
Luca Stealer

Written by PolySwarm Team | Aug 8, 2022 7:41:00 PM



Executive Summary

Cyble recently reported on Luca Stealer, a Rust-based information stealer targeting Windows.

Key Takeaways

  • Luca Stealer is written in Rust and targets Windows systems.
  • Its source code was leaked on a cybercrime forum and was later posted to GitHub.
  • Luca Stealer targets a variety of browsers, chat applications, password managers, crypto wallets, and gaming applications.
What is Luca Stealer?
Luca Stealer is an information stealer written in Rust that targets Windows systems. Its source code was leaked in early July 2022 on a popular cybercrime forum. Cyble assessed that the threat actor behind Luca Stealer leaked the source code intentionally, to build a reputation, and later posted it on GitHub as well. The developer also offered guidance on modifying the stealer and compiling the source to produce custom-tailored builds. Cyble noted that multiple threat actors appear to have contributed to the malware's development. At the time of Cyble's analysis, Luca Stealer had been updated three times, with several functions added, and Cyble had observed more than 25 samples in the wild.

Luca Stealer targets Chromium-based browsers, chat applications, password managers, crypto wallets, and gaming applications and is capable of stealing a victim’s files. It originally used a Telegram bot to exfiltrate stolen data but was later modified to use Discord due to file upload limitations with Telegram. Applications targeted by Luca Stealer include the following:
  • Edge
  • Chromium
  • 7star
  • Amigo
  • Breave
  • Centbrowser
  • Chedot
  • Chrome_canary
  • Coccoc
  • Dragon
  • Elements-browser
  • Epic-privacy-browser
  • Chrome
  • Kometa
  • Orbitum
  • Sputnik
  • Torchne
  • Ucozmedia
  • Vivaldi
  • Atom-mailru
  • Operane
  • Opera
  • ChromePlus
  • Iridium
  • Fenrir-inc
  • Catalinagroup
  • Coowoo
  • Liebao
  • Qip-surf
  • 360browser
  • EOS Authenticator
  • Bitwarden
  • KeePassXC
  • Dashlane
  • 1Password
  • NordPass
  • Keeper
  • RoboForm
  • LastPass
  • BrowserPAss
  • MYKI
  • Splikity
  • CommonKey
  • Zoho Vault
  • Norton Password Manager
  • Avira Password Manager
  • Trezor Password Manager
  • Coin98
  • iWallet
  • Wombat
  • MEW CX
  • NeoLine
  • Terra Station
  • Keplr
  • Sollet
  • ICONex
  • KHC
  • TezBox
  • Byone
  • OneKey
  • DAppPlay
  • MetaMask
  • TronLink
  • BitClip
  • Steem Keychain
  • Nash Extension
  • Hycon Lite Client
  • ZilPay
  • Leaf Wallet
  • Cyano Wallet
  • Cyano Wallet Pro
  • Nabox Wallet
  • Polymesh Wallet
  • Nifty Wallet
  • Liquality Wallet
  • EQUAL Wallet
  • BitApp Wallet
  • Auro Wallet
  • Saturn Wallet
  • Ronin Wallet
  • Math Wallet
  • Coinbase Wallet
  • Clover Wallet
  • Yoroi
  • Guarda
  • BinanceChain
  • Skype
  • ICQ
  • Telegram
  • Element
  • Steam
  • Discord
  • Uplay
Luca Stealer is capable of taking system screenshots and gathering multiple types of information. This information includes but is not limited to the victim’s geolocation, IP, memory size, network interface, username, desktop environment, device name, operating system, hostname, preferred language, list of running processes, login credentials, crypto wallet information, credit card information, and browser cookies.

Cyble notes that Rust is becoming a language of choice for malware developers because of its versatility, its ability to evade detection, and anti-analysis characteristics that make reverse engineering more difficult. Because Luca Stealer's source code is now publicly available, Cyble assesses a high likelihood that functionality will continue to be added and that multiple threat actors will use the malware.

IOCs

PolySwarm has multiple samples of Luca Stealer.

2e9a2e5098bf7140b2279fb2825ea77af576f36a93f36cad7938f4588d234d3a

4029583855e92b84363f6609bd578bd1b4bafb3aae479f0dbf4da2e15ce569f2


You can use the following CLI command to search for all Luca Stealer samples in our portal:

$ polyswarm link list -f Lucastealer
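For readers who want to check their own file shares or quarantine folders against the hashes above rather than (or in addition to) searching the PolySwarm portal, the following is an added example, not PolySwarm's or Cyble's code. It extracts SHA-256 values from an IOC text block (the page's own two hashes are embedded inline), hashes every regular file under a directory in fixed-size chunks, and reports matches. The demonstration directory, the benign file, and the "updater.exe" stand-in for a sample are constructed for the example; its hash is added to the IOC set only because a real sample cannot be embedded here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IOC text copied from the post above; any 64-hex-character token is treated as a SHA-256.
IOC_TEXT = """
PolySwarm has multiple samples of Luca Stealer.
2e9a2e5098bf7140b2279fb2825ea77af576f36a93f36cad7938f4588d234d3a
4029583855e92b84363f6609bd578bd1b4bafb3aae479f0dbf4da2e15ce569f2
"""

_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_ioc_list(text):
    """Return the set of lower-cased SHA-256 strings found anywhere in text."""
    return {m.group(0).lower() for m in _SHA256_RE.finditer(text)}


LUCA_STEALER_SHA256 = parse_ioc_list(IOC_TEXT)


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs=LUCA_STEALER_SHA256):
    """Return {path: sha256} for every regular file under root whose hash is in iocs.

    Unreadable files (permission errors, files that vanish mid-scan) are skipped
    rather than aborting the whole scan.
    """
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_of_file(p)
        except OSError:
            continue
        if digest in iocs:
            hits[str(p)] = digest
    return hits


def demo_scan():
    """Constructed demonstration on a throwaway directory.

    Returns ({file name: sha256} of hits, sha256 of the stand-in sample).
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"quarterly report draft (constructed benign file)")
        suspect = Path(tmp) / "updater.exe"
        suspect.write_bytes(b"constructed stand-in for a Luca Stealer binary")
        suspect_digest = sha256_of_file(suspect)
        # Extend the page's IOC set with the stand-in's hash for the demonstration only.
        iocs = LUCA_STEALER_SHA256 | {suspect_digest}
        hits = scan_directory(tmp, iocs)
        return {Path(k).name: v for k, v in hits.items()}, suspect_digest


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        hits, _ = demo_scan()
    else:
        hits = scan_directory(target)
    for path, digest in sorted(hits.items()):
        print(f"MATCH {digest}  {path}")
    if not hits:
        print("no matches")
```

Run it with a directory argument to scan that tree against the two hashes from this post; with no argument it runs the constructed demonstration. Hash matching only catches the exact samples listed here; since the source is public and recompiled builds will have different hashes, treat this as a quick triage check rather than a substitute for behavioural detection.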
