In today’s digital landscape, the rise of malware presents significant threats to both personal and organizational security. One particular category of malware, known as stealers, is specifically designed to exfiltrate sensitive data, including login credentials and financial information.

In this blog, we will explore how stealers operate, their impact on cybersecurity, and effective strategies to protect your data from these threats. Understanding these malicious tools is essential for maintaining your digital security. Here, we will delve into one notable stealer: Luca Stealer.

What is Luca Stealer?

Luca Stealer is an open-source, Rust-based Windows stealer specifically designed to exfiltrate sensitive data from applications and cryptocurrency wallets, as well as manipulate clipboard contents. The stealer can target multiple Chromium-based browsers, chat applications, crypto wallets, and gaming applications, and has the added functionality of stealing victims’ files. Developed by an individual known as Luca, the source code for this malware was intentionally released in July 2022 on underground forums and GitHub, aiming to boost the creator's reputation within the cybercriminal community. This open-source nature not only enhances Luca's visibility but also encourages other malicious actors to modify and deploy the stealer.

Since its release, Luca Stealer has undergone multiple updates, both from the original author and various threat actors.

These updates have significantly enhanced Luca Stealer's potential for damage. This malware can target various applications, including Telegram, Discord, ICQ, Skype, and Element, gathering login credentials, siphoning off private information, accessing cryptocurrency wallets, and manipulating clipboards.

How Luca Stealer Works?

In this section, we will explore the internal mechanics of Luca Stealer by closely examining its source code and how Luca Stealer distributes.

Distribution Methods

Luca Stealer has been notably distributed through phishing attacks targeting cryptocurrency users. Last year, Microsoft announced plans to create a crypto wallet for its Edge browser, sparking interest among users. Cybercriminals quickly capitalized on this news by creating a website that closely mimicked Microsoft’s legitimate site.

Gridinsoft security researchers discovered this phishing site, which featured a convincing design and the URL hxxps[:]//microsoft-en[.]com/cryptowallet/, making it appear legitimate. The site invited users to download a beta version of the crypto wallet, but instead of the promised software, users unknowingly downloaded Luca Stealer.

Overview of the Code

Luca Stealer is developed in Rust, a language renowned for its performance and safety features, which make it a powerful tool for data exfiltration. Its efficiency and capability for low-level memory management have made Rust increasingly popular among hackers and threat actors. Below, we will highlight key segments of the code to illustrate its inner workings.

Key Code Snippets:

Luca Stealer's Data Exfiltration Methods

Initially designed to exfiltrate data via a Telegram bot, it later added Discord webhook compatibility due to a 50 MB upload limit. In the latest version, Discord support was removed, introducing two new features: GATE and ONIONGATE.

‍

Clipboard Manipulation

This stealer also includes clipboard functionality, using regex to search for wallet addresses in the clipboard and replace them.

Targeted Applications

Luca Stealer targets a wide range of applications to maximize its data exfiltration capabilities. Below is a list of the categories and specific applications it can compromise:

• Messengers: Telegram
• Browsers: Firefox, Chromium-based browsers (e.g., Chrome, Edge)
• Cold Wallets
• Hot Wallets

Data Collections

The stealer creates a log file named user_info.txt and adds all the information about the victim, including country, username, desktop environment, operating system, city, postal code, ISP, timezone, and connection details. It also includes a summary of all the data that was stolen, such as the count of stolen accounts, passwords, credit card information, and screenshots. This data is compiled into a zip file in the user's temp directory and sent using the provided methods, such as Telegram or OnionGate.

Persistence Mechanism

Luca Stealer employs sophisticated persistence techniques to ensure it remains active on a victim's machine even after a reboot. This is crucial for malware, as it allows continuous access to sensitive data without requiring the user to execute it again.

The code utilizes the following methods for persistence:

1. Check for Elevated Privileges: The stealer first checks if it is running with administrative privileges. This is essential for creating scheduled tasks that can run with elevated permissions.
2. Scheduled Tasks: If the stealer has the necessary permissions, it creates a scheduled task using the Windows schtasks command. This task is configured to trigger on user logon, ensuring that the stealer executes automatically whenever the victim logs into their account.
3. Startup Folder: Additionally, the stealer copies itself to the Windows Startup folder. This method guarantees that it runs whenever the system starts, providing another layer of persistence.

By combining these techniques, Luca Stealer ensures that it can maintain its presence on the victim’s machine, continuously siphoning off sensitive information and remaining hidden from the user's awareness.

Anti-Debug and Anti-Emulation Features

Luca Stealer incorporates advanced measures to protect itself from reverse engineering and analysis. These features are crucial for maintaining the malware’s effectiveness and evading detection by security researchers.

1. Anti-Debugging: The stealer employs functions to detect if it is being debugged. It uses Windows API calls to check for the presence of debuggers. If a debugger is detected, the malware can terminate itself or alter its behavior to avoid analysis. This makes it significantly harder for researchers to understand its inner workings.
2. Anti-Emulation: Additionally, Luca Stealer is designed to detect when it is running in a virtualized or emulated environment. By identifying such conditions, the malware can alter its execution path or shut down, further complicating efforts to study its behavior in safe environments.

These protective features highlight the increasing sophistication of malware, making it imperative for cybersecurity professionals to develop more advanced tools and techniques to counteract these evasion tactics.

String Obfuscation

This stealer employs the obfstr crate to obscure all strings, commands, and tokens, including those used for Telegram. This technique enhances Luca Stealer's ability to evade detection by security measures and analysis tools. By hiding critical information through obfuscation, the malware maintains operational security, ensuring prolonged effectiveness in compromising target systems.

There are numerous other dangerous functions integrated into the stealer that remain to be explored. As of the current writing, cybercriminals are consistently enhancing the stealer's capabilities to inflict more extensive damage.

Risks and Impacts

Luca Stealer poses significant risks to both individuals and organizations, making it essential to understand its potential consequences.

• Data Breaches: The primary function of Luca Stealer is to exfiltrate sensitive information, such as login credentials and financial data, leading to serious data breaches.
• Financial Loss: Organizations may face substantial financial losses due to unauthorized transactions and recovery costs, along with potential legal liabilities from compromised data.
• Reputational Damage: For businesses, a data breach can result in reputational harm, eroding customer trust and loyalty.

Protection Strategies

To protect against Luca Stealer and similar malware, consider the following strategies:

1. Use Strong Passwords: Create complex passwords and use a password manager.
2. Enable Two-Factor Authentication (2FA): Add an extra layer of security to your accounts.
3. Keep Software Updated: Regularly update your operating system and applications to patch vulnerabilities.
4. Install Security Software: Use reputable antivirus solutions for real-time protection.
5. Be Cautious with Downloads: Avoid downloading files from untrusted sources.
6. Educate Yourself and Your Team: Stay informed about cybersecurity threats and recognize phishing attempts.
7. Backup Important Data: Regularly back up your data to recover it in case of an attack.
8. Monitor Your Accounts: Check for unauthorized activity on your accounts regularly.

Implementing these strategies can significantly reduce your risk of falling victim to malware like Luca Stealer.

Conclusion

In conclusion, malware like Luca Stealer presents significant dangers by compromising sensitive data and leading to potential financial losses, reputational damage, and broader security breaches. Such threats signify the initial steps towards more devastating cyberattacks like ransomware and large-scale data breaches. In 2024, data stealers remain a persistent and increasingly dangerous cyber threat. Implementing strong cybersecurity practices is crucial to mitigate these risks and protect against evolving threats in today's digital landscape.

References

1. https://gridinsoft.com/blogs/luca-stealer-phishing-microsoft-crypto-wallet/

‍