360 Security Center’s threat team detected an email phishing attack that delivers the Poulight Trojan, an information stealer that exfiltrates a wide array of data.
360 Security Center’s threat monitoring platform has been tracking Poulight Trojan since last year and presented its findings in a report last Friday.
The 360 researchers say the trojan has “complete and powerful functions” and that the current campaign showed that it has begun to spread overseas.
The attack starts with a phishing file that uses the RLO (Right-to-Left Override) trick. The file is actually a shortcut named “ReadMe_txt.lnk.lnk” with an RLO character inserted after “ReadMe_”; because Windows Explorer always hides the final .lnk extension of a shortcut and renders the characters that follow the RLO in reverse order, the file shows up on the user’s computer as “ReadMe_knl.txt”.
In addition, the attacker can set the icon of the .lnk file to the Notepad icon to further confuse the user, who is likely to mistake it for a benign .txt file.
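The following script is an added example, not code from the 360 report. It simulates the two Explorer behaviours that make the lure work (the hidden trailing .lnk and the reversed rendering after U+202E) so you can see what a user would be shown for a given real file name, and it flags names carrying bidi control characters, which is the check a mail gateway or endpoint script should make. The reversal is a simplification of the Unicode bidi algorithm that is exact for ASCII-only names like the one in this campaign; the list of always-hidden extensions is an assumption drawn from Windows’ NeverShowExt registrations.

```python
"""Added example (not from the 360 report): show how Explorer displays a
shortcut whose name contains a Right-to-Left Override, and flag such names."""
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Bidi control characters that can be abused to disguise a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions Explorer never shows (NeverShowExt), even with "hide known
# extensions" turned off. Assumption: the list is limited to these three.
ALWAYS_HIDDEN = (".lnk", ".url", ".pif")


def displayed_name(actual_name: str) -> str:
    """Approximate the name a user sees in Explorer.

    Explorer drops a trailing always-hidden extension, and an RLO character
    makes the renderer draw everything after it right-to-left. Plain string
    reversal is a simplification of the bidi algorithm that is exact for
    ASCII-only names such as the lure in this campaign.
    """
    name = actual_name
    for ext in ALWAYS_HIDDEN:
        if name.lower().endswith(ext):
            name = name[: -len(ext)]
            break
    if RLO in name:
        head, _, tail = name.partition(RLO)
        return head + tail[::-1]
    return name


def suspicious_bidi(actual_name: str) -> list[str]:
    """Return the names of any bidi control characters found in a file name."""
    return [unicodedata.name(c) for c in actual_name if c in BIDI_CONTROLS]


def looks_like_rlo_spoof(actual_name: str) -> bool:
    """True when an RLO makes the displayed extension differ from the real one."""
    if RLO not in actual_name:
        return False
    real_ext = actual_name.lower().rsplit(".", 1)[-1]
    shown_ext = displayed_name(actual_name).lower().rsplit(".", 1)[-1]
    return real_ext != shown_ext


if __name__ == "__main__":
    lure = "ReadMe_" + RLO + "txt.lnk.lnk"  # the file name described in the report
    print(repr(lure), "is shown as", displayed_name(lure))
    print("bidi controls:", suspicious_bidi(lure))
    print("RLO spoof:", looks_like_rlo_spoof(lure))
```

Run against attachment names at the gateway, the presence of any bidi control character is reason enough to quarantine; `looks_like_rlo_spoof` narrows that to the cases where the visible extension actually lies about the real one.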
When the user opens this fake txt file, they actually execute the attacker’s code: the shortcut runs a PowerShell command that downloads and executes the malicious program from https[:]//iwillcreatemedia[.]com/build.exe.
The malware developer did not obfuscate the code inside the malicious program, which carries the straightforward name Poullight.exe.
A second file, putty3.exe, is also downloaded. It first checks whether the current environment is a virtual machine or a malware analysis environment and stops running if it is, which lets the attackers evade analysis by some automated sandboxes.
After running the checks, the trojan starts to execute its malicious payloads.
Poullight then collects and stores in local files the following data: user name, machine name, operating system, installed anti-virus products, graphics card and processor labels, and other machine information. After that, it gets the list of currently running processes and writes it to the file %LocalAppData%\1z9sq09u\ProcessList.txt.
After a few more steps, Poulight proceeds to steal the following data:
- Desktop screenshot;
- Document names, if the file name contains words such as password, login, account, аккаунт (account), пароль (password), вход (login), важно (important), сайта (site) or site, or if the extension is .txt, .rtf, .log, .doc, .docx, .rdp or .sql;
- Pictures from a web camera;
- FileZilla server login credentials: FileZilla\recentservers.xml;
- Pidgin login configuration: .purple\accounts.xml;
- Discord data storage backup: discord\Local Storage;
- Telegram data storage files;
- Skype data: Microsoft\Skype for Desktop\Local Storage;
- Various cryptocurrency wallet related documents;
- Visited URLs, cookies, accounts, passwords, autofill data, payment card information, etc. from 25 browsers;
- And more.
The trojan uploads the stolen data to one of two remote C&C servers, http[:]//poullight[.]ru/handle.php (unused) and http[:]//gfl.com[.]pk/Panel/gate.php.
360 Total Security researchers reported the following IOCs for Poullight:
Hashes (MD5):
dcb4dfc4c91e5af6d6465529fefef26f
083119acb60804c6150d895d133c445a
b874da17a923cf367ebb608b129579e1
C2:
hxxp://gfl.com.pk/Panel/gate.php
hxxp://poullight.ru/handle.php (unused)
URLs:
hxxps://iwillcreatemedia.com/build.exe
hxxp://ru-uid-507352920.pp.ru/example.exe
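As an added example (not part of the 360 report), the script below takes the IOCs exactly as published, refangs them, and sweeps two constructed inputs for them: a few proxy-log lines and a file-hash inventory. Both sample inputs are made up for the demonstration and are not real traffic; the log format (timestamp, source IP, method, URL, status) is an assumption.

```python
"""Added example, not from the 360 report: refang the published IOCs and
sweep constructed proxy-log lines and a file-hash inventory for them."""
import re
from urllib.parse import urlparse

# IOCs as listed in the report, in their defanged form.
IOC_URLS = [
    "hxxp://gfl.com.pk/Panel/gate.php",
    "hxxp://poullight.ru/handle.php",
    "hxxps://iwillcreatemedia.com/build.exe",
    "hxxp://ru-uid-507352920.pp.ru/example.exe",
]
IOC_MD5 = {
    "dcb4dfc4c91e5af6d6465529fefef26f",
    "083119acb60804c6150d895d133c445a",
    "b874da17a923cf367ebb608b129579e1",
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    s = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


# Match on the host rather than the full URL so that other paths on the same
# C2 host (for example a panel login page) are caught as well.
IOC_DOMAINS = {urlparse(refang(u)).hostname for u in IOC_URLS}

# Constructed proxy log (not real traffic): "<ts> <src> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2020-03-10T09:14:02Z 10.0.4.17 GET https://iwillcreatemedia.com/build.exe 200
2020-03-10T09:14:05Z 10.0.4.17 POST http://gfl.com.pk/Panel/gate.php 200
2020-03-10T09:15:11Z 10.0.4.22 GET https://example.org/index.html 200
2020-03-10T09:16:40Z 10.0.4.17 GET http://poullight.ru/ 404
"""

# Constructed endpoint hash inventory (not real data): "<host> <md5> <path>"
SAMPLE_HASHES = """\
WS-017 dcb4dfc4c91e5af6d6465529fefef26f C:\\Users\\alice\\AppData\\Local\\Temp\\build.exe
WS-022 d41d8cd98f00b204e9800998ecf8427e C:\\Windows\\notepad.exe
"""


def sweep_proxy_log(log_text: str) -> list[dict]:
    """Return one record per log line whose URL host is a known C2/download host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, src, _method, url = parts[:4]
        host = urlparse(url).hostname
        if host in IOC_DOMAINS:
            hits.append({"ts": ts, "src": src, "url": url, "host": host})
    return hits


def sweep_hashes(inventory: str) -> list[dict]:
    """Return one record per inventory entry whose MD5 matches a published hash."""
    hits = []
    for line in inventory.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        host, md5, path = parts
        if md5.lower() in IOC_MD5:
            hits.append({"host": host, "md5": md5.lower(), "path": path})
    return hits


if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print("network hit:", hit)
    for hit in sweep_hashes(SAMPLE_HASHES):
        print("file hit:", hit)
```

Matching on the host deliberately flags the `poullight.ru/` request even though the published C2 path is `/handle.php`; that costs a little triage but catches variant paths. Hashes are compared case-insensitively because inventory tools disagree on case.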