CyberWire Daily - Exploring the mechanics of Infostealer malware. [Research Saturday]
Episode Date: June 15, 2024
This week, we are joined by a Security Researcher from SpyCloud Labs, James, who is discussing their work on "Unpacking Infostealer Malware: What we've learned from reverse engineering LummaC2 and Atomic macOS Stealer." Infostealer malware has become highly prevalent, with SpyCloud tracking over 50 families and finding that 1 in 5 digital identities are at risk. This research analyzes the workings and intentions behind infostealers like LummaC2 and Atomic macOS Stealer, focusing on the types of data extracted and the broader security implications. The research can be found here:
Reversing LummaC2 4.0: Updates, Bug Fixes
Reversing Atomic macOS Stealer: Binaries, Backdoors & Browser Theft
How the Threat Actors at SpaxMedia Distribute Malware Globally
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
And now a word from our sponsor, SpyCloud, the leader in operationalizing cybercrime analytics.
Traditional threat intelligence is a thing of the past.
Cyber criminals are stealing vast amounts of credentials, session cookies,
and financial data every day,
and it's hard to keep up.
SpyCloud is the trusted partner
businesses turn to to fully understand
their darknet exposure risk
and neutralize threats before it's too late.
SpyCloud alerts your organization
as soon as an employee or customer's data
appears on the darknet,
so you can act faster than bad actors to prevent cyber attacks like ransomware,
session hijacking, account takeover, and online fraud. With insights from the industry's largest
repository of recaptured data, protect the digital identities and systems most important
to your business. Get your free corporate dark net exposure report at spycloud.com slash cyberwire and see what
information criminals have in their hands today.
That's spycloud.com slash cyberwire.
hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Today I'm speaking with a security researcher from SpyCloud Labs, who prefers we simply call them James. We're discussing unpacking InfoStealer malware,
what we've learned from reverse engineering Luma C2
and Atomic macOS Stealer.
I mean, so the name kind of gives it away a little bit.
The full name of the stealer is infostealer, information stealer,
and their entire purpose is to steal information. They attempt to infect a
victim, and once they're on a victim system, they will steal credentials. They will steal files that
exist on the system that might be interesting to the malware author or person running the malware.
They'll also steal emails. If you have emails on your system, they will steal two-factor authentication secrets,
which is also technically still a file. In the case of
Atomic Stealer, they'll steal your keychain, which has all of your passwords
on it, or in it. Their entire goal is
to get onto your system and steal everything that would be interesting to somebody
who is running the malware.
And then once they're there,
they will exfiltrate that information
and send it to the malware author.
Some InfoStealers will also then load additional malware.
Like AtomicStealer has the ability to load
a Trojanized or an infected Ledger Live application.
And this Ledger Live application, which is a wallet, a crypto wallet.
So this infected crypto wallet will actually steal your seed phrases.
If you have Ledger Live and you're infected with this,
it'll steal your seed phrase when you put it in,
which is very important for managing crypto coins.
Other malware like Luma has the ability to just load whatever malware
the people who are running the malware specify,
which is actually a very common feature of InfoStealers.
They will act kind of as a loader malware.
But yes, that's kind of just a high-level rundown of InfoStealers.
Well, I mean, for these two that we're talking about today, Luma and Atomic on macOS,
what was it that brought these to your attention?
Here at SpyCloud, we get a lot of logs from malware.
And we see a lot of Luma and we see a lot of Atomic Stealer.
And so we were very interested in looking at these malware families to see if we could
determine how these families behave so that defenders
can better protect against them so that maybe we can hopefully see a little bit less logs.
Well, let's dig in together. Do we want to go
through both of them as a group or does it make sense to do them one at a time?
Either or. We could do both as a group.
One at a time also works, because
one is macOS and one is Windows.
Okay. Well, let's go
through them one at a time here.
Why don't we start on the macOS
side here. Tell me about
Atomic.
