Research Saturday 6.15.24
Ep 334 | 6.15.24

Exploring the mechanics of Infostealer malware.

Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ] Today, I'm speaking with a security researcher from SpyCloud Labs, who prefers we simply call them James. We're discussing "Unpacking Infostealer Malware: What we've learned from reverse engineering LummaC2 and Atomic macOS Stealer." [ Music ]

James: I mean, so the name kind of gives it away a little bit. The full name of an infostealer is information stealer, and their entire purpose is to steal information. They attempt to infect a victim, and once they're on a victim system, they will steal credentials, they will steal files that exist on the system that might be interesting to the malware author or the person running the malware. They'll also steal emails, if you have emails on your system. They will steal two-factor authentication secrets, which is also technically still a file. In the case of Atomic Stealer, they'll steal your keychain, which has all of your passwords in it. Their entire goal is to get onto your system and steal everything that would be interesting to somebody who is running the malware. And then once they're there, they will exfiltrate that information and send it to the malware author. Some infostealers will also then load additional malware. Atomic Stealer, for example, has the ability to load a trojanized, or like an infected, Ledger Live application. And this Ledger Live application is a crypto wallet. So this infected crypto wallet will actually steal your seed phrases. If you have Ledger Live and you're infected with this, it'll steal your seed phrase when you put it in, which is very important for managing crypto coins. Other malware like Lumma has the ability to just load whatever malware the people who are running the malware specify, which is actually a very common feature of infostealers. They will act kind of as a loader malware. But yes, that's kind of just a high-level rundown of infostealers.

Dave Bittner: Well, I mean, for these two that we're talking about today, Lumma and Atomic on macOS, what was it that brought these to your attention?

James: Here, like at SpyCloud, we get a lot of logs from like malware, and we see a lot of Lumma and we see a lot of Atomic Stealer. And so we are very interested in looking at these malware families to see if we could determine like how these families behave, so that defenders can better protect against them, so that maybe we can hopefully see a few less logs.

Dave Bittner: Well, let's dig in together. Do we want to go through both of them as a group or does it make sense to do them one at a time?

James: Either or we could do both as a group. One at a time also works because one is macOS and one is Windows.

Dave Bittner: Okay. Well, let's go through them one at a time here. Why don't we start on the macOS side here. Tell me about Atomic?

James: So it's pretty interesting because like you've already -- I mean, at least when I was first getting started in computers, you always had the claim like you would never get malware or a virus on an Apple device, which is like a very old claim, but Atomic Stealer is malware designed for macOS. It is malware as a service, which means that the authors who write Atomic Stealer sell Atomic Stealer, like access to the Atomic Stealer malware panel, to anybody who wants to purchase it for a monthly fee. They sell it for a very hefty fee of between $500 and $1,000 per month, which is pretty expensive for malware, but this gives people who want to run Atomic Stealer access to the panel, and they can create builds of Atomic Stealer, which is essentially the generated malware that they can then infect victims with. The authors who make Atomic Stealer might be running Atomic Stealer. They're not the only people running Atomic Stealer. There's lots and lots and lots of people running Atomic Stealer. And so when we found Atomic Stealer, we were looking at something that we call cybercrime enablement services, which is like pay-per-install networks like Space Media or Install Bank, which we covered in a different blog, the Space Media writeup, for example. These services will insert like download buttons. If you've ever possibly downloaded like a mod for a game or cracked software (right now, we're not supposed to download cracked software or free software on a website), you've seen those download buttons on those websites. I can confirm that those download buttons are 100% malicious. They result in various different kinds of malware, but if you're running Mac, almost 100% of the time, it is Atomic Stealer. So when we were looking at these cybercrime enablement services, we found Atomic Stealer samples. And so we started looking at those Atomic Stealer samples to figure out how Atomic Stealer functions, so that defenders could like better protect their environments. 
And looking at Atomic Stealer was like super interesting because we were able to find samples that were very old and then samples that were very new. And Atomic Stealer is one of the only malware -- or I don't want to say one of the only malware families that's ever done this, but it's one of the few families that I've ever looked at that I would say has ever gone backwards in its development cycle. When I was looking at -- we actually mentioned this in the blog, but when I was looking at Atomic Stealer, when they did their exfiltration in older samples, they had a very sneaky method where they would generate a zip file in memory and then exfiltrate without ever writing anything to the disk. And that's very sneaky because it makes it very hard for defenders to identify that. However, in newer versions of Atomic Stealer, they write everything to the disk, and that makes it very easy for defenders to identify it. I've never seen a malware go backwards in its development cycle like that, but it was just a very interesting development. As we noted in our writeup, though, we think that maybe Apple internal security might've had a detection for writing a zip in memory, so that might've been why they went backwards. It was just very interesting in their development cycles that they essentially went backwards in their development. But as to how Atomic Stealer actually functions, it steals from a variety of browsers. It steals a variety of crypto wallets. It has a very large list of extensions. There's more than 50 extensions in this list of extensions that it steals from.

