{"id":89223,"date":"2020-06-22T18:00:19","date_gmt":"2020-06-22T12:30:19","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=89223"},"modified":"2020-06-22T19:50:05","modified_gmt":"2020-06-22T14:20:05","slug":"poulight-info-stealer-might-teaching-play-minecraft","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/poulight-info-stealer-might-teaching-play-minecraft\/","title":{"rendered":"Poulight- An info-stealing trojan might be teaching you how to play Minecraft"},"content":{"rendered":"

Poulight is an info-stealer trojan which most probably originated in Russia. It is written in the .NET and can collect sensitive information and deliver it to cybercriminals. Ever since its first appearance, it has been growing substantially and taking different forms. The main Infection vector remains spear-phishing emails. It was sold in just a handful of dollars so that it was easily accessible to cybercriminals. Their website \u2018poullight[.]ru\u2019 called it \u2018Poulight Stealer\u2019 and boasted it as the best product on the internet.<\/p>\n

\"\"<\/p>\n

Fig1: Official Website of Poulight Stealer<\/h6>\n

Technical Analysis:<\/strong><\/p>\n

It begins with a doc file named \u201cMinecraft how to play guide.docm\u201d, which is a Microsoft word file. This file contains an image of the Minecraft game along with some abusive Russian text.<\/p>\n

\"\"<\/p>\n

Fig 2: Image of the Minecraft game in Microsoft word file.<\/h6>\n

This doc file contains macro, which is executed automatically if macros are enabled. The macro is simple and uses cmd.exe to further execute a PowerShell command to download an additional executable. This executable is saved as mess.exe and executed.<\/p>\n

\"\"<\/p>\n

Fig 3: Extracted macro<\/h6>\n

\"\"<\/p>\n

Fig 4: Network Capture of \u2018mess.exe\u2019 download<\/h6>\n

The \u2018mess.exe\u2019 is a loader for Poulight. It carries two more executable stored in \u2018RCDATA\u2019 resources. The names A1 and A2 in RCDATA contain .exe files and B1 and B2 contain the respective names of those executables.<\/p>\n

\"\"<\/p>\n

Fig 5: \u2018RCDATA\u2019 resource of \u2018mess.exe\u2019.<\/h6>\n

The \u2018mess.exe\u2019, upon execution, drops the executables present in RCDATA to the %tmp% folder and executes them using \u2018ShellExecuteA\u2019.<\/p>\n

\"\"<\/p>\n

Fig 6: Execution using \u2018ShellExecuteA\u2019<\/h6>\n

The two dropped executables into the %tmp% folder are \u2018fakerror.exe’ and \u2018injector (automatic).exe\u2019.<\/p>\n

Here is the complete process flow of Poulight Stealer.<\/p>\n

\"\"<\/p>\n

Fig 7: Process flow of Poulight Stealer<\/h6>\n

The fakerror.exe is a .NET executable and does exactly as the name implies. Its sole purpose is to fake an error message.<\/p>\n

\"\"<\/p>\n

Fig 8: Fake error message.<\/h6>\n

The fake message is in the Turkish language, as shown in the above figure. Relying on google translate, the message means \u2018The Program cannot be started. VM or Windows under update 10 detected\u2019.<\/p>\n

However, It is trying to disguise as if executable did not run when the other executable (\u2018injector(automatic).exe\u2019) was running successfully.<\/p>\n

The next executable \u2018injector(automatic).exe\u2019 is the actual Poulight Stealer. When injector(automatic).exe is run on the target system, one of the first things it does is to check whether it is running on an actual computer or a virtual machine. If a virtual machine activity is detected, the malware is terminated.<\/p>\n

\"\"<\/p>\n

Fig 9: Anti-VM Technique<\/h6>\n

The above function uses classic Windows Management Instrumentation (WMI) through the execution of the query \u201cSelect * from Win32_ComputerSystem\u201d.<\/p>\n

The following are the few checks that are used to detect Virtual Environment and Sandboxing.<\/p>\n

    \n
  • VIRTUAL<\/li>\n
  • vmware<\/li>\n
  • VirtualBox<\/li>\n
  • cmdvrt32.dll (Comodo sandbox)<\/li>\n
  • SxIn.dll (Avast sandbox)<\/li>\n
  • sbiedll.dll (Sandboxie)<\/li>\n
  • Sf2.dll (Avast Sandbox\u201d<\/li>\n
  • snxhk.dll (Avast sandbox)<\/li>\n<\/ul>\n

    \"\"<\/p>\n

    Fig 10: Main module wrapping malicious code<\/h6>\n

    Then the malware creates two random folders in \u2018C:\\Users\\<user>\\AppData\\Local\\<random-8-letters>\u2019 which are used later. Also, the path of folders like Desktop, AppData, Local AppData, and Documents is stored in class variables.<\/p>\n

    \"\"<\/p>\n

    Fig 11: Special Folder creation functions<\/h6>\n

    Then the configuration and parameters are read from the resources. Below is the code responsible for the reading of configuration and parameters. Parameters are store in an array for further use.<\/p>\n

    \"\"<\/p>\n

    Fig 12: Configuration and parameters export function<\/h6>\n

    Below is the figure of decoded configuration and parameters.<\/p>\n

    \"\"<\/p>\n

    Fig 13: Decoded configuration<\/h6>\n

    A check for the presence of a file in %tmp% directory is performed which indicates the pre-existence of the malware. This file is used as a mutex to prevent the re-infection of the same system on which it is already present. Subsequently, the prime function responsible for all information gathering and exfiltration is called. This function is named \u2018Start\u2019 which is present in the \u2018xs\u2019 class. The very first function inside this \u2018Start\u2019 is \u2018Information.AVDetect()\u2019 which is used for as name suggest, detecting any AV product installed. The system information is extracted from the registry. This information includes Username, Machinename, and Processor and Video Controller which can be used for the identification of virtual machines.<\/p>\n

