Poverty Stealer

Hey, here are a few more rules for another stealer that I want to share with the community, given the activity of the malware. Exfiltration is carried out over raw TCP, port 2227.

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Check-In";flow: established, to_server; dsize: 100<>768;stream_size: server, =, 1; stream_size: client, <, 768; byte_test: 1,<=,0x0a,0;byte_test: 1,>=,0x06,0;content: "|000000|"; offset: 1; depth: 3;content: "|000000|"; offset: 5; depth: 3;content: !"|0000|"; offset: 8; depth: 2;content: "|0000 0100 00|"; offset: 10; depth: 5;classtype: command-and-control; reference: md5, 3261ba172502ba9854cf74a60eb7a7e2; reference: url,app.any.run/tasks/616b1b06-b935-449d-af08-e55e9f4e61c4; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 1; rev: 1;)

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M1";flow: established, to_server; stream_size: server, =, 1; content: "PK";depth: 2; classtype: credential-theft; reference:md5,84c61f974da85644011a6cd956bd0204; reference:url,app.any.run/tasks/b4761f9f-ab56-4fe6-b2e8-dd449acfaa52; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 2; rev: 1;)

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M2";flow: established, to_server; stream_size: server, =, 1; content: "PK";depth: 2; content: "$s.bmp";distance: 28; within:  6;classtype: credential-theft; reference:md5,84c61f974da85644011a6cd956bd0204; reference:url,app.any.run/tasks/b4761f9f-ab56-4fe6-b2e8-dd449acfaa52; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 3; rev: 1;)

Analysis 63c33b9d07ff4983194bedf7786cd23b.exe (MD5: 63C33B9D07FF4983194BEDF7786CD23B) Malicious activity - Interactive analysis ANY.RUN
Analysis 227a903567502c67ab7e53143950cb21.exe (MD5: 227A903567502C67AB7E53143950CB21) Malicious activity - Interactive analysis ANY.RUN
Analysis a39a78f6141c7aea6555b61ad6d44b94.exe (MD5: A39A78F6141C7AEA6555B61AD6D44B94) Malicious activity - Interactive analysis ANY.RUN
Analysis 17352aff34b28031f1f48214c7e817a9.exe (MD5: 17352AFF34B28031F1F48214C7E817A9) Malicious activity - Interactive analysis ANY.RUN
Analysis SecuriteInfo.com.Trojan.DownLoaderNET.688.4659.9090 (MD5: BE231D0B99FD570186881418144B8F43) Malicious activity - Interactive analysis ANY.RUN
Automated Malware Analysis Report for q4B165cujP.exe - Generated by Joe Sandbox
Automated Malware Analysis Report for 4jzlpBI7l7.exe - Generated by Joe Sandbox
Automated Malware Analysis Report for OE2HxS3lUt.exe - Generated by Joe Sandbox
Analysis 5ef552b6bb693a4a1fd4080dde4a0b15f3e16ed381002.exe (MD5: DD64D0BC1378B43F8B5B17327B4994CB) Malicious activity - Interactive analysis ANY.RUN
Analysis b0xsupp0rt_Transactions.exe (MD5: E0FB0A3E15BDFBA65A792E3E3463DCD5) Malicious activity - Interactive analysis ANY.RUN
Automated Malware Analysis Report for 2023-07-01-2023-07-15_Transactions.xll - Generated by Joe Sandbox


Analysis https://fundovidaips.com/download/File_pass1234.7z Malicious activity - Interactive analysis ANY.RUN
Analysis file (MD5: 055D849A5DFE135C7535BBDEFA045F92) Malicious activity - Interactive analysis ANY.RUN
Analysis https://storedechuladas.com/wp-content/download/File_pass1234.7z Malicious activity - Interactive analysis ANY.RUN
Analysis file (MD5: CCBBA2AAC1CAE3A0BD29CB42203E20B4) Malicious activity - Interactive analysis ANY.RUN
Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox
Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox

Best regards, Jane.

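As an added illustration (not part of the thread above, and not code from ANY.RUN or Emerging Threats), the following Python re-implements the payload conditions of the "Exfiltration M1" and "Exfiltration M2" rules and runs them over a constructed in-memory ZIP. The point it makes is why the offsets in M2 work: a ZIP local file header is exactly 30 bytes, so `content:"PK"; depth:2;` followed by `content:"$s.bmp"; distance:28; within:6;` pins the 6-byte name to offset 30, i.e. the file-name field of the first archive entry. The stream conditions (`flow:to_server`, `stream_size:server,=,1`, the port) are left to the sensor and are not modeled here; the ZIP contents are constructed sample data.

```python
"""
Added example: byte-level logic of the PovertyStealer "Exfiltration M1/M2"
Suricata rules, applied to a constructed ZIP payload. Not from the original
thread; the archive below is sample data built in memory.
"""
import io
import struct
import zipfile

# Fixed part of a ZIP local file header:
#   4 signature (PK\x03\x04) + 2 version + 2 flags + 2 method + 2 mtime + 2 mdate
#   + 4 crc32 + 4 compressed size + 4 uncompressed size + 2 name len + 2 extra len
LOCAL_HEADER_LEN = 30


def first_entry_name(payload: bytes):
    """Name of the first local file header, or None if this is not a ZIP stream."""
    if len(payload) < LOCAL_HEADER_LEN or payload[:4] != b"PK\x03\x04":
        return None
    name_len, _extra_len = struct.unpack_from("<HH", payload, 26)
    return payload[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + name_len]


def exfil_m1(payload: bytes) -> bool:
    """content:"PK"; depth:2; -- archive magic at the very start of the client payload."""
    return payload[:2] == b"PK"


def exfil_m2(payload: bytes) -> bool:
    """content:"PK"; depth:2; content:"$s.bmp"; distance:28; within:6;

    distance:28 is counted from the end of the 2-byte "PK" match, so the search
    window starts at offset 30; within:6 means the 6-byte string must end within
    6 bytes of that point, i.e. it must sit at exactly offset 30 = the file-name
    field of the first local file header.
    """
    return exfil_m1(payload) and payload[30:36] == b"$s.bmp"


def build_zip(entries) -> bytes:
    """Constructed sample: an in-memory ZIP with (name, data) entries in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Screenshot-first archive, as the M2 rule expects.
    log = build_zip([("$s.bmp", b"BM" + b"\x00" * 64), ("Info.txt", b"constructed")])
    print("first entry:", first_entry_name(log), "M1:", exfil_m1(log), "M2:", exfil_m2(log))
    # Same entries, different order: M1 still fires, M2 does not.
    reordered = build_zip([("Info.txt", b"constructed"), ("$s.bmp", b"BM")])
    print("reordered  M1:", exfil_m1(reordered), "M2:", exfil_m2(reordered))
```

The second case is the caveat a rule author wants to keep in mind: M2 is tied to the entry order the builder happens to use, so it is a precise but brittle signal, whereas M1 trades precision for coverage and therefore keeps the port condition.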

I plan to finalize the rules, since the second includes the detections of the third.

I compared the check-in from three new builds (Newbiuld, buildik1, build01) and made a mask:


After that I decided to take the selected fragment (mutex) and the UUID, plus the length of the packet, for the first rule, in order not to rely on the port. I leave the second rule unchanged, since there are two conditions: the port and the fact that the client's packet with the archive magic will be the first in the stream.

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] PovertyStealer Check-In";flow: established, to_server; stream_size: server, =, 1; dsize: 1079;pcre: "/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x00/";content: "|00|LMR-001";offset: 36;depth:8; classtype: command-and-control; reference: md5, a39a78f6141c7aea6555b61ad6d44b94; reference: url,app.any.run/tasks/7bcdd299-9044-47f2-b8a0-9133e2e7728c; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 1; rev: 1;)

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M1";flow: established, to_server; stream_size: server, =, 1; content: "PK";depth: 2; classtype: credential-theft; reference:md5,84c61f974da85644011a6cd956bd0204; reference:url,app.any.run/tasks/b4761f9f-ab56-4fe6-b2e8-dd449acfaa52; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 2; rev: 1;)

Great analysis :fire: @Jane0sint! We'll get these into tomorrow's (2023/08/07) release.

2047066 - ET MALWARE [ANY.RUN] PovertyStealer Check-In via TCP
2047067 - ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M1

For performance I modified PovertyStealer Exfiltration M1 to match on some of the folder structure within the .zip that is being exfiltrated.


Detection on port 2227 is not enough; I just discovered a build using port 2220.

Analysis hightechnology.exe (MD5: 73BDAE97BBF9B332F0CCE73F9D6C21F7) Malicious activity - Interactive analysis ANY.RUN

No rule detection at this moment.
A more general detection on any port is needed, in anticipation of this stealer using random ports in the future.


@g0njxa - thanks for the FN tip!

I took a look this morning, and what was causing the FN was that the new sample has LMR-002 after the UUID, whereas the original sample has LMR-001. I updated the rule so that it will alert regardless of what the three digits after LMR- are. The rule was already port agnostic with $HOME_NET any -> $EXTERNAL_NET any, so there was no need to make changes there.

Updated sig will go out in Monday’s Release.

Old:

New:

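As an added example (not from the thread, and not the ET rule text, whose updated form is not shown on this page), the Python below reproduces the payload conditions of the port-agnostic check-in rule posted earlier (`dsize:1079`, the UUID-plus-NUL PCRE anchored at offset 0, and `content:"|00|LMR-001"; offset:36; depth:8;`) and runs them over two constructed check-in payloads, one carrying LMR-001 and one carrying LMR-002. It shows the false negative described above and a generalized tag match. The generalized pattern `LMR-[0-9]{3}` is an assumption drawn from the wording of the post, not a copy of the released signature; the UUID is the one quoted later in this thread, and the payload bytes beyond the header are filler.

```python
"""
Added example: payload logic of the PovertyStealer/LUMAR check-in rule with the
original literal tag versus a generalized tag. Not from the original thread.
"""
import re

CHECKIN_DSIZE = 1079  # dsize:1079 in the rule: exact TCP payload length of the sample

# pcre:"/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x00/"
UUID_NUL = re.compile(rb"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x00")

# content:"|00|LMR-001"; offset:36; depth:8;  (the original, build-specific literal)
TAG_ORIGINAL = re.compile(rb"^\x00LMR-001")

# Assumed generalization of the fix described in the thread: any three digits after "LMR-".
TAG_GENERAL = re.compile(rb"^\x00LMR-[0-9]{3}")


def checkin_matches(payload: bytes, tag_pattern=TAG_GENERAL) -> bool:
    """True if the payload satisfies the check-in rule's size, UUID and tag conditions."""
    if len(payload) != CHECKIN_DSIZE:          # dsize:1079
        return False
    if not UUID_NUL.match(payload):            # UUID followed by a NUL at offset 0
        return False
    # offset:36; depth:8; -> only the 8 bytes at [36, 44) are eligible for the tag match
    return tag_pattern.match(payload[36:44]) is not None


def build_checkin(uuid: str, tag: str) -> bytes:
    """Constructed sample payload: UUID, NUL separator, tag, NUL-padded to the rule's dsize.

    Only the header layout the rule inspects is modeled; the rest of the real
    check-in (mutex, build data, ...) is replaced by filler bytes.
    """
    head = uuid.encode() + b"\x00" + tag.encode()
    if len(head) > CHECKIN_DSIZE:
        raise ValueError("header longer than the rule's dsize")
    return head.ljust(CHECKIN_DSIZE, b"\x00")


if __name__ == "__main__":
    uuid = "d6cbe89f-24df-410f-bdd6-184487397307"  # value quoted in this thread
    old_build = build_checkin(uuid, "LMR-001")
    new_build = build_checkin(uuid, "LMR-002")
    for name, pkt in (("LMR-001", old_build), ("LMR-002", new_build)):
        print(name,
              "original:", checkin_matches(pkt, TAG_ORIGINAL),
              "generalized:", checkin_matches(pkt, TAG_GENERAL))
```

Two practical notes follow from the code: the UUID PCRE only accepts lowercase hex, so an uppercase UUID would slip past both variants of the rule, and the exact `dsize:1079` is as build-specific as the `LMR-001` literal was; a builder change that adds a single byte produces the same kind of FN, so a range (as the first-post rule used) is the more forgiving choice once more samples are available.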

Hi, can I ask you to add a link to this discussion to rule 2047066?

reference:url,community.emergingthreats.net/t/poverty-stealer/;

The signature updates will go out today!

JT


Hello again, we need to open a new discussion on this!

I want to attribute all "PovertyStealer" samples (a generic name given because the real name was not known) to the LUMAR stealer being sold on forums, and I am requesting an update to the rules with the appropriate name.

Sale: https://exploitivzcm5dawzhe6c32bbylyggbjvh5dyvsvb5lkuz5ptmunkmqd.onion/topic/227873/

Lumar (not Lumma!) has been on sale since July 2023, and the first samples were found and the first rules written in August 2023, so the dates make sense.

Lumar was poorly reported by Securelist (Kaspersky) in October 2023:
Kaspersky crimeware report: GoPIX, Lumar, and Rhysida. | Securelist
It shares two samples: S1 (5fc82bd3590eae30c26f1a42f4e711f4) & S2 (46b892398cfb1a1c59683fc8abfcc5fc).

We can find S2 in ANY.RUN public reports, detected as "PovertyStealer":
Analysis 394a309124ec29edb79624fdec9a3c2412e38088dc306afddf97daba9a00adf6 (MD5: 46B892398CFB1A1C59683FC8ABFCC5FC) Malicious activity - Interactive analysis ANY.RUN

Lumar references can be easily identified in network traffic by the log-name string "LMR", referencing LUMAR.

This is what we discussed back in August 2023 with the samples I found and shared in this thread at the time, which used different port numbers.

Some other "PovertyStealer" detections with the LMR string in traffic:
Analysis Konst.exe (MD5: CB031980EB0030F7096B5E097E841A87) Malicious activity - Interactive analysis ANY.RUN
Analysis d4dbc82122d11226746291b21e12359a310e5afc9884071d1dfc38b5e4c76596.exe (MD5: DE2B5FC79D5B9B7D7BDC48812C3AB0E6) Malicious activity - Interactive analysis ANY.RUN

At this point there should not be any question about attributing those PovertyStealer samples to what they are: LUMAR Stealer.

Now, on to the other variants of this stealer, based on network traffic.
Example: Analysis https://www.mediafire.com/folder/jpmnxkk407j97/Pass_2023 Malicious activity - Interactive analysis ANY.RUN

There is no "LMR" string to identify Lumar Stealer directly, but there are network similarities in the header, such as the log name (aaaaaaaa-aaaa-aaaa-aaaa-111111111111.LMR-002-010-P vs d6cbe89f-24df-410f-bdd6-184487397307), the presence of a botnet name (xxxxxxx vs @lisaa), the presence of the execution location of the malware, followed by the .zip containing the log information; there is also the use of the same common ports for this malware, such as 2227 and 2220...

I think there should not be any issues to attribute PovertyStealer rules to what it really is and how Threat Actors know this malware: LUMAR Stealer.

PS:
It seems the project was actively updated until the end of 2023, which also explains the low activity in 2024 and why it got no attention from the media or from research.
They reappeared in August 2024 with what seems to be new code and new functionality (for example SSL encryption), so the rules that were written a year ago would not be enough to detect new samples... I have 0 samples of the new version available; I will try to update once I get my hands on one. We are 1 year late to this!!

Announcement after disappearing for some months:

Thanks!


Hi, a new tag has already been added to our sandbox, but I kept the old one so that searching still works. You can also add the new family to the existing rules and add the new, more precise name alongside the previous name in the message.


Thanks for the excellent analysis @g0njxa, I'll get the names/malware families updated today. The new names will be:

ET MALWARE [ANY.RUN] LUMAR Stealer Exfiltration M1 - 2047067
ET MALWARE [ANY.RUN] LUMAR Stealer Check-In via TCP - 2047066
ET MALWARE LUMAR Stealer Exfiltration M2 - 2048736

Thanks @Jane0sint @g0njxa @ishaughnessy !