Dave Bittner: What's most noteworthy to you in terms of the things that it'll target?

James: Most of these are crypto wallets. A large portion of these are crypto wallets. So it's really looking for like crypto wallets to steal crypto coins from. That seems to be what it is solely focusing on. Like I see like MetaMask. I see Tron Wallet. I see Starcoin. Like I see a ton of crypto wallets. It has a file grabber, which is very typical for infostealers, but for this one, it only targets a very select few files. It targets PST files, document files, RTF files, wallet files, and anything that has a .key or .keys file extension. So if you're storing your passwords on your computer in raw text, which you never should be doing, don't store them as .key or .keys files.

Dave Bittner: So in terms of the functionality here on the Mac side, I mean, how does it go about staying stealthy and avoiding detection?

James: To be honest, in my opinion, it seems very loud. Like when it makes its exfiltration folder, it writes all of the files to disk. So I don't -- when I have done threat hunting, I've only done threat hunting in Windows environments, so I don't know what Mac like detection environments look like. So I don't know if this is -- like from a Windows detection perspective, this looks like very loud behavior to me, but from a Mac detection perspective, this could be very hard behavior to detect. I just don't know what it looks like from that perspective.

Dave Bittner: Yeah, that's fair. Well, let's switch over to Lumma then. I mean, what's going on that side of things?

James: So Lumma is very interesting. Like a lot of other Windows malware, it has a dynamic config, which is something that Atomic Stealer did not have. So Lumma, like a lot of other Windows families, has a dynamic config, and it actually impressed me how dynamic their config was. Lumma works very similarly to all other stealers in that they steal browsers, they steal extensions, they steal files. But what's also interesting is that Lumma steals -- Lumma has hardcoded email theft, but you can also specify additional email theft in their modular config, which is very interesting to me because you can steal pretty much any email client that exists on a system with Lumma. They've also got -- for their two-factor authentication theft, they are able to actually steal office, like office two-factor authentication secrets, which was another interesting inclusion because for a while, we saw them attempting to steal all of these authentication secrets but not actually succeeding at it. So it shows that not only are they developing their malware, but they're also testing their malware in environments and actively trying to make their malware better. And like it shows that their development team is pretty advanced. But yeah, they have a couple of like interesting features in their configuration too, such as the ability to change whether or not it takes a screenshot, and to change whether or not it deletes itself from the computer, and to change whether or not it does a language check, which I would think you would want the language check to be on every single time, because the language check checks whether or not it can run in Russia, Uzbekistan, or Azerbaijan. Like anything in those language sets, or the three language sets that it can't run in. So you'd think that would want to be on every single time, but you can actually disable it within their config. [ Music ]

Dave Bittner: It's interesting to me that users of these, you know, the people who are paying this monthly fee, it seems to me like they can really dial in depending on what they're interested in. You know, like you pointed out, Atomic seems to be focused on crypto, but if I were someone who was interested in, you know, email compromise, I could be dialing these to help me with that. You know, there's sort of -- it's like a Swiss Army knife for whatever information you want to access on someone's system. Is that an accurate perception on my part?

James: Yeah. Yeah. That's a very accurate perception, especially with LummaC2 and really any infostealer that has dynamic configuration modification, because it allows that, and that is a lot of stealers. Lumma is not like -- like I don't want to like just highlight Lumma as like a unique stealer that everybody should purchase. A lot of infostealers these days have dynamic config creation where people who are purchasing the infostealers can modify what they particularly want to steal, so that it's custom for them. So say that they're targeting like a government worker, and the government worker's not going to have a crypto wallet. They're not going to have like Steam. They're not going to have Telegram, but they are going to have email. They are going to have these various particular document files that they want to target. They can customize the config to only look for those particular things and ignore everything else, so that it's not wasting computer cycles looking for these documents and these files that don't exist, because if you're wasting computer cycles, you're going to get detected earlier.

Dave Bittner: In terms of organizations best protecting themselves against this, I mean, what are your recommendations? I mean, obviously, you know, we said earlier, don't download cracked software, but beyond that, you know, what are best practices here?