    \"\"<\/p>\n

    Fig 14: Function for retrieving the configuration of the victim machine<\/h6>\n

    This gathered information is stored in one of the two folders generated in Local AppData in a file named \u2018PC-Information.txt\u2019. A list of all running processes is also stored in the same directory in a file named \u2018ProcessList.txt\u2019.<\/p>\n

    \"\"<\/p>\n

    Fig 15: Function for retrieving the configuration of the victim machine<\/h6>\n

    After gathering of system info, now it starts stealing of sensitive data from various programs actively. Below is the list of capabilities of malware to steal data from infected systems.<\/p>\n

      \n
    • Desktop Capture<\/li>\n
    • Webcam Capture<\/li>\n
    • Sensitive Documents<\/li>\n
    • Filezilla Credentials<\/li>\n
    • Social media apps Info<\/li>\n
    • CryptoCurrencies Info<\/li>\n
    • Browser info<\/li>\n
    • Clipboard data<\/li>\n<\/ul>\n

      \"\"<\/p>\n

      Fig 16: All functions responsible for stealing sensitive data<\/h6>\n

      The DesktopImg.Start() function takes a screenshot of active desktop on system. Webcam.start() captures a webcam picture.<\/p>\n

      \"\"<\/p>\n

      Fig 17: Function for taking a screenshot of the active desktop on the victim machine<\/h6>\n

      The DFiles class is interesting as it carries the extension list of sensitive documents to steal data.<\/p>\n

      \"\"<\/p>\n

      Fig 18: Function for searching the files with the specific extensions<\/h6>\n

      Files collected having these extensions are searched for common words for storing credentials like password and login.<\/p>\n

      \"\"<\/p>\n

      Fig 19: List of common words searched inside the documents<\/h6>\n

      The search() function hunts all browsers and there login data paths using string_0() and BrowList2() functions.<\/p>\n

      \"\"<\/p>\n

      Fig 20: function for hunting all browsers and there login data paths<\/h6>\n

      \"\"<\/p>\n

      Fig 21: Functions containing all browsers and there login data paths<\/h6>\n

      All the scraped information is stored inside of the previous Local AppData directory. Below is the massive amount of sensitive data that the stealer has captured.<\/p>\n

      \"\"<\/p>\n

      Fig 22: Folder containing all stolen data<\/h6>\n

      All this information is zipped together in a new file in the AppData roaming directory.<\/p>\n

      \"\"<\/p>\n

      Fig 23: Path for zipped information<\/h6>\n

      This zip file along with the other collected information is stored in a unique data structure.<\/p>\n

      This collected data is then uploaded to URL \u2018https:\/\/f0429164[.]xsph.run\/Panel\/gate.php\u2019.<\/p>\n

      \"\"<\/p>\n

      Fig 24: Function to upload to the URL the stolen information<\/h6>\n

      After successful uploading of data, there is a provision to download an additional payload from the below URL \u2018https:\/\/ru-uid-507352920[.]pp.ru\/example.exe\u2019. It can also be used for the self-update.<\/p>\n

      \"\"<\/p>\n

      Fig 25: Additional payload used for the self-update<\/h6>\n

      Quick Heal detects all the malicious components of this malware. The main \u2018injector(automatic).exe\u2019 i.e poulight.exe detected as \u201cTrojan.Stealer.S12567177\u201d.<\/p>\n

      \"\"<\/p>\n

      Fig 26: Detection of injector(automatic).exe (poulight.exe )<\/h6>\n

       <\/p>\n

       <\/p>\n

      \n
      \n
      \n
      \n
      \n
      \n
      Poulight stealer has an unimaginable ability to steal sensitive information. Infostealer market is one of the most gainful for cybercriminals. Information collected from infected systems could be resold in the cybercrime underground or used for the credential filling attack. In the future, it has the potential to become a sophisticated and infamous stealer looking at the rate of growth. However, for now, it lacks the obfuscation and any novelty in its code. No matter which road it takes, we will be monitoring it.<\/div>\n<\/div>\n
      \n

      IOCs:<\/strong><\/p>\n

      Filename:<\/strong> minecraft how to play guide.docm\u00a0 MD5:<\/strong> 7FBC52BB2BCE064A51D671C8CA20FB1E<\/p>\n

      Filename:<\/strong> injector(automatic).exe (Poulight.exe) MD5<\/strong>: 8E855BCB97E9D1DCB2C79C580DCA7F2D<\/p>\n

      Filename:<\/strong> Mess.exe (ET3.exe) MD5:<\/strong> 58386adaea3b5e737144388e6607d8a5<\/p>\n

      Filename:<\/strong> fakerror.exe\u00a0MD5<\/strong>: 3F4BC3D0287D911603691767C5D372FA<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

      \u200b<\/div>\n
      \n
      \n
      \n
      \n
      \n
      Subject Matter Expert <\/strong><\/div>\n
      Akshay Gaikwad | Rahul Sharma | Quick Heal Security Labs<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

      Poulight is an info-stealer trojan which most probably originated in Russia. It is written in the .NET and can collect sensitive information and deliver it to cybercriminals. Ever since its first appearance, it has been growing substantially and taking different forms. The main Infection vector remains spear-phishing emails. It was sold in just a handful […]<\/p>\n","protected":false},"author":80,"featured_media":89251,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-89223","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89223"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/80"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89223"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89223\/revisions"}],"predecessor-version":[{"id":89255,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89223\/revisions\/89255"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/89251"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}