This article is more than 1 year old
Luca Stealer malware spreads rapidly after code handily appears on GitHub
Cool, another Rust project ... Oh
A new info-stealer malware is spreading rapidly in the wild as the developer behind it continues to add capabilities and recently released the source code on GitHub.
In addition, the Windows software nasty – dubbed Luca Stealer by the folks at Cyble who detected it – is the latest to be built using the Rust programming language.
The researchers wrote in a report that Luca Stealer already has been updated three times, with the developer adding multiple functions, and that they have seen more than 25 samples of the source code in the wild since it was shared via GitHub on July 3, which may lead to wider adoption by the cybercriminal community.
"The developer of the stealer appears to be new on the cybercrime forum and likely leaked the source code of the stealer to build a reputation for themselves," the researchers wrote. "The developer has also provided the steps to modify the stealer and compile the source code for ease of use."
They noted that Rust is becoming a go-to programming language for malware developers because of its versatility, cross-platform nature, and that the generated code can seem alien to some reverse engineers and their tools, hindering analysis. The prolific Hive ransomware crew this year migrated its source code from Go to Rust, which analysts with Microsoft's Threat Intelligence Center earlier this month said made the exortionware more stable and more difficult to reverse engineer.
Other threat groups also are adopting Rust, including the BlackCat ransomware-as-a-service gang. In addition, Kaspersky security researchers this month wrote about a new ransomware family – Luna – that is written in Rust. We're not too surprised by this: Rust is seen as an up and coming general-purpose language that programmers are using for all kinds of projects, legit and malicious.
"Rust is to C as Go is to Java," Casey Bisson, head of product and developer enablement at code security business BluBracket, told The Register. "It's fast, compact, and modern. The Cargo package manager offers developer convenience similar to that of Go and Node.js, with performance more similar to C. Rust's native support for linking against C libraries, such as those used to provide code services in many operating systems, is a great convenience for attackers."
- Cyber-mercenaries for hire represent shifting criminal business model
- Google pulls malware-infected apps in its Store, over 3 million users at risk
- Thousands of websites run buggy WordPress plugin that allows complete takeover
- FBI and MI5 bosses: China cheats and steals at massive scale
Bisson added that the "combination of developer convenience, capability, and performance will make it an increasingly common development platform for new threats. The novelty of the platform could mean that many software scanners are unprepared to recognize threat signatures in binaries generated from Rust."
Brendan Hohenadel, adversarial engineer at LARES Consulting, told The Register that Rust is an attractive language due to, among other things, its relative ease of use, its support for accessing Windows APIs, and its memory management approach that aims to make software more stable.
"Threat actors can write malware in Rust that has the same functionality as malware written in more complex languages quicker and more efficiently," Hohenadel said. "Rust, along with other newer programming languages like Golang and Nim, create their executable binaries for static and manual analysis to occur. Other popular languages, such as C++, C#, and .Net are straightforward to decompile and reverse engineer, making it easier for defenders to perform investigations and attribute malicious actions to criminal groups."
That reverse engineering process can be a more time-consuming with code generated by the Rust toolchain, depending on the tools used and experience of the analyst. The executable is compiled in a way that "is effectively a black hole. Gaining information from the executable for attribution without running it in a sandbox or an environment with monitoring software is much more challenging," he said.
Luca Stealer currently only targets Windows OSes, even though Rust is a cross-platform language, according to Cyble researchers. Given that the malware is written in Rust and released for free, it will be adopted by myriad attackers around the world, they wrote.
Once running on a PC – perhaps via a dodgy download or email attachment – Luca Stealer targets more than 30 Chromium-based browsers – stealing login credentials, credit cards and cookies and saving them to a text file for exfiltration – as well as chat applications, cryptocurrency wallets, and gaming applications. It also can steal victims' files.
It initially was designed to exfiltrate stolen data using a Telegram bot, but it was limited to uploading data in sizes up to 50MB, so the developer added compatibility to Discord web hooks.
The malware targets 10 cold crypto wallets for exfiltration, with a hardcoded file-system path of the wallets in the source code. Other targets are browser extensions of password managers and crypto wallets for more than 20 browsers, they wrote. Every browser has a unique ID, which can help attackers search for extensions in the AppData directory.
In addition, Luca Stealer checks compromised systems for Steam, Uplay, and Telegram applications and grabs data from multiple folders. It also looks for four messenger applications: Discord, ICQ, Element, and Skype.
The Cyble researchers laid out a number of ways users can protect themselves from malware like Luca Stealer, including not downloading files from untrusted sources, regularly clearing their browsing histories and resetting passwords, automatically updating software on connected devices, and running antivirus and internet security software on systems.
Enterprises also need to continue to educate employees about threats like phishing and untrusted URLs. ®