Luca Stealer Spreads Via a Phishing Microsoft Crypto Wallet Site

Microsoft Crypto Wallet Scam Spreads Luca Stealer
A new phishing campaign targeting cryptocurrency users

With the ever-increasing number of cyber threats, hackers and cybersecurity specialists are taking the initiative. This time, cybercriminals went ahead of the curve. They created a phishing website to coincide with the news that Microsoft was developing a crypto wallet exclusively for its Edge browser. Such a scheme is used to spread Luca Stealer.

Microsoft Crypto Wallet Scam Spreads Luca Stealer

Not so long ago, news broke on the internet that Microsoft is working on creating a crypto wallet for its Edge browser. This news is sure to interest cryptocurrency users. But you know who else is interested in it? That’s right, cybercriminals. The resourceful guys immediately figured out what was happening and created a website that looked as much like Microsoft’s legitimate site as possible. Cybersecurity researchers came across this website and analyzed it. Unlike third-rate phishing sites, this one had a convincing appearance, a web address of hxxps[:]//microsoft-en[.]com/cryptowallet/, SSL certificates, and allknown logic. The website offers the user to download a beta version of the crypto wallet. However, instead of the claimed one, the user received malware.

Phishing website screenshot
Phishing website

Luca Stealer Analysis

In this case, the scammers are distributing Luca Stealer. Specialists identified it due to similarities in the malware code found and the Luca Stealer. However, Luca is open source, which users can find on platforms like GitHub or TOR. It is a relatively new stealer, written in Rust and first spotted in 2022. Its job is to collect valuable data such as crypto wallet details and other personal information. The following are the browsers, crypto wallets, and extensions this malware attacks.

Web browsers

CentBrowser Iridium Qip Surf Chrome Canary
Sleipnir 5 Vivaldi Elements Browser CocCoc Browser
Torch Opera Stable Brave Kometa
Edge CocMedia Google Chrome Mapple Studio
CozMedia ChromePlus Atom Chromium
UC Browser Opera GX WooGamble Opera
Dragon (Comodo Dragon) Chrome SxS 7star Sputnik
Epic Privacy Browser Chedot Uran Citrio
Orbitum Chrome

Browser extensions

1Password Avira Password Manaager BitApp Wallet BitClip
Bitwarden BinanceChain BrowserPass Byone
Clover Wallet Coin98 Coinbase Wallet CommonKey
Cyano Wallet Cyano Wallet Pro DAppPlay Dashlane
EOS Authenticator EQUAL Wallet Guarda Hycon Lite Client
ICONex KHC KeePassXC Keeper
Keplr LastPass Leaf Wallet Liquality Wallet
Math Wallet MEW CX MetaMask MYKI
Nabox Wallet Nash Extension NeoLine NordPass
Nifty Wallet Norton Password Manager OneKey Polymesh Wallet
RoboForm Sollet Splikity Steem Keychain
TezBox Terra Station TronLink Trezor Password Manager
Wombat Yoroi ZilPay Zoho Vault

Crypto wallets

  • AtomicWallet
  • ByteCoin
  • Electrum
  • Exodus
  • JaxxWallet

In addition to cryptocurrency, malware is interested in banking data such as IBANs. This creates additional risks for those involved in banking transactions.

Data Exfiltration

Once the data is collected, Luca Stealer begins compressing the data for easier transmission. The malware uses the Telegram messaging platform as a covert communication channel. Using a Telegram bot, it discreetly sends stolen data and some statistical information about the stolen data to the operator. It also sends messages to the chat room.

Why Luca Stealer?

Since the source code of Luca Stealer was leaked to the public, attackers can modify it, optimize it and add new functionality. After a more detailed analysis, experts discovered an unusual AntiVM method. Luca Stealer checks the system temperature before starting to execute. Since virtual machines usually generate an error when such a request is made, the malware can understand whether it is on the virtual machine or on a live system. Though, this trick is just about making the analysis longer rather than impossible. It is not hard to make the VM respond properly to the request, returning realistic and consistent temperatures.

Safety recommendations

To avoid unpleasant consequences, we recommend that you follow the following tips:

  • Be careful with downloads from the Internet. Download software only from official and reliable sources. If you have any doubts about the authenticity of a website, go to a trustworthy website and make sure that the site you are interested in is genuine.
  • Update your software. Sometimes OS updates can be inconvenient. However, this is an essential part as updates contain security patches. To address known vulnerabilities, constantly update your operating system and other software, including browsers.
  • Be careful with email messages. According to statistics, email phishing is one of the most effective methods of spreading malware. Do not open suspicious attachments or links in emails from unknown senders.
  • Install reliable antivirus software. Use quality anti-malware software and update it regularly to stay protected from the latest threats.
  • Educate yourself and stay informed. Unfortunately, in this eternal arms race, cybercriminals are leading. This allows them to create new threats, picking the least predictable forms each time. In turn, cybersecurity experts create effective solutions against them. Study up-to-date threats and deception techniques to be more aware and adapt your actions.

Luca Stealer Spreads Via a Phishing Microsoft Crypto Wallet Site

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *