New Stealer Being Sold Via MaaS Model
Cyble Research Labs has been actively monitoring various Stealers and blogging about them to keep our readers aware and informed. Recently, we came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”
LOLI Stealer is an Info Stealer that steals sensitive information such as passwords, cookies, screenshots, etc., and exfiltrates this data from the victim’s machine.
LOLI Stealer initially surfaced on cybercrime forums around June 2022. The post made by the TA on a cybercrime forum is shown below.
The figure below shows one of TA’s advertisements in a cybercrime forum.
The TA sells this stealer for fairly low prices, as listed below:
- 499 rubles (~9USD) – a month
- 799 rubles (~14USD) – 2 months
- 1499 rubles (~25USD) – lifetime + universal sorter as a gift
Additionally, the TA has claimed that the stealer has the following features in their post:
- Stealing passwords, cookies, histories, etc. from a huge number of browsers based on Gecko/Chromium
- Gathering wallet information from 10 cryptocurrency wallets,
- Extracting session data from the Telegram and Steam applications.
The below figure shows the post made by the TA on a cybercrime forum.
Through the course of our research, we have identified over 20 different samples related to LOLI malware since June 2022, indicating that the malware has been actively deployed in recent weeks.
The below figure shows the LOLI stealer’s active C&C panel.
Technical Analysis
We have taken the below sample hash for our analysis: (SHA256), 595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec, which is a 64-bit executable file packed with UPX.
After conducting a string analysis of the unpacked UPX file, we confirmed that the file is a Golang binary. The unique build ID of the Go compiled binary is shown below.
Upon executing the malware file, it attempts to identify if the file is running in a WINE environment by checking the wine_get_version() function via the theGetProcAddress() API.
Then, the malware creates a new folder with a random name at the %homepath% location, as shown in Figure7. The malware will use this newly created random folder to store stolen information such as passwords, crypto wallets, etc.
After this, the stealer starts extracting crypto wallet information by querying and reading files from the below-mentioned directories and saves them under a subfolder named “Wallets,” which is created inside the random folder in the %homepath% location.
Below is the list of crypto wallets accessed by the stealer:
- “\\AppData\\Roaming/Zcash/”
- “\\AppData\\Roaming/Armory/”
- “\\AppData\\Roaming/bytecoin/”
- “\\AppData\\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\”
- “\\AppData\\Roaming\\Ethereum\\keystore\\”
- “\\AppData\\Roaming\\Electrum\\wallets\\”
- “\\AppData\\Roaming\\atomic\\Local Storage\\leveldb\\”
- “\\AppData\\Roaming\\Guarda\\Local Storage\\leveldb\\”
- “\\AppData\\Roaming\\Coinomi\\Coinomi\\wallets\\”
- \\AppData\\Roaming\\Exodus\\Local Storage\\leveldb\\
The below figure shows that the malware accesses one of the crypto wallets named “Ethereum” to extract wallet information.
After extracting the cryptocurrency wallet details, the malware queries installed browser directories in the victim’s machine and searches for the below browser-related files stored in the “SQLite format 3”:
- Cookies
- Passwords
- History
- Autofill
- Shortcuts
- Bookmarks
After identifying the files, the malware creates new subfolders with the browser name under the previously created random folder (Refer to Figure 7) and stores the stolen files, as shown below.
Additionally, if the Telegram and Steam applications are installed on the victim’s machine, the stealer searches the config files and other session data files and stores them under “Telegram” and “Steam” folders, respectively.
The below image shows the malware accessing the Telegram Desktop directory to extract the config file details.
Then, the stealer grabs all text files from the “Desktop” folder and stores them under the “Grab Files” folder. It also takes a screenshot of the victim’s machine using the BitBlt() API function from the Gdi32.dll library and saves it with the name “WebStealer.png.”
The API function used by the stealer to take a screenshot of the victim’s machine is shown below.
The malware then starts processing the “SQLite format 3” browser-related files, extracts sensitive information, and stores it in a text file, as shown in Figure 12.
The malware specifically extracts the passwords from all browsers’ “Password” files and saves them to a new file, “Passwords.txt.”
The figure below shows how the stealer extracts the victim’s browser history from the SQLite format 3 file.
After collecting all the information, the stealer creates a ZIP archive out of the stolen files for exfiltration.
Initially, it converts the zip archive into Base64 format and then adds the below header information before the Base64-encoded text.
| PassworldX | No.of passwords collected |
| chatID | Chat ID |
| coockiesX | No.of cookies collected |
| Grabfiles | Status of files grabbed (Yes or No) |
| Tgstat | Status of Telegram data collected (Yes or No) |
| Wallets | Status of crypto wallet data collected (Yes or No) |
| Zipx | Base64 text of ZIP file which contains stolen data |
Then, the stealer sends the Base64-encoded ZIP file along with the count and status of the stolen data to the below URL:
- hxxp[:]//webStealer[.]ru/gate[.]php.
The below figure shows the code snippet used by the stealer for sending the stolen information to its C&C server (shown above).
The below figure shows the network communication of the malware’s data exfiltration.
After exfiltration, the stealer deletes all the collected files from the folder previously created by the malware using the DeleteFileW() API function, as shown below.
Conclusion
Loli Stealer is a relatively recent Infostealer strain. Though there are well-known and highly-used stealers in cybercrime marketplaces, TAs often choose to adopt new toolkits that help them update their Tactics, Techniques, and Procedures. Info Stealers are a growing concern as they assist TAs in gaining initial access, which can help them compromise corporate networks.
Cyble has observed several data breaches in high-profile organizations due to TAs gaining initial access through such malware. Organizations and individuals should thus continue to follow industry-standard cybersecurity practices to secure themselves and their firms.
Our Recommendations
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| 2Defense Evasion | T1497 T1027 | Virtualization/Sandbox Evasion Software Packing |
| Discovery | T1518 T1082 | File and Directory Discovery System Information Discovery |
| Credential Access | T1552 | Credentials In Files |
| Collection | T1005 T1560 T1113 | Data from Local System Archive Collected Data Screen Capture |
| CNC | T1071 | Application Layer Protocol |
Indicator Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 09e7df1b7af441df97311eb490cf6253 71542eba588e5500118a46e6918f6b19f9e69b66 595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec | MD5 SHA1 Sha256 | DsMicrosoft_Launcher.exe |
| hxxp[:]//webStealer[.]ru/gate[.]php | URL | C&C |
