Poulight Trojan

Summary

First observed in March 2020, Poulight is a .NET information-stealing trojan sold via Russian-speaking hacking forums and dark web sites.


Affected platforms

The following platforms are known to be affected:

Threat details

Poulight is typically delivered via malicious macro documents distributed in spam campaigns. When opened, the macros are executed to run an embedded script, which in turn drops and installs Poulight.

Once installed, Poulight attempts to extract user information, browser and messaging histories, financial credentials, and cryptocurrency wallet keys. This information is then compressed and sent to a command and control server.


Remediation steps

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

URLs

  • fff.gearhostpreview[.]com/ARMBot
  • poullight[.]ru
  • u43692210a.ha003.t.justns[.]ru

SHA256 File Hashes

  • 463cbe989ae3952d60a047ce6114666d1ca8c09ab120213e36d7ec357fe2fcad
  • 8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95
  • d04f107b9575d19fb00fe344ce06c580a76a535d8c8d9279f8f1af40617fcc4b
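
An added example of how a defender might sweep for the indicators listed above; this is not NHS Digital's or any vendor's tooling. It refangs the published URLs, matches proxy-log lines against their hosts, and hashes files under a directory against the published SHA256 values. The sample log lines are constructed for this example.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the alert above, in their published (defanged) form.
POULIGHT_URLS = [
    "fff.gearhostpreview[.]com/ARMBot",
    "poullight[.]ru",
    "u43692210a.ha003.t.justns[.]ru",
]
POULIGHT_SHA256 = {
    "463cbe989ae3952d60a047ce6114666d1ca8c09ab120213e36d7ec357fe2fcad",
    "8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95",
    "d04f107b9575d19fb00fe344ce06c580a76a535d8c8d9279f8f1af40617fcc4b",
}

def refang(indicator: str) -> str:
    """Turn the published '[.]' notation back into a real hostname/path."""
    return indicator.replace("[.]", ".")

def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_matching_files(root: Path) -> list[Path]:
    """Return every file under root whose SHA256 is one of the published hashes."""
    return [p for p in root.rglob("*") if p.is_file() and sha256_of_file(p) in POULIGHT_SHA256]

def scan_proxy_log(lines, indicators=POULIGHT_URLS) -> list[str]:
    """Return the log lines whose request host is one of the published hosts."""
    # Match on the host only, so a different path on the same host still hits.
    hosts = {refang(i).split("/", 1)[0].lower() for i in indicators}
    hits = []
    for line in lines:
        # Pull every host-like token out of the line and compare case-insensitively.
        if any(h in hosts for h in re.findall(r"([a-z0-9.-]+\.[a-z]{2,})", line.lower())):
            hits.append(line)
    return hits

# Constructed sample proxy lines (not from the alert); two contact published hosts.
SAMPLE_LOG = [
    "2021-06-29T11:58:02Z 10.0.4.17 GET http://poullight.ru/gate.php 200",
    "2021-06-29T11:58:09Z 10.0.4.17 GET https://www.example.org/index.html 200",
    "2021-06-29T11:59:41Z 10.0.4.22 POST http://u43692210a.ha003.t.justns.ru/upload 200",
]
```

Run `scan_proxy_log` over real proxy or DNS logs and `find_matching_files` over download and temp directories; a hash miss does not clear a host, since repacked samples change the hash but not the behaviour described above.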

Last edited: 29 June 2021 12:01 pm