James: It's hard because it comes from like a lot of different sources, because there's -- I mean, there's the email side to worry about. You have to worry about phishing. You have to worry about cracked software. So it requires more than just like one solution that fixes all. I think it requires like user education. And it's not just user education at work, like user education at your job, because what we've learned is that a lot of compromises at work environments end up taking place with people's personal devices. So I think that there needs to be -- I know there's already a ton of user education, but like more thorough user education about like, hey, if you are working at -- say that you're working at like a financial job, you have now taken on the risks of the financial job in your personal life. Like you could be targeted in your personal life more heavily than somebody who is like working at a non-financial institution, because like financial institutions are targeted heavily. Those are very good targets for cyber criminals. And so like I think that it's -- yeah, there's not going to be a very simple solution, but like more education on like identifying threats, identifying what like a suspicious download looks like, making sure that people stay updated, of course, like staying current on updates and software, so that you can't have compromises. Yeah, but unfortunately, there's not just a simple solution, one solution fits all, but I wish there was.

Dave Bittner: Yeah. I mean, are these the types of things that typically antivirus would detect?

James: Sometimes, they do get detected by antivirus, especially if somebody's running an older version of the malware. But because these are malware-as-a-service providers, like one of their business goals is to provide malware that is clean and can't be detected by antivirus. So they are like actively working to make sure that their malware is not detected. So you can't always rely on antivirus to detect the malware, especially if it's a very fresh build. Every so often, people will slip through.

Dave Bittner: What about persistence here? I mean, are they trying to kind of get in and out with a quick hit or are they working hard to stay on that system?

James: It's very much an in-and-out with a quick hit. Atomic Stealer does not do any form of persistence. Lumma has -- as far as I've seen, Lumma doesn't really have persistence. Like Lumma has the option to not delete itself, but the persistence is based on the installation, so how it was installed. So if it was installed by something that didn't install persistence, then it's not going to have any persistence. So a lot of these are just -- what I have seen are just smash and grab. Like the person installs something, it steals, and then it's gone.

Dave Bittner: Yeah. You know, I'm curious. Before I let you go, for you and your colleagues there at SpyCloud when you take on the task of reverse engineering something like this, could you kind of walk us through that process? I think a lot of our listeners would be interested to hear how you approach something like this.

James: So I have kind of a different approach than a lot of different analysts, because I do like static analysis and reverse engineering in a debugger and a disassembler, whereas a lot of analysts might use a sandbox. So if I can do the static -- or do the analysis without having to use a debugger, I'll just use the disassembler. I'm pretty adept with reading assembly. I actually prefer it over decompilation into C. So I'll just throw the binary into my disassembler and I'll read it in assembly, and I analyze it that way, which I've been told is a unique way of analyzing.

Dave Bittner: I would consider it a bit of a superpower. [ Laughter ]

James: But for other samples, if it has like obfuscation or if the strings are encrypted or something like that, I'll have the sample in a debugger. And then I'll have the sample in the disassembler, and I'll step through it in the debugger and in the disassembler. And that's the same for Windows. It's the same for Mac. For Mac, it took a little bit to get my analysis environment set up, because Mac does not really let you analyze malware, at least like not on a non-Mac system. So I had to like figure out how to set it up, but once you get everything set up, it works the same. There's unfortunately not as many debuggers for Mac as there are for Windows, but that's just because not a whole lot of people do reverse engineering on Mac. But I used Hopper and it worked really well. So, plus 1 to Hopper. IDA also works on Mac, of course, but it's very expensive, but, you know --

Dave Bittner: So help me understand the scale of this. I mean, how this compares to some of the other problems that we have out there. Where does this rate in the universe of malware that we need to consider?

James: Looking at our data and looking at like the logs that we have collected, and also just looking at like stats that we have collected over time from different malware families, we see large amounts of infections daily from sources that aren't email, that are just like users clicking on cracked software, users clicking on mod links. Somebody's looking for VSTs for their audio software and they accidentally download something malicious. And these are astronomical numbers. I'm talking like hundreds of thousands of infections per day was one of the families that I saw that was pulling those numbers. And so like these are large threats to the average user. And the average user is also normally corporate, also works for like corporate companies. Like everything that targets the average user also ends up hitting everybody. If you work for government, if you work for a company, if you work for a Mom-and-Pop shop, you're going to get hit in these very large spray attacks. And the cyber criminals are very good at monetizing what they end up getting from these. So they know how to capitalize off of like a .gov email address. They know how to capitalize off of somebody who works at a big company who has access to lots of VPN connections. They know how to turn those connections into actual money. And so it's very dangerous to just not be aware of these campaigns and to just be focused on like email, or just be focused on one form of phishing. I think holistic training on like all the kinds of threats that are out there will be very helpful towards everybody protecting against these.

Dave Bittner: Yeah. Don't underestimate these, I guess, right?

James: Yeah.

Dave Bittner: Yeah. Keep them on your radar. [ Music ] Our thanks to James from SpyCloud Labs for joining us. The research is titled "Unpacking Infostealer Malware: What we've learned from reverse engineering LummaC2 and Atomic macOS Stealer." You can find a link and additional resources in the show notes. [ Music ] And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Carter. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]