A few days ago, during a “routine exercise” to identify malware, the cybersecurity company Cyble Research Labs discovered a very particular piece of malware, focused on data theft, which has been nicknamed ‘Luca Stealer’.

It is software developed in Rust, the fashionable low-level programming language, which is also becoming one of the favorites of malware creators thanks to its versatility, its cross-platform nature and its ability to evade existing reverse engineering techniques.

Brendan Hohenadel, Reverse Engineering Expert at LARES Consulting, explains that “other popular languages, such as C++, C#, and .Net are easy to decompile and reverse engineer,” but in Rust the executable is compiled in a way that makes it, for all practical purposes, “a black hole”.

“Getting information from the executable without running it in a sandbox or environment with monitoring software becomes a much more challenging task.”

In fact, several famous ransomware groups, such as Hive, Luna or BlackCat, have jumped on the Rust bandwagon in recent months for those same reasons. BluBracket’s Casey Bisson tells The Register that Rust is increasingly becoming a common development platform for new threats:

“The newness of the platform could mean that many software scanners are not prepared to recognize Rust-generated binary signatures as threats.”

What does Luca Stealer do when it infects your PC?

But what does Luca Stealer do once it infects your PC? Well, it tries to detect whether any Chromium-based browser is present on the machine (it is capable of detecting more than 30 of them), and then proceeds to steal login credentials, cookies, and credit card data.

For now, this malware only targets Windows systems, but it would not take much to adapt its code to other operating systems.

It is also capable of stealing files and credentials from other applications (especially messaging apps, as well as game stores like Steam), but also from various cryptocurrency wallets… and even password managers like 1Password, LastPass and a dozen others.

Screenshot of Luca Stealer’s code, annotated by Cyble.

But Luca Stealer is spreading fast: there was no trace of it before July 3rd, when it was leaked on a popular online cybercrime forum, and by the time Cyble Research Labs made its existence public 22 days later, there were already 25 samples of malware based on the original code circulating on the Internet and infecting computers.

All this thanks to its landing on GitHub, the well-known code hosting platform, which makes it easy to create ‘forks’. According to the Cyble researchers,

“The developer of Luca Stealer seems to be new to the cybercrime forum, and was probably the one who leaked the source code himself to build a reputation […] Said developer has also provided the steps to modify the Stealer, as well as to compile the source code for ease of use.”

This diversity of variants has made it even more difficult for anti-malware solutions to detect Luca Stealer, to the point where its detection rate on VirusTotal is just over 20%, which means that nearly 8 out of 10 infections are going undetected.