It's pretty interesting, because
at least when I
was first getting started in computers, you always heard the claim, like, you would never get a malware or a virus on an Apple device, which was like a very old claim.
But Atomic Stealer is malware designed for macOS.
means that the authors who write Atomic Stealer sell Atomic Stealer, like access to the Atomic Stealer malware panel to anybody who wants to purchase it for a monthly fee. They sell it for
a very hefty fee of between $500 and $1,000 per month, which is pretty expensive for malware.
But this gives people who want to run Atomic Stealer access to the panel and they can create builds of Atomic
Stealer, which is essentially the generated malware that they can then infect victims with.
The authors who make Atomic Stealer might be running Atomic Stealer. They're not the only
people running Atomic Stealer. There's lots and lots and lots of people running Atomic Stealer.
And so when we found Atomic Stealer, we were looking at something that we call cybercrime enablement services, which is like pay-per-install networks like Spax Media or Install Bank, which we covered in a different blog. If you've ever downloaded a mod for a game or cracked software, I know we're not supposed to download cracked software, or free software on a website, and you've seen those download buttons on those websites, I can
confirm that those download buttons are 100% malicious. They result in various different kinds of malware,
but if you're running Mac, almost 100% of the time,
it is Atomic Stealer.
But so when we were looking at the cybercrime enablement services,
we found Atomic Stealer samples,
and so we started looking at those Atomic Stealer samples
to figure out how Atomic Stealer functions
so that defenders could better protect their environments.
And looking at Atomic Stealer was super interesting, because we were able to find samples that were very old and then
samples that were very new. And Atomic Stealer is one of the only malware... I don't want to say one of
the only malware families that's ever done this, but it's one of the few families that I've ever looked at that I would say has ever gone backwards in its development cycle.
When I was looking at, we actually mentioned this in the blog, but when I was looking at
Atomic Stealer, when they did their exfiltration in older samples, they had a very sneaky method
where they would generate a zip file in memory and then exfiltrate without ever writing
anything to the disk. And that's very sneaky because it makes it very hard for defenders
to identify that. However, in newer versions of Atomic Stealer, they write everything to the disk
and it makes it very easy for defenders to identify it. I've never seen a malware go backwards in
development cycles like that,
but
it was just a very interesting
development. As we noted on our
write-up, though, we think that maybe Apple
internal security might have had
a detection for writing
a zip in memory, so that might have been
why they went backwards.
It was just very interesting in their
development cycles that they
essentially went backwards
in their development.
But as to how Atomic Stealer
actually functions, it steals
a variety of
browsers, it steals a variety of crypto
wallets, it has a very large
list of extensions, and
there's more than 50 extensions in this list of extensions that it steals from.
What's most noteworthy to you in terms of the things that it'll target?
Most of these are crypto wallets.
A large portion of these are crypto wallets.
So it's really looking for crypto wallets to steal crypto coins from.
I see. That seems to be what it is
solely focusing on.
I see
MetaMask, I see
Tron Wallet,
I see Starcoin, I see a ton
of crypto wallets.
It has a file grabber,
which is very typical for
infostealers, but for this one, it only
targets a very select few files.
It targets .txt files, document files, RTF files, wallet files,
and anything that has a .key or .keys file.
So if you're storing your passwords on your computer in raw text,
which you never should be doing, don't store it as .key or .keys files.
So in terms of the functionality here on the Mac side,
I mean, how does it go about staying stealthy
and avoiding detection?
To be honest, in my opinion, it seems very loud.
Like when it makes its exfiltration folder,
it writes all of the files to disk.
So when I have done threat hunting, I've only done threat hunting in Windows environments.
So I don't know what Mac detection environments look like.
So I don't know if this is...
From a Windows detection perspective, this looks like very loud behavior to me.
But from a Mac detection perspective, this could be very hard behavior to detect.
I just don't know what it looks like from that perspective.
Yeah, that's fair.
Well, let's switch over to Luma then.
