# Inside Lightning Stealer

**blog.cyble.com/2022/04/05/inside-lightning-stealer/**

## A New Info Stealer Targeting over 30 Browsers


April 5, 2022


[Cyble Research Labs recently encountered Lightning Stealer – a new Info Stealer variant. An info](https://twitter.com/3xp0rtblog/status/1509484419354144774?s=20&t=ZPTBthpnHp411ukKLpJ91Q)
stealer is a type of malware designed specifically to steal data from the victim’s system. This type of
malware has emerged as a serious threat as Threat Actors use them to get initial access to corporate
networks.

Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets,
Telegram data, Discord tokens, and Steam user’s data. Unlike other info stealers, Lightning Stealer
stores all the stolen data in the JSON format for exfiltration.


-----

Figure 1: Lightning Stealer C&C Panel
Lightning Stealer is a . NET-based Info Stealer. Figure 2 shows the file details.

Figure 2: File information

## Technical Analysis

The methods in Main()function of the malware binary (SHA 256:
_a2a3b6db773b95fa27501f081b03daf2a29bfb800b4efa397cc4fc59ff755368) – which is ultimately_
responsible for stealing data have been presented in a sequential manner as per to their execution.
Refer to Figure 3.


-----

Figure 3: Main

function
The malware first calls Input.GetLogGecko method. This method will return stolen passwords, cookies,
and history from Firefox-based browsers upon execution.

It initially identifies the Firefox-based browsers present in a system bypassing the respective browser’s
path in the “AppData” folder to the Directory.Exists() method. If this returns as “True,” those paths will be
added to a new list for stealing data. The figure below shows the Firefox-based browsers targeted by
the malware.

Figure 4: Firefox-based browsers targeted by

malware
Firefox-based browsers store user data in a Profiles folder under the “AppData\Browser_name”
directory. Lightning Stealer checks this directory along with the file names mentioned below:

key4.db: Stores the encryption keys and master password for logins.json.
logins.json: These files store the usernames and passwords.
places.sqlite: This file stores the user search history, downloads, and bookmarks data.

It steals the browser’s data only if the above files are present.

It first steals the data from the login.json file and looks for mozglue.dll and nss3.dll, which will be used to
decrypt the “login.json” file. Figure 5 shows the credential-stealing functionality for Firefox-based
browsers.


-----

Figure 5: Stealing login credentials from Firefox based browsers
Then malware steals the cookies data from moz_cookies table in “cookies.sqlite ” file and stores the
data in the following format (refer Figure 6) :

Domain =
Name =
Value =
Path =
Expires =
IsSecure =

Figure 6: Cookie stealing functionality on Firefox-based browsers
Similarly, the malware steals the browser’s history from the moz_places table in the “places.sqlite” file
and extracts the data in the following format:

Url =
Title =
Visits =
Time =

The figure below shows the browser’s history stealing functionality.


-----

Figure 7: Steals history on Firefox-based browsers
After stealing data from Firefox-based browsers, the malware targets Chromium-based browsers. Figure
8 shows the Chromium-based browsers targeted by the Lightning stealer.

Figure 8: Chromium-based

browsers targeted by Lightning Stealer
The sensitive user data, such as login credentials and cookies, stored in Chrome-based browsers are
present in an encrypted form. The malware enumerates and gets the name of all files present in the
“Browser-name\User Data\” folder and checks for the “Local State” file, which stores the encrypted keys
used by Chrome to decrypt the login data.

[If this file is present, the malware uses the DPAPI()functionto decrypt the encryption keys in the “Local](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection)
State” file by calling Dpapi.CryptUnprotectData() function as can be seen in figure below.


-----

Figure 9: Use of DPAPI

Chromium browsers store the login data in the “Login Data” file, a .SQLite file. The malware steals the
data from the logins table present in this file and extracts the data in the following format:

Domain =
Login =
Password =

Figure 10: Stealing Login credentials from Chromium-based browsers
Then malware steals cookies from cookies table present “Cookies” file and stores the data in following
format:

Domain =
Name =
Path =
Expires =
IsSecure = isSecure,
Value = value


-----

Figure 11: Stealing cookies from Chromium-based browsers
In a similar manner, the malware steals the data from the following “.sqlite” files:

credit cards data from the logins table in the “Login Data” file.

Filter Data in the format:

Number =

Year =

Month =

Name =

Search history from the URLs table in the “History” file.

Filter Data in format:

Url =

Title =

Visits =

Time =

Autofill data from autofill table in “Web data” file.

Filter Data in format:

Name =

Value =


-----

Figure 12: Stealing Credit Cards, History, and Autofill data from Chromium-based browsers
This stealer has the capability to steal data from crypto wallets present in the victim’s system. The
wallets targeted by the stealer can be seen in the figure below. The malware targets the wallet files
specific to the crypto applications mentioned in Figure 13. The malware then converts the wallet file’s
content into Base64 and saves them into a list.

Figure 13: Targeted Crypto wallets

The malware then proceeds to steal the victim’s system info. Figure 14 shows the system info gathered
by malware.


