclear, there are indications that a threat actor (TA) could be exploiting the
news to carry out malicious attacks.


One notable detail on the phishing site is the reference to a beta version of
the Crypto Wallet application. This mention further strengthens the possibility
that the TA is taking advantage of Microsoft’s Crypto Wallet development to lure
users into their trap. The attackers aim to deceive users into believing they
are accessing an authentic platform by impersonating a legitimate source and
referencing the beta version.


ANALYSIS



The file downloaded from this site (SHA256:
480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1) is a 64-bit
executable.

The figure below shows the file details.

Figure 2 – File Details



Through our investigation, we identified the executable as Luca Stealer. This
determination was primarily based on the existence of a significant number of
identical strings present in both the suspect executable and the known Luca
Stealer source code. This malware is crafted using the Rust programming
language, and it initially surfaced on cybercrime forums in the year 2022.

Moreover, our earlier blog shed light on the source code for Luca Stealer, which
was openly shared and made available on a cybercrime forum.

The figure provided below clearly illustrates the shared strings that were
instrumental in our identification process.

Figure 3 – Common Strings



Luca Stealer has garnered increasing popularity within cybercrime forums due to
its open-source nature and being developed in Rust. As a result, multiple TAs
have joined forces to enhance its functionalities and optimize its performance.

Notably, the source code of this malware has been observed on various platforms,
with GitHub and TOR being prominent hosts. This widespread distribution ensures
that the code remains easily accessible to a wide range of potential TAs.

The availability of the source code on these platforms facilitates modifications
and customizations, allowing TAs to create tailored versions of the malware to
suit their nefarious objectives.

Figure 4 – Hosted on Different Platforms



During closer examination, a significant update to this stealer revealed the
implementation of two noteworthy techniques – Clipper and AntiVM.

The introduction of Clippers marked a concerning development as it enables TAs
to intercept and manipulate cryptocurrency addresses during transactions.
Through this malicious maneuver, funds intended for one recipient are diverted
to the attacker’s wallet instead, resulting in significant financial losses for
the victim.

What sets this Clipper apart is its versatility. While its primary focus is
cryptocurrency theft, it does not limit its targets to only cryptocurrencies.
Instead, it also extends its reach to target IBANs (International Bank Account
Numbers). By doing so, the Clipper expands its potential victims to include
those engaged in traditional banking transactions, amplifying the risks for a
broader range of users.

The scope of the Clipper’s cryptocurrency targets is extensive, comprising
popular cryptocurrencies such as XMR, BNB, TRX, ETH, BTC, DOGE, BCH, LTC, DASH,
XRP, ADA, TON, NEO, ETC, SOL, ZEC, ALGO, and XLM. By focusing on these
high-value cryptocurrencies, the attackers aim to maximize their illicit gains
and capitalize on the widespread usage and investment in these digital assets.
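The clipboard substitution described above can be spotted on the endpoint by watching for a payment identifier that silently turns into another identifier of the same kind. The following is an added example (not Cyble's code and not the stealer's): it models a series of clipboard observations and flags a change where a BTC, ETH or IBAN value was replaced by another of the same kind with no user copy action; the Snapshot record, the constructed sample timeline and the 2-second window are assumptions.

```python
import re
from collections import namedtuple

# Shape checks for three identifier types the post says the clipper swaps (BTC, ETH, IBAN).
PATTERNS = {
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "IBAN": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
}

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check, so random IBAN-shaped text does not raise alerts."""
    s = iban.replace(" ", "").upper()
    if not PATTERNS["IBAN"].match(s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def classify(value: str):
    """Return 'BTC', 'ETH' or 'IBAN' when the text looks like one of them, else None."""
    v = value.strip()
    if iban_is_valid(v):
        return "IBAN"
    for kind, pat in PATTERNS.items():
        if kind != "IBAN" and pat.match(v):
            return kind
    return None

# One clipboard observation: t = seconds since monitoring started, text = clipboard
# contents, user_copied = True when the change coincides with a user copy action.
Snapshot = namedtuple("Snapshot", "t text user_copied")

def detect_swaps(snapshots, max_gap=2.0):
    """Flag a change where one payment identifier becomes a different identifier of the
    same kind, with no user copy, within max_gap seconds; returns (t, kind, before, after)."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if cur.user_copied or cur.text == prev.text:
            continue
        kind = classify(prev.text)
        if kind and kind == classify(cur.text) and cur.t - prev.t <= max_gap:
            alerts.append((cur.t, kind, prev.text.strip(), cur.text.strip()))
    return alerts

# Constructed sample timeline (not captured data): a BTC address and an IBAN are
# rewritten shortly after the user copies them; the user-driven ETH change is benign.
SAMPLE = [
    Snapshot(0.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", True),
    Snapshot(0.3, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy", False),
    Snapshot(5.0, "GB82 WEST 1234 5698 7654 32", True),
    Snapshot(5.2, "DE89370400440532013000", False),
    Snapshot(12.0, "0x" + "ab" * 20, True),
    Snapshot(15.0, "0x" + "cd" * 20, True),
]
```

Running `detect_swaps(SAMPLE)` returns two alerts, one for the BTC swap at 0.3 s and one for the IBAN swap at 5.2 s; a real monitor would feed it live clipboard reads and user copy events instead of the constructed list.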

AntiVM is a defense evasion technique that TAs use to keep their malware from
executing in a virtualized environment. We observed an additional AntiVM check
in this stealer that sets it apart from the older binary version.

This variant of Luca Stealer now checks the system temperature using a WMI
query, specifically “SELECT * FROM MSAcpi_ThermalZoneTemperature”.

Most virtual machines return an error when executing the query “SELECT * FROM
MSAcpi_ThermalZoneTemperature,” so the malware uses the result to decide
whether to skip execution in a virtualized environment. The check assumes that
the absence of valid temperature data, or an error, indicates that the system
is running in a virtual machine. In this way the malware tries to remain
undetected and evades security measures that could be triggered in virtual
machine setups.

This technique has been employed in the past by malware strains such as
GravityRAT.

The figure below illustrates the WMI query used by the stealer.

Figure 5 – WMI Query



This stealer targets the following cold crypto wallets:

 * Atomic Wallet
 * Exodus
 * Jaxx Wallet
 * Electrum
 * ByteCoin

This stealer variant targets the following browsers:

 * Edge
 * Chedot (Chedot)
 * Elements Browser
 * Torch
 * Opera
 * Chromium
 * Chrome Canary
 * Epic Privacy Browser
 * UC Browser
 * Opera Stable
 * 7star
 * Chrome SxS
 * Chrome
 * Uran
 * Opera GX
 * Amigo
 * Google Chrome
 * Kometa
 * CozMedia
 * ChromePlus
 * Brave
 * CocCoc Browser
 * Orbitum
 * Vivaldi
 * Mapple Studio
 * CentBrowser
 * Dragon (Comodo Dragon)
 * Sputnik
 * Atom
 * Iridium
 * Sleipnir 5
 * Citrio
 * WooGamble
 * Qip Surf
 * 360browser

The stealer targets the following browser extensions:

 * EOS Authenticator
 * Norton Password Manager
 * Sollet
 * Leaf Wallet
 * Bitwarden
 * Avira Password Manager
 * ICONex
 * Cyano Wallet
 * KeePassXC
 * Trezor Password Manager
 * KHC
 * Cyano Wallet Pro
 * Dashlane
 * MetaMask
 * TezBox
 * Nabox Wallet
 * 1Password
 * TronLink
 * Byone
 * Polymesh Wallet
 * NordPass
 * BinanceChain
 * OneKey
 * Nifty Wallet
 * Keeper
 * Coin98
 * DAppPlay
 * Liquality Wallet
 * RoboForm
 * iWallet
 * BitClip
 * Math Wallet
 * LastPass
 * Wombat
 * Steem Keychain
 * Coinbase Wallet
 * BrowserPass
 * MEW CX
 * Nash Extension
 * Clover Wallet
 * MYKI
 * NeoLine
 * Hycon Lite Client
 * Yoroi
 * Splikity
 * Terra Station
 * ZilPay
 * Guarda
 * CommonKey
 * Keplr
 * Sollet
 * EQUAL Wallet
 * Zoho Vault
 * Norton Password Manager
 * ICONex
 * BitApp Wallet

To fetch the public IP address of the infected system, this stealer makes a GET
request to hxxps://myip[.]ch. The figure below shows the network activity.

Figure 6 – GET Request



Once it gathers the targeted information, it compresses the data to streamline
its transfer. To send the stolen data discreetly, the malware leverages a
Telegram bot, using the Telegram messaging platform as a covert communication
channel. It also sends chat messages containing statistics about the stolen
data. Although straightforward, this functionality gives the attacker real-time
updates on the quantity and nature of the compromised data.


CONCLUSION



Luca Stealer shares several key characteristics typical of InfoStealers, but
what sets it apart is its specialized emphasis on targeting data associated with
cryptocurrency wallets and password management software. This refined focus
highlights the malicious intent to exploit the growing popularity and value of
cryptocurrencies, as well as the potential for acquiring sensitive login
credentials.

The fact that Luca Stealer’s source code is open source further compounds the
concern. As more TAs gain access to the codebase, the potential for
customization and adaptation of the malware increases significantly. This
accessibility allows cybercriminals to create unique variants and modify the
behavior of Luca Stealer to suit their specific objectives. Consequently, we can
expect a continuous surge in the number of stealer binaries targeting users.


OUR RECOMMENDATIONS



We have listed some of the essential cybersecurity best practices that create
the first line of control against attackers. We recommend that our readers
follow the suggestions given below:

 * Avoid downloading pirated software from warez/torrent websites. The “Hack
   Tools” offered on sites such as YouTube, torrent sites, etc., typically
   contain such malware.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices.
 * Use a reputed antivirus and internet security software package on your
   connected devices, including PCs, laptops, and mobiles.
 * Refrain from opening untrusted links and email attachments without first
   verifying their authenticity.
 * Educate employees on protecting themselves from threats like phishing and
   untrusted URLs.
 * Block URLs that could be used to spread the malware, e.g., torrent/warez
   sites.
 * Monitor beacons at the network level to block data exfiltration by malware
   or TAs.


MITRE ATT&CK® TECHNIQUES



Tactic               Technique ID  Technique Name
Initial Access       T1566         Phishing
Execution            T1204         User Execution
Defense Evasion      T1497         Virtualization/Sandbox Evasion
Credential Access    T1555         Credentials from Password Stores
                     T1539         Steal Web Session Cookie
                     T1552         Unsecured Credentials
Collection           T1113         Screen Capture
Discovery            T1087         Account Discovery
                     T1518         Software Discovery
                     T1057         Process Discovery
                     T1124         System Time Discovery
                     T1007         System Service Discovery
                     T1614         System Location Discovery
                     T1120         Peripheral Device Discovery
Command and Control  T1571         Non-Standard Port
                     T1095         Non-Application Layer Protocol
Exfiltration         T1041         Exfiltration Over C2 Channel


INDICATORS OF COMPROMISE (IOCS):



Indicators                                                              Indicator type  Description
hxxps[:]//microsoft-en[.]com/cryptowallet/cryptowalletinstaller[.]exe   URL             Phishing Site
hxxps[:]//microsoft-en[.]com/cryptowallet/                              URL             Phishing Site
2753fea9125455e452e1951295158bc5                                        MD5             Luca Stealer
4238700742f6540119fc40f8f001fa1b5da99425                                SHA1            Luca Stealer
480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1        SHA256          Luca Stealer