I mean, what's going on on that side of things?
So Luma is very interesting.
Like a lot of other Windows malware,
it has a dynamic config, which is
something that Atomic Stealer did not have.
But so Luma, like a lot of other
Windows families,
has a dynamic config, and
what actually impressed me was how
dynamic their config was.
Luma works very similarly to all other stealers
in that they steal browsers, they steal
extensions, they steal files. But what's also
interesting is that Luma has hard-coded email theft,
but you can also specify additional email theft
in their modular config, which is very interesting to me because you can steal pretty much any email client that exists on a system with Luma.
theft, they are able to actually steal Authy's two-factor authentication secrets,
which was another interesting inclusion, because for a while
we saw them attempting to steal Authy's authentication secrets, but not
actually succeeding in it. So it shows that
not only are they developing their malware, but they're also testing their malware in environments
and actively trying to make their malware better.
And it shows that their development team is pretty advanced.
But yeah, they also have a couple of interesting features
in their configuration too,
such as the ability to change whether or not it takes a screenshot
and to change whether or not it deletes itself from the computer
and to change whether or not it does a language check
which I would think you would want the language check to be on every single time,
because the language check checks whether or not it can run in Russia, Uzbekistan, or Azerbaijan.
Anything in those language sets,
or the three language sets, it can't run in.
So you'd think that would want to be on every single time,
but you can actually disable it within their config.
It's interesting to me that users of these,
the people who are paying this monthly fee,
it seems to me like they can really dial in
depending on what they're interested in.
You know, like you pointed out,
Atomic seems to be focused on crypto.
But if I were someone who was interested in,
you know, email compromise,
I could be dialing these in to help me with that.
You know, it's like a Swiss Army knife for whatever information you want to access on someone's system.
Is that an accurate perception on my part?
Yeah, that's a very accurate perception, especially with Luma C2.
And really any InfoStealer that has dynamic configuration modification, and that is a lot
of stealers.
Luma is not like a... I don't want to highlight Luma as
a unique stealer that everybody should
purchase. A lot of InfoStealers
these days have dynamic
config creation where
people who are purchasing the InfoStealers
can modify what they particularly
want to steal so that it's custom for them.
So say that they're targeting a government worker, and the government worker is not going to have a crypto
wallet, they're not going to have Steam, they're not going to have
Telegram, but they are going to have email, they are going to have these very particular document files that they want to target. They can customize the config to only look for those
particular things and ignore everything else so that it's not wasting computer cycles looking for
these documents and these files that don't exist. Because if you're wasting computer cycles, you're
going to get detected earlier.
Mm-hmm. Mm-hmm.
In terms of organizations best protecting themselves against this,
what are your recommendations?
I mean, obviously, we said earlier, don't download cracked software.
But beyond that, what are best practices here?
It's hard because it comes from a lot of different sources. Because there's the email side to worry about.
You have to worry about phishing.
You have to worry about cracked software.
So it requires more than just one solution fixes all.
I think it requires user education.
And it's not just user education at work, like user education at your job.
Because what we've learned is that a lot of
compromises at work environments end up taking place with people's personal devices. So I think
that there needs to be, I know there's already a ton of user education, but like more thorough
user education about like, hey, if you are working at, say that you're working at like a financial
job, you have now taken on the risks of the financial job in your personal life.
You could be targeted in your personal life more heavily
than somebody who is working at a non-financial institution.
Because financial institutions are targeted heavily.
Those are very good targets for cybercriminals.
And so I think that there's not going to be a very simple solution,
but more education on identifying threats,
identifying what a suspicious download looks like,
making sure that people stay updated, of course,
like keeping up on updates and software so that you can't have compromises. But unfortunately, there's
not just a simple solution, one solution fits all, but I
wish there was.
Yeah. I mean, are these the types of things that typically antivirus would detect?
Sometimes they do get detected
by antivirus, especially if somebody's
running an older version of the malware.