-----

Figure 14: Stealing System Info

This malware also steals the .txt and .doc files present in the “Desktop” of the victim’s system. The
malware reads the content of the file and encodes it using Base64. Then it saves the encoded data and
file names on a list.

Figure 15: Stealing files from victim’s desktop
After this, the malware checks for the “Telegram Desktop\tdata” file in the ApplicationData folder. Instead
of copying the file to a different directory for exfiltration, it loads its content in memory, encodes it, and
saves it to a list.

Figure

16: Stealing Telegram data
The Lightning stealer steals the Discord token from the following directory:

“discord\\Local Storage\\leveldb”

It retrieves a list of all files present in this directory and then starts stealing data from them.


-----

Figure 17: Stealing Discord token
The malware steals data from Steam, a video game digital distribution service. The stealer identifies the
Steam installation path by checking the registry key value at
“HKEY_LOCAL_MACHINE\Software\Valve\Steam.”

The malware steals data from all the files present under the “config” folder.

Figure 18: Stealing user data from Steam
After this, the malware takes a screenshot of the victim’s screen and saves it in the “AppData\Roaming\”
folder named “1.png”. Then, it converts the screenshot into Base64 encoded strings and saves it to a
list.


-----

Figure 19: Taking a screenshot of the victim’s system
The malware stores all the stolen data in the lists shown in the figure below.

Figure 20: Storing stolen data in lists

Then it creates a file named “444.txt” in the “AppData\Roaming\” folder. Before writing content to this
file, it converts the stolen data into JSON strings using JsonSerializer.Serialize() method.


-----

Figure 21: Storing

data as JSON strings
After this, the malware exfiltrates the data to the following domain:

_hxxp[:]//panelss[.]xyz/Stealer/TSave_

The body of the request is sent in JSON format, as can be seen in the figure below.

Figure 22: Data exfiltration

## Conclusion

Info Stealers are adopting new techniques to become more evasive. As the information stolen by such
malware is sensitive, organizations should follow good security practices. In the past, Cyble Research
Labs has observed data breaches of large organizations because of such threats. We have also
witnessed ransomware groups leveraging Info Stealers to gain initial network access and, eventually,
exfiltrating sensitive data. Lightning Stealer is an emerging Info Stealer, and we may see variants of it
emerge in the future.


-----

## Recommendations

Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites
such as YouTube, torrent sites, etc., mainly contains such malware.
Use strong passwords and enforce multi-factor authentication wherever possible.
Turn on the automatic software update feature on your computer, mobile, and other connected
devices.

Use a reputed anti-virus and internet security software package on your connected devices,
including PC, laptop, and mobile.
Refrain from opening untrusted links and email attachments without first verifying their
authenticity.
Educate employees in terms of protecting themselves from threats like phishing’s/untrusted
URLs.
Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
Monitor the beacon on the network level to block data exfiltration by malware or TAs.
Enable Data Loss Prevention (DLP) Solution on the employees’ systems.

## MITRE ATT&CK® Techniques 

**Tactic** **Technique ID** **Technique Name**

**Execution** [T1204](https://attack.mitre.org/techniques/T1204/) User Execution


**Credential Access** [T1555](https://attack.mitre.org/techniques/T1555/)

[T1539](https://attack.mitre.org/techniques/T1539/)

[T1552](https://attack.mitre.org/techniques/T1552/)

[T1528](https://attack.mitre.org/techniques/T1528/)


Credentials from Password Stores

Steal Web Session Cookie

Unsecured Credentials

Steal Application Access Token


**Collection** [T1113](https://attack.mitre.org/techniques/T1113/) Screen Capture


**Discovery** [T1518](https://attack.mitre.org/techniques/T1518/)

[T1124](https://attack.mitre.org/techniques/T1124/)

[T1007](https://attack.mitre.org/techniques/T1007/)


Software Discovery

System Time Discovery

System Service Discovery


**Command and Control** [T1071](https://attack.mitre.org/techniques/T1071/) Application Layer Protocol

**Exfiltration** [T1041](https://attack.mitre.org/techniques/T1041/) Exfiltration Over C2 Channel

## Indicators of Compromise (IoCs): 

**Indicators** **Indicator**
**type**


**Description**


hxxps[:]//panelss[.]xyz **URL** **C2 URL**


-----

1b922b6d15085da82e20fee0789a6617

231a8e1a06d1673c8922d149af9d8f156dcbe228

a2a3b6db773b95fa27501f081b03daf2a29bfb800b4efa397cc4fc59ff755368

473781fe7d820ef805d1aa79ace86816

b7a42714b4e5dd7cfb6a2c8d7eb30d8bcce9a7ba

6e016bcbead2dddb80dd4a592b1f3c042c52dc8a26ee37e0943f1a8c433e4c5f


**Md5**

**SHA-1**

**SHA-**
**256**

**Md5**

**SHA-1**

**SHA-**
**256**


**Stealer**
**Payload**

**Stealer**
**Payload**


-----