Poulight Stealer, a new Comprehensive Stealer from Russia

Researchers from Cybaze-Yoroi ZLab monitored the evolution and the diffusion of an infostealer dubbed Poulight that most likely has a Russian origin.

Introduction

Nowadays, info-stealer is one of the most common threats. This category of malware includes famous malware like Azorult, Agent Tesla, and Hawkeye. Infostealer market is one of the most remunerative for cyber criminals, information gathered from infected systems could be resold in the cybercrime underground or used for credential stuffing attacks.

Over the last two months, we monitored the evolution and the diffusion of an infostealer dubbed by the authors Poulight that most likely has a Russian origin.

Figure 1: C2 Panel of the Poulight infostealer

Poulight was first spotted by MalwareBytes researchers in middle March and indicators of compromise have been already shared among  the security community. The malicious code has advanced stealing capabilities and continues to evolve.

Technical Analysis

Table 1. Sample information

Like most of the malware of this specific family, it is generated from a builder available to cyber criminal groups that offer a subscription plan for its “product”. The result is a .NET executable:

Figure 2: Static information about the binary file

A peculiarity of this sample is that it does not have a minimal sign of obfuscation, the analysis is quite easy, so describe the malware capabilities. When the malware is launched, it performs a classical evasion technique (as shown in Fig.3):

Figure 3: Evasion Technique

The implemented evasion technique is one of the most classic ones, where, through the usage of Windows Management Instrumentation (WMI) by executing the query “Select * from Win32_ComputerSystem”. In particular, in this way, some checks of the most relevant tracks of virtualization are provided, like:

• “vmware”
• “VIRTUAL” 
• “VirtualBox”
• “sbiedll.dll” (Sandboxie)
• “snxhk.dll” (Avast sandbox)
• “SxIn.dll” (Avast sandbox)
• “Sf2.dll” (Avast Sandbox”

These checks are also listed from the Al-Khaser or Pafish tools which are intended to be a test suite to detect malware analysis environments and designed to test the strength of the sandboxes.

Then, the malware is able to proceed with the infection starting a new threat called “Starter”.

Figure 4: Loader module of the malware

The “Starter” class contains the routine to load the components of the malware. Before that, there is the inizalitation of some directories and files used to store the gathered information from the victim machine. This action is performed by the first instruction “global::Buffer.Start()”. The method is quite simple: a series of folders were created inside Windows Special folders (AppData, Local AppData, Personal, Desktop) in this way:

Figure 5: Creation of folders in the Windows Special Folders

After that, the malware extracts the configuration file and its parameters from the resource named “String0”. It is a Base64 encoded string and through the following method are then decoded:

Figure 6: Routine to extract the configuration file

Instead, the content of the configuration file is shown in below figure:

Code snippet 1

Decoding the Base64 string we obtain a list parameters coming from the builder. The result is:

Code snippet 2

The first information tag “prog.params” is immediately retrieved in the instruction “HandlerParams.Start()” seen in Figure 4. Now, a check of a previous infection is performed before starting a new one. The instruction “AntiReplaySender.CheckReplayStart()” (in figure 4) is delegated to do that. 

Figure 7: Check of a previous infection

The malware tries to find the id of the mutex, declared inside the relative tag seen in code snippet 2, inside the “%TEMP%” folder. If the file is present, the malware does not execute itself another time, otherwise it writes this empty file to sign the infection is started. After that, we turn into the actual malicious main contained inside the “XS” class , as seen in the figure 4. The first piece of the code is the following: 

Figure 8: Initialization of the mail module

The first instruction is “Information.Start()” where all the information about the hardware and software of the host is collected in this way:

Figure 9: Routine for retrieving the configuration of the victim machine

We can notice that the malware uses both English and Russian languages to log the information gathered. After that, the stealer turns to enumerate and log all the active processes inside the operative system.

Figure 10: Routine to extract the process list

Now, as seen in the figure 8, a check on the third parameter is performed. If it is equal to one, the “clipper” module is executed.

Figure 11: Routine to decrypt and execute an embedded component

As show in the above figure, this code is able to decrypt a component contained inside the “clbase” tag with the AES key stored inside the “cpdata” tag. However, in the specific configuration there is no “clbase” field, so we don’t have any other component to install. The last instruction seen in Figure 8 is “CBoard.Start”, which works in the following way:

Figure 12: Routine to steal the clipboard data

The next step is to gathered all the sensitive information on the victim machine:

Figure 14: Stat of the stealing modules

The malware steal a huge amount of data:

• Desktop Snapshot
• Sensitive Documents
• Webcam snapshot
• Filezilla credentials
• Pidgin credentials
• Discord Credentials
• Telegram
• Skype 
• Steam
• Crypto Currencies
• Chrome chronology

The most interesting part is the module “DFiles” instructed to steal the sensitive documents. It starts with searching files with one of the following extensions:

Figure 15: Routine for search the files with the specific extensions

Inside of the collected files, the malware looks for the classic keywords indicating that the content of the files conserve some useful credentials. The keywords are the following:   

Figure 16: List of keywords searched inside the documents 

Then the malware collect all the information inside an unique data structure and send it to the C2 retrieved in another resource named “connect”:

Figure 17: Routine to upload to the C2 the stolen information

In the end, it downloads and executes other components from the Internet. The parameters are retrieved in the same way seen in the previous section: a tag named “ulfile” contains the component to download.

Figure 18: Routine to download other components from Internet

Conclusion

Poulight stealer has an incredible potential to steal sensitive information. It is not excluded that in the future it might replace other info stealers like Agent Tesla, remcos ecc. However, the limitation of the implant is the lack of code obfuscation and data protection, but this could be explained due the fact that, maybe, the malware is in the early stages of development. The crooks probably will enhance these features, but at the same time, we’ll continue to keep track of them!

Additional technical details, including Indicators of Compromise (IoCs) and Yara rules, are available here:

Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

Pierluigi Paganini

(SecurityAffairs – Facebook, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On