A new malware variant dubbed Luca Stealer is growing in popularity following the release of its source code for free in July. At present, it appears that attacks are at a relatively low level, but the number of variants detected has increased in recent weeks and there is concern that Luca Stealer could become a significant threat. Luca Stealer is suspected of being used in an attack on the Solana blockchain network (SOL) in early August. That attack resulted in threat actors obtaining around $7 million in cryptocurrencies from around 8,000 cryptocurrency wallets.
The malware is written in the Rust programming language and the source code for the malware was released on hacking forums and GitHub for free in early July, although the code has now been removed from GitHub. The developer of the malware claimed to have written it in around 6 hours and released it for free on hacking forums. Dubbed Luca Stealer by security researchers, the malware is an information stealer that targets Windows systems, but the source code could be ported to operating systems such as macOS and Linux.
Luca Stealer targets information stored in around thirty Chromium-based browsers, including Microsoft Edge, Google Chrome, Comodo, Opera, Brave-Browser, and Vivaldi, and steals credit card information, login credentials, auto-fill information, cookies, and information from browser extensions, including Steam accounts, Discord tokens, Ubisoft Play, Telegram, & Skype.
One of the primary functions of the malware is to steal cryptocurrencies, including funds in cold and hot storage, although an analysis of the malware showed that it lacks a clipper that many information stealers have for hijacking cryptocurrency transactions. It is conceivable that a clipper function could be added to Luca Stealer. In the SOL attack, users had funds drained from their hot wallets, such as Phantom, Slope, and TrustWallet, although the malware has the capability to also steal cryptocurrencies from poorly protected cold storage (physical devices).
Luca Stealer targets browser extensions and the browser add-ons of popular password managers, including LastPass, Dashlane, KeePassXC, EOS Auth, Bitwarden, 1Password, Keeper, RoboForm, NordPass, BrowserPass, MYKI, Splikity, CommonKey, Zoho Vault, Norton, Avira, and Trezor. It searches the %AppData% directory to obtain the preset browser extensions of the password managers and attempts to steal cookies and login information.
The information stolen by Luca Stealer is exfiltrated via Discord webhooks or a Telegram bot, with the latter used for smaller transfers of less than 50MB. The malware will also send back a summary of the information stolen in the attack. It is not unusual for information stealers to target the above information, but Luca Stealer appears to focus on cryptocurrency wallets and password managers.
Since the source code for Luca Stealer is in the public domain, it could be used by multiple threat actors and could be independently developed further to target multiple operating systems and further functionality could be added.
What is not currently clear is how the malware is being distributed, but with multiple threat actors having access to the code, it is reasonable to assume that several different methods of distribution could be used. Defending against attacks requires a range of different measures to be implemented to block the most common attack vectors – phishing, drive-by downloads, vulnerability exploitation, and side installation through fake or pirated software. Mitigations that should be considered include:
- Using cold storage for cryptocurrencies with appropriate security to prevent access to cold storage devices or personal computers
- Ensure multi-factor authentication is configured on all accounts, especially password managers
- Avoid storing passwords in web browsers
- Avoid downloading pirated software or executable files from untrusted sources
- Implement spam filters to block phishing attacks
- Ensure you are running the latest versions of software and operating systems
- Businesses should also consider restricting network traffic from a private host or enclave destined to untrusted networks, especially outbound traffic to Telegram and Discord.
BlackBerry has recently published an analysis of Luca Stealer and has provided IoCs and Yara Rules.