The publications are suspended, except for particular events, from 1 to 21 August. In the meantime, we are preparing some news for the second half of the year.
Yoroi ZLab: cybercrime is spreading a new info-stealer dubbed Poulight: he malware is a .NET executable with likely Russian origin, it has advanced stealing capabilities and continues to evolve
Cybercrime is spreading a new info-stealer dubbed Poulight. It has been denounced by Yoroi ZLab cyber security experts, who monitored the evolution and the diffusion of the malware, that most likely has a Russian origin. The malicious code was first spotted by MalwareBytes researchers in middle March and indicators of compromise have been already shared among the security community. It has advanced stealing capabilities and continues to evolve. Like most of the malware of this specific family, it is generated from a builder available to cyber criminal groups that offer a subscription plan for its “product”. The result is a .NET executable. A peculiarity of this sample is that it does not have a minimal sign of obfuscation. When it’s launched, it performs a classical evasion technique (through the usage of Windows Management Instrumentation, WMI, by executing the query “Select * from Win32_ComputerSystem”).
How the malware works according to the cyber security experts
According to the cyber security experts, the Poulight infection start with a new threat called “Starter”. It contains the routine to load the components of the malware. Before that, there is the inizalitation of some directories and files used to store the gathered information from the victim machine. After that, the info-stealer extracts the configuration file and its parameters from the resource named “String0”. It is a Base64 encoded string. The malicious code also tries to find the id of the mutex, declared inside the relative tag seen in code snippet 2, inside the “%TEMP%” folder. If the file is present, it does not execute itself another time, otherwise it writes this empty file to sign the infection is started. The first instruction is “Information.Start()” where all the information about host hardware and software is collected.It uses both English and Russian languages to log the information gathered.
Which are the information that Poulight steals for cybercrime
Poulight then turns to enumerate and log all the active processes inside the operative system. Furthermore, it performs a check on the third parameter. If it is equal to one, the “clipper” module is executed. The next step is to gathered all the sensitive information on the victim machine. The cybercrime info-stealer steal a huge amount of data: Desktop Snapshot, Sensitive Documents, Webcam snapshot, Filezilla credentials, Pidgin credentials, Discord Credentials, Telegram, Skype, Steam, Cryptocurrencies, and Chrome chronology. Inside of the collected files, the malware looks for the classic keywords indicating that the content of the files conserve some useful credentials. Then it collect all the information inside an unique data structure and send it to the C2.