Poulight is an info-stealer trojan which most probably originated in Russia. It is written in .NET and can collect sensitive information and deliver it to cybercriminals. Ever since its first appearance, it has been growing substantially and taking different forms. The main infection vector remains spear-phishing emails. It was sold for just a handful of dollars, so it was easily accessible to cybercriminals. Its website ‘poullight[.]ru’ called it ‘Poulight Stealer’ and boasted that it was the best product on the internet.
Fig1: Official Website of Poulight Stealer
It begins with a doc file named “Minecraft how to play guide.docm”, which is a Microsoft Word file. This file contains an image of the Minecraft game along with some abusive Russian text.
Fig 2: Image of the Minecraft game in the Microsoft Word file.
This doc file contains a macro, which executes automatically if macros are enabled. The macro is simple: it uses cmd.exe to run a PowerShell command that downloads an additional executable. This executable is saved as mess.exe and executed.
Fig 3: Extracted macro
Fig 4: Network Capture of ‘mess.exe’ download
The ‘mess.exe’ is a loader for Poulight. It carries two more executables stored in ‘RCDATA’ resources. The resources A1 and A2 hold the .exe files, while B1 and B2 hold the respective file names of those executables.
Fig 5: ‘RCDATA’ resource of ‘mess.exe’.
The ‘mess.exe’, upon execution, drops the executables present in RCDATA into the %tmp% folder and executes them using ‘ShellExecuteA’.
Fig 6: Execution using ‘ShellExecuteA’
The two executables dropped into the %tmp% folder are ‘fakerror.exe’ and ‘injector (automatic).exe’.
Here is the complete process flow of Poulight Stealer.
Fig 7: Process flow of Poulight Stealer
The fakerror.exe is a .NET executable and does exactly what the name implies: its sole purpose is to display a fake error message.
Fig 8: Fake error message.
The fake message is in Turkish, as shown in the above figure. According to Google Translate, the message means ‘The Program cannot be started. VM or Windows under update 10 detected’.
Its purpose is to make it appear as if the executable failed to run, while the other executable (‘injector(automatic).exe’) runs successfully.
The next executable, ‘injector(automatic).exe’, is the actual Poulight Stealer. When it is run on the target system, one of the first things it does is check whether it is running on a real computer or a virtual machine. If a virtual machine is detected, the malware terminates.
Fig 9: Anti-VM Technique
The above function uses classic Windows Management Instrumentation (WMI), executing the query “Select * from Win32_ComputerSystem”.
The following are a few more checks used to detect virtual environments and sandboxes; each is the name of a DLL associated with a particular sandbox product.
- cmdvrt32.dll (Comodo sandbox)
- SxIn.dll (Avast sandbox)
- sbiedll.dll (Sandboxie)
- Sf2.dll (Avast sandbox)
- snxhk.dll (Avast sandbox)
Fig 10: Main module wrapping malicious code
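The WMI query and the sandbox DLL names above are static strings, so they can be used for quick triage of a suspect .NET binary. The following Python helper is an added example (not code from this analysis or from the malware); it searches a file for those indicators in both UTF-16LE, which is how .NET stores its string literals, and plain ASCII, and the sample bytes it uses are constructed.

```python
"""Triage scan for the anti-VM / anti-sandbox indicators listed above."""
import sys

# Indicators as given in the analysis: the WMI query and the sandbox DLLs.
WMI_QUERY = "Select * from Win32_ComputerSystem"
SANDBOX_DLLS = {"cmdvrt32.dll": "Comodo sandbox", "SxIn.dll": "Avast sandbox",
                "sbiedll.dll": "Sandboxie", "Sf2.dll": "Avast sandbox",
                "snxhk.dll": "Avast sandbox"}


def find_indicators(data: bytes) -> dict:
    """Map each indicator found in data to the encodings it was seen in.
    .NET keeps string literals in the #US heap as UTF-16LE, so a plain ASCII
    search would miss them; both forms are checked, case-insensitively."""
    lowered = data.lower()  # only ASCII bytes change, so UTF-16LE text stays intact
    hits = {}
    for name in [WMI_QUERY, *SANDBOX_DLLS]:
        seen = [enc for enc in ("utf-16-le", "ascii")
                if name.lower().encode(enc) in lowered]
        if seen:
            hits[name] = seen
    return hits


def anti_analysis_verdict(hits: dict) -> str:
    """The WMI hardware query plus any sandbox DLL name is the combination the
    analysis describes; either one on its own is weaker evidence."""
    dlls = [n for n in hits if n in SANDBOX_DLLS]
    if WMI_QUERY in hits and dlls:
        return "anti-VM + anti-sandbox (%d DLL names)" % len(dlls)
    if dlls or WMI_QUERY in hits:
        return "partial match"
    return "none"


def build_demo_sample() -> bytes:
    """Constructed stand-in for a .NET PE: padding around UTF-16LE copies of
    two indicators and an ASCII copy of a third (no real binary is embedded)."""
    return (b"MZ" + b"\x00" * 32
            + WMI_QUERY.encode("utf-16-le") + b"\x00" * 8
            + "sbiedll.dll".encode("utf-16-le") + b"\x00" * 8
            + b"snxhk.dll" + b"\x00" * 8)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_demo_sample()
    found = find_indicators(blob)
    print(found, "->", anti_analysis_verdict(found))
```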
The malware then creates two randomly named folders in ‘C:\Users\<user>\AppData\Local\<random-8-letters>’ which are used later. The paths of folders such as Desktop, AppData, Local AppData, and Documents are also stored in class variables.
Fig 11: Special Folder creation functions
The configuration and parameters are then read from the resources. Below is the code responsible for reading the configuration and parameters. The parameters are stored in an array for further use.
Fig 12: Configuration and parameters export function
Below is a figure showing the decoded configuration and parameters.
Fig 13: Decoded configuration
A check for the presence of a file in the %tmp% directory is performed; its existence indicates that the malware is already present. This file is used as a mutex to prevent re-infection of a system on which the malware is already running. Subsequently, the main function responsible for all information gathering and exfiltration is called. This function, named ‘Start’, is present in the ‘xs’ class. The very first function called inside ‘Start’ is ‘Information.AVDetect()’, which, as the name suggests, detects any installed AV product. System information is then extracted from the registry. This information includes the username, machine name, processor, and video controller, which can also be used to identify virtual machines.
Fig 14: Function for retrieving the configuration of the victim machine
The gathered information is stored in one of the two folders generated in Local AppData, in a file named ‘PC-Information.txt’. A list of all running processes is also stored in the same directory, in a file named ‘ProcessList.txt’.
Fig 15: Function for retrieving the configuration of the victim machine
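The eight-letter staging folder and the two text files it holds are straightforward to hunt for on a suspected host. The following Python helper is an added example, not part of the original write-up: it lists the direct subfolders of Local AppData whose name is exactly eight letters and which contain either artifact, and it builds a constructed throw-away profile tree so it can be tried anywhere.

```python
"""Hunt Local AppData for the stealer's staging folder described above."""
import re
import sys
import tempfile
from pathlib import Path

# File names from the analysis; the folder itself is named <random-8-letters>.
ARTIFACT_FILES = {"PC-Information.txt", "ProcessList.txt"}
RANDOM_DIR = re.compile(r"^[A-Za-z]{8}$")


def find_staging_dirs(local_appdata: Path) -> list:
    """Return (folder name, artifact files) for direct subfolders of
    local_appdata whose name is exactly eight letters and which contain at
    least one artifact. Only the first level is checked, matching the path
    in the analysis; unreadable folders are skipped rather than aborting."""
    hits = []
    for child in sorted(local_appdata.iterdir()):
        if not (child.is_dir() and RANDOM_DIR.match(child.name)):
            continue
        try:
            names = {p.name for p in child.iterdir() if p.is_file()}
        except PermissionError:
            continue
        present = names & ARTIFACT_FILES
        if present:
            hits.append((child.name, sorted(present)))
    return hits


def build_demo_profile() -> Path:
    """Constructed Local AppData tree (not a real profile): normal folders, a
    benign 8-letter folder without the artifacts, and one folder that mimics
    the staging directory with both files."""
    root = Path(tempfile.mkdtemp(prefix="localappdata_demo_"))
    for name in ("Microsoft", "Packages", "Temp", "abcdefgh"):
        (root / name).mkdir()
    (root / "abcdefgh" / "cache.bin").write_bytes(b"\x00" * 4)
    staged = root / "qwzxplmn"
    staged.mkdir()
    (staged / "PC-Information.txt").write_text("Username: demo\nMachinename: DEMO-PC\n")
    (staged / "ProcessList.txt").write_text("explorer.exe\nsvchost.exe\n")
    return root


if __name__ == "__main__":
    # On a Windows host: python hunt.py "%LOCALAPPDATA%"; with no argument the demo tree is used.
    base = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_profile()
    for name, files in find_staging_dirs(base):
        print(f"{base / name}: {', '.join(files)}")
```

Note that ‘Packages’ in the demo tree is also eight letters but holds neither file, so name length alone is not a useful signal; the file names are what make the match.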
After gathering system information, it starts actively stealing sensitive data from various programs. Below is the list of the malware's capabilities for stealing data from infected systems.
- Desktop Capture
- Webcam Capture
- Sensitive Documents
- Filezilla Credentials
- Social media apps Info
- CryptoCurrencies Info
- Browser info
- Clipboard data
Fig 16: All functions responsible for stealing sensitive data
The DesktopImg.Start() function takes a screenshot of the active desktop on the system, and Webcam.start() captures a picture from the webcam.
Fig 17: Function for taking a screenshot of the active desktop on the victim machine
The DFiles class is interesting as it carries the list of file extensions used to select sensitive documents to steal.
Fig 18: Function for searching the files with the specific extensions
Collected files with these extensions are searched for common words that indicate stored credentials, such as ‘password’ and ‘login’.
Fig 19: List of common words searched inside the documents
The search() function hunts for all browsers and their login data paths using the string_0() and BrowList2() functions.
Fig 20: Function for hunting all browsers and their login data paths
Fig 21: Functions containing all browsers and their login data paths
All the scraped information is stored inside the Local AppData directory mentioned earlier. Below is the large amount of sensitive data that the stealer captured.
Fig 22: Folder containing all stolen data
All this information is zipped together into a new file in the AppData Roaming directory.
Fig 23: Path for zipped information
This zip file, along with the other collected information, is stored in a unique data structure.
The collected data is then uploaded to the URL ‘http://f0429164[.]xsph.run/Panel/gate.php’.
Fig 24: Function to upload the stolen information to the URL
After the data is uploaded successfully, there is a provision to download an additional payload from the URL ‘http://ru-uid-507352920[.]pp.ru/example.exe’. This can also be used for self-update.
Fig 25: Additional payload used for the self-update
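Because the exfiltration gate and the payload host above are fixed in the sample, outbound proxy logs can be checked for them. The following Python example is added here and is not from the original analysis: it classifies constructed web-proxy log lines (the log layout is an assumption) against the two URLs, keeping them defanged as in the text and refanging only in memory, and it also flags a POST to any host whose path ends in the same gate path.

```python
"""Flag proxy log lines that touch the C2 URLs named in the analysis."""
import re
from urllib.parse import urlsplit

# Kept defanged exactly as in the write-up; refanged only in memory for matching.
EXFIL_URL = "http://f0429164[.]xsph.run/Panel/gate.php"
PAYLOAD_URL = "http://ru-uid-507352920[.]pp.ru/example.exe"


def refang(url: str) -> str:
    return url.replace("[.]", ".").replace("hxxp", "http")


KNOWN_HOSTS = {urlsplit(refang(EXFIL_URL)).hostname: "Poulight exfiltration gate",
               urlsplit(refang(PAYLOAD_URL)).hostname: "Poulight payload / self-update host"}

# Constructed log layout (assumption): timestamp client method url status bytes_sent
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3}) (?P<sent>\d+)$")


def classify(line: str):
    """Return (client, reason) for a suspicious line, else None. A known host
    is flagged outright; a POST to any host whose path ends in /Panel/gate.php
    is a weaker path-based match, useful if the operator moves the panel."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(refang(m["url"]))
    if parts.hostname in KNOWN_HOSTS:
        return (m["client"], KNOWN_HOSTS[parts.hostname])
    if m["method"] == "POST" and parts.path.endswith("/Panel/gate.php"):
        return (m["client"], "POST to stealer-style gate path")
    return None


def scan(lines) -> list:
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (not real traffic); hosts are defanged like the text.
SAMPLE_LOG = [
    "2020-04-01T10:00:01Z 10.0.0.5 GET http://example.org/index.html 200 5120",
    "2020-04-01T10:00:09Z 10.0.0.5 POST http://f0429164[.]xsph.run/Panel/gate.php 200 180",
    "2020-04-01T10:00:12Z 10.0.0.5 GET http://ru-uid-507352920[.]pp.ru/example.exe 200 9",
    "2020-04-01T10:01:00Z 10.0.0.7 POST http://other.example/Panel/gate.php 403 0",
    "2020-04-01T10:01:30Z 10.0.0.9 GET http://example.org/Panel/gate.php 200 12",
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```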
Quick Heal detects all the malicious components of this malware. The main component, ‘injector(automatic).exe’ (i.e. poulight.exe), is detected as “Trojan.Stealer.S12567177”.
Fig 26: Detection of injector(automatic).exe (poulight.exe)
Filename: minecraft how to play guide.docm MD5: 7FBC52BB2BCE064A51D671C8CA20FB1E
Filename: injector(automatic).exe (Poulight.exe) MD5: 8E855BCB97E9D1DCB2C79C580DCA7F2D
Filename: Mess.exe (ET3.exe) MD5: 58386adaea3b5e737144388e6607d8a5
Filename: fakerror.exe MD5: 3F4BC3D0287D911603691767C5D372FA