Two-in-One Malware “Luxy” Steals Your Data & Encrypts Files

Luxy is a hybrid threat that functions as both a stealer and a ransomware. Written in .NET, the malware consists of three primary modules: BlockAvSites, Stealer, and Ransomware.

The Stealer module, similar to Umbral Stealer, harvests sensitive user data such as passwords and browser details and exfiltrates it through Telegram.

The Ransomware module encrypts files and leaves a ransom note demanding payment for a decryption key, while the BlockAvSites module is designed to hinder antivirus detection and interference.

Checking network and VM

Execution begins by verifying network connectivity through an attempt to reach a specific URL. Once connectivity is confirmed, the malware checks whether it is running inside a virtual machine using several detection methods, such as examining the system UUID, computer name, username, running processes, and the presence of a debugger.

If any of these factors indicate a virtual machine environment, the process terminates. The system UUID is also compared against a blacklist, and the process terminates if a match is found.

It scans the running processes for known monitoring tools using the GETPROCESSES Windows API and terminates itself if any are detected.

[Figure: list of blacklisted computer names, users, UUIDs, and tasks]

The malware employs several evasion techniques to avoid detection and analysis: it maintains blacklists of UUIDs, computer names, users, and tasks, including those associated with popular sandboxes, and terminates itself if it detects any of them.

Additionally, the malware modifies the hosts file to block access to websites related to antivirus software, hindering detection and removal attempts.
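As an added defender-side example (not code from the article or from the malware itself), the following Python script audits a hosts file for entries that point security-vendor domains at a sinkhole address, which is the artifact the hosts-file tampering described above leaves behind; the watched domain list and the sample hosts lines are constructed placeholders.

```python
"""Audit a hosts file for entries that sinkhole security-vendor domains.

Added example, not part of the article. The domain watchlist and the sample
hosts content below are constructed placeholders for illustration.
"""

# Constructed watchlist of domain suffixes a defender cares about (assumption;
# replace the placeholders with the vendor domains relevant to your estate).
SECURITY_DOMAIN_SUFFIXES = ("example-av.com", "example-security.net")

# Addresses that make a name unreachable when written into the hosts file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file content: two injected entries, one benign one.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   www.example-av.com
127.0.0.1 update.example-av.com  # injected
10.0.0.5  intranet.corp.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def _is_watched(name, suffixes):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_sinkholed(text, suffixes=SECURITY_DOMAIN_SUFFIXES):
    """Return sorted watched hostnames that the hosts file maps to a sinkhole IP."""
    hits = set()
    for ip, name in parse_hosts(text):
        if ip in SINKHOLE_IPS and name != "localhost" and _is_watched(name, suffixes):
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    # On a real host, read C:\Windows\System32\drivers\etc\hosts instead.
    for host in find_sinkholed(SAMPLE_HOSTS):
        print("hosts file blocks:", host)
```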

It targets popular browsers to steal password and cookie information, using scripts to extract and decrypt the encryption keys that protect stored cookies, compromising user privacy and security.

[Figure: script for collecting browser cookies]

The scripts are designed to steal sensitive information from the user's system. Specifically, they target passwords from Chrome, cryptocurrency wallet information from various platforms, and Minecraft session files.

The malware sequentially searches for these files in predefined locations, copies them to a specified directory, and records their paths in a text file. The scripts use error handling so that a failure on one file does not abort the whole run, and they track the number of files successfully collected.

Roblox cookies

The RobloxCookieStealer component uses the Get-ItemPropertyValue PowerShell cmdlet to extract Roblox cookies from the registry, and it runs a set of browser cookie extraction tasks to collect the same cookies from various browsers.

Subsequently, the ransomware module encrypts files using the AES256 algorithm and renames each file with an encrypted-file extension.

The malware operates on the directory in which it resides: it lists all files there, checks their extensions, retrieves every matching file, encrypts each one, and then changes its extension.

[Figure: ransom note]

The ransomware employs AES encryption with a 128-bit key and IV to encrypt files. The plaintext is padded with zeros (PaddingMode.Zeros), and a CryptoStream then performs the actual encryption.

According to K7 Security Labs, after encrypting all of the files, the ransomware leaves behind a note that demands payment in order to decrypt the files. 

Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
