Pierluigi Paganini
May 07, 2020
Nowadays, info-stealer is one of the most common threats. This category of malware includes famous malware like Azorult, Agent Tesla, and Hawkeye. Infostealer market is one of the most remunerative for cyber criminals, information gathered from infected systems could be resold in the cybercrime underground or used for credential stuffing attacks.
Over the last two months, we monitored the evolution and the diffusion of an infostealer dubbed by the authors Poulight that most likely has a Russian origin.
Figure 1: C2 Panel of the Poulight infostealer
Poulight was first spotted by MalwareBytes researchers in middle March and indicators of compromise have been already shared among the security community. The malicious code has advanced stealing capabilities and continues to evolve.
| Hash | 8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95 |
| Threat | Poulight Stealer |
| Brief Description | Poulight Stealer |
| Ssdeep | 1536:GJv5McKmdnrc4TXNGx1vZD8qlCGrUZ5Bx5M9D7wOHUN4ZKNJH:GJeunoMXNQC+E5B/MuO0Ogt |
Table 1. Sample information
Like most of the malware of this specific family, it is generated from a builder available to cyber criminal groups that offer a subscription plan for its “product”. The result is a .NET executable:
Figure 2: Static information about the binary file
A peculiarity of this sample is that it does not have a minimal sign of obfuscation, the analysis is quite easy, so describe the malware capabilities. When the malware is launched, it performs a classical evasion technique (as shown in Fig.3):
Figure 3: Evasion Technique
The implemented evasion technique is one of the most classic ones, where, through the usage of Windows Management Instrumentation (WMI) by executing the query “Select * from Win32_ComputerSystem”. In particular, in this way, some checks of the most relevant tracks of virtualization are provided, like:
These checks are also listed from the Al-Khaser or Pafish tools which are intended to be a test suite to detect malware analysis environments and designed to test the strength of the sandboxes.
Then, the malware is able to proceed with the infection starting a new threat called “Starter”.
Figure 4: Loader module of the malware
The “Starter” class contains the routine to load the components of the malware. Before that, there is the inizalitation of some directories and files used to store the gathered information from the victim machine. This action is performed by the first instruction “global::Buffer.Start()”. The method is quite simple: a series of folders were created inside Windows Special folders (AppData, Local AppData, Personal, Desktop) in this way:
Figure 5: Creation of folders in the Windows Special Folders
After that, the malware extracts the configuration file and its parameters from the resource named “String0”. It is a Base64 encoded string and through the following method are then decoded:
Figure 6: Routine to extract the configuration file
Instead, the content of the configuration file is shown in below figure:
| <settings>PHByb2cucGFyYW1zPllXUnRhVzQ9fE1RPT18TUE9PTwvcHJvZy5wYXJhbXM+PHRpdGxlPlVHOTFiR2xuYUhRPTwvdGl0bGU+PGNwZGF0YT5NSHd3ZkRFeVEwNTFTMnRMU3pGNFRFWnZUVGxRTlRoNlYxaHJSVXhOZURGNU5URjZObGw4TVRKRFRuVkxhMHRMTVhoTVJtOU5PVkExT0hwWFdHdEZURTE0TVhrMU1YbzJXWHd3PC9jcGRhdGE+PHVsZmlsZT5hSFIwY0RvdkwzSjFMWFZwWkMwMU1EY3pOVEk1TWpBdWNIQXVjblV2WlhoaGJYQnNaUzVsZUdVPTwvdWxmaWxlPjxtdXRleD5QTDJkNHZGRWdWYlFkZGRka21zMFpoUWlJMEk8L211dGV4Pg==</settings> |
Code snippet 1
Decoding the Base64 string we obtain a list parameters coming from the builder. The result is:
| <prog.params>YWRtaW4=|MQ==|MA==</prog.params><title>UG91bGlnaHQ=</title><cpdata>MHwwfDEyQ051S2tLSzF4TEZvTTlQNTh6V1hrRUxNeDF5NTF6Nll8MTJDTnVLa0tLMXhMRm9NOVA1OHpXWGtFTE14MXk1MXo2WXww</cpdata><ulfile>aHR0cDovL3J1LXVpZC01MDczNTI5MjAucHAucnUvZXhhbXBsZS5leGU=</ulfile><mutex>PL2d4vFEgVbQddddkms0ZhQiI0I</mutex> |
Code snippet 2
The first information tag “prog.params” is immediately retrieved in the instruction “HandlerParams.Start()” seen in Figure 4. Now, a check of a previous infection is performed before starting a new one. The instruction “AntiReplaySender.CheckReplayStart()” (in figure 4) is delegated to do that.
Figure 7: Check of a previous infection
The malware tries to find the id of the mutex, declared inside the relative tag seen in code snippet 2, inside the “%TEMP%” folder. If the file is present, the malware does not execute itself another time, otherwise it writes this empty file to sign the infection is started. After that, we turn into the actual malicious main contained inside the “XS” class , as seen in the figure 4. The first piece of the code is the following:
Figure 8: Initialization of the mail module
The first instruction is “Information.Start()” where all the information about the hardware and software of the host is collected in this way:
Figure 9: Routine for retrieving the configuration of the victim machine
We can notice that the malware uses both English and Russian languages to log the information gathered. After that, the stealer turns to enumerate and log all the active processes inside the operative system.
Figure 10: Routine to extract the process list
Now, as seen in the figure 8, a check on the third parameter is performed. If it is equal to one, the “clipper” module is executed.
Figure 11: Routine to decrypt and execute an embedded component
As show in the above figure, this code is able to decrypt a component contained inside the “clbase” tag with the AES key stored inside the “cpdata” tag. However, in the specific configuration there is no “clbase” field, so we don’t have any other component to install. The last instruction seen in Figure 8 is “CBoard.Start”, which works in the following way:
Figure 12: Routine to steal the clipboard data
The next step is to gathered all the sensitive information on the victim machine:
Figure 14: Stat of the stealing modules
The malware steal a huge amount of data:
The most interesting part is the module “DFiles” instructed to steal the sensitive documents. It starts with searching files with one of the following extensions:
Figure 15: Routine for search the files with the specific extensions
Inside of the collected files, the malware looks for the classic keywords indicating that the content of the files conserve some useful credentials. The keywords are the following:
Figure 16: List of keywords searched inside the documents
Then the malware collect all the information inside an unique data structure and send it to the C2 retrieved in another resource named “connect”:
Figure 17: Routine to upload to the C2 the stolen information
In the end, it downloads and executes other components from the Internet. The parameters are retrieved in the same way seen in the previous section: a tag named “ulfile” contains the component to download.
Figure 18: Routine to download other components from Internet
Poulight stealer has an incredible potential to steal sensitive information. It is not excluded that in the future it might replace other info stealers like Agent Tesla, remcos ecc. However, the limitation of the implant is the lack of code obfuscation and data protection, but this could be explained due the fact that, maybe, the malware is in the early stages of development. The crooks probably will enhance these features, but at the same time, we’ll continue to keep track of them!
Additional technical details, including Indicators of Compromise (IoCs) and Yara rules, are available here:
Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Facebook, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
APT / November 18, 2024