But because these are malware
as a service providers, one of their
business goals is to provide malware
that is clean and can't be detected
by antivirus.
So they are
actively working to make sure that their
malware is not detected. So you can't always
rely on antivirus to detect the malware,
especially if it's a very fresh build.
Every so often, people will slip through.
What about persistence here?
I mean, are they trying to kind of get in and out with a quick hit,
or are they working hard to stay on that system?
It's very much an in and out with a quick hit.
Atomic Stealer does not do any form of persistence.
Luma has, as far as I've seen,
Luma doesn't really have persistence.
Luma has the option to not delete itself,
but the persistence is based on the installation,
so how it was installed.
So if it was installed by something
that didn't install persistence,
then it's not
going to have any persistence. So a lot of these are just, what I have seen are just smash and grab,
like the person installs something, it steals it, and then it's gone.
Yeah. You know, I'm curious,
before I let you go, for you and your colleagues there at SpyCloud, when you take on the task of
reverse engineering something like this, could you kind of walk us through
that process? I think a lot of our listeners would be interested to hear
how you approach something like this.
So I have kind of a different approach than a lot of different analysts
because I do static analysis
and reverse engineering in a debugger and a disassembler,
whereas a lot of analysts might use a sandbox.
So if I can do the analysis without having to use a debugger,
I'll just use the disassembler.
I'm pretty adept with reading assembly.
I actually prefer it over decompilation into C.
So I'll just throw the binary into my disassembler
and I'll read it in assembly and I analyze it that way,
which I've been told is a unique way of analyzing.
I would consider it a bit of a superpower. But for other samples,
if it has like obfuscation
or if the strings are encrypted or something like that
I'll have the sample in a debugger
and then I'll have the sample in the disassembler
and I'll step through it in the debugger and in the disassembler
and that's the same for Windows, that's the same for Mac
for Mac it took a little bit to get my
analysis environment set up
because Mac does not
really want you analyzing
malware, at least
not on a non-Mac system. So I had to
figure out how to set it up.
But once you get
everything set up, it works the same.
There's unfortunately not as many
debuggers for Mac as there are
for Windows, but that's just because
not a whole lot of people do
reverse engineering on Mac, but I used
Hopper and it worked really well.
So plus one
to Hopper. IDA also works on
Mac, of course, but it's very expensive.
But, you know.
So help me understand
the scale of this.
I mean, how this compares to some of the other problems
that we have out there.
Where does this rate in the universe of malware
that we need to consider?
Looking at our data and looking at the logs
that we have collected
and also just looking at stats that we have collected
over time from
different malware families, we see
large amounts of
infections daily from sources
that aren't email,
that are just users
clicking on crack software, users
clicking on mod links,
somebody's looking for
VSTs for their
audio software and they accidentally download something malicious.
And these are astronomical numbers.
I'm talking like hundreds of thousands of infections per day was one of the families that I saw that was pulling those numbers.
And so these are large threats to the average user.
And the average user also works for corporate companies.
Everything that targets the average user also ends up hitting everybody.
If you work for government, if you work for a company, if you work for a mom-and-pop shop,
you're going to get hit in these very large spray attacks.
And the cybercriminals are very good at monetizing what they end up getting from these.
So they know how to capitalize off of a .gov email address.
They know how to capitalize off of somebody who works at a big company who has access to lots of VPN connections.
They know how to turn those connections into actual money.
And so it's very dangerous to just not be aware of these campaigns and to just be focused on email or just be focused on one form of phishing.
I think holistic training on all the kinds of threats that are out there
will be very helpful to everybody in protecting against these.
Yeah. Don't underestimate these, I guess, right?
Yeah.
Keep them on your radar.
Our thanks to James from SpyCloud Labs for joining us.
The research is titled Unpacking InfoStealer Malware.
What we've learned from reverse engineering LummaC2 and Atomic macOS Stealer.
You can find a link and additional resources in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's Research Saturday brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private
sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here
next time.