Threat Research

[updated] Vibrator virus steals your personal information | Malwarebytes

Securonix

Malwarebytes reports a USB-charged vibrator was infected with the Lumma information stealer, spreading to the user’s system. The attack uses an obfuscated Outweep Dynes installer to drop Lumma, which steals cryptocurrency wallets, browser data, and 2FA details, with distribution occurring via MaaS and email campaigns. #Lumma #OutweepDynes

Keypoints

  • The incident involved a vibrator connected to a USB port that led to malware infection.
  • The information stealer is called Lumma and is offered via Malware-as-a-Service (MaaS).

MITRE Techniques

  • [T1091] Replication Through Removable Media – Infection spread via infected USB drives. Quote: ‘nothing stops the cybercriminals from spreading it through infected USB drives, as is the case here’
  • [T1566.001] Phishing: Spearphishing via Email Campaigns – Lum­ma is often distributed via email campaigns. Quote: ‘Lumma is often distributed via email campaigns’
  • [T1027] Obfuscated/Compressed Files and Information – The dropped executable is a heavily obfuscated MSIL Trojan. Quote: ‘heavily obfuscated portable executable detected by Malwarebytes as Trojan.Crypt.MSIL’
  • [T1555.003] Credentials in Web Browsers – Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Quote: ‘Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details’

Indicators of Compromise

  • [File name] context – InstallerPlus_v3e.5m.exe, Installer-Advanced-Installergenius_v4.8z.1l.exe
  • [File name] Mia_Khalifa 18+.msi – content of flash drive
  • [Folder/Path] %USERPROFILE%AppDataLocalOutweep Dynes – location of installed components
  • [Program] Outweep Dynes – program dropped by the installer
  • [SHA256] 207ee8fb2a824009fe72a857e041297bde3b82626b8883bc05ca8572b4dd148a – associated with the Outweep Dynes installer
  • [SHA256] e0f4382f4534c2c0071ce0779d21f0fed59f428cdb622b1945e0a54157c19f95 – associated with the dropped payload
  • [SHA256] be6efe16701cb69ec6e48441a6ad1c1f934e0f92878ccdfafc3f52cbc97be5c2 – associated with the dropped payload
  • [Device/Hardware] Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator – used as the infection vector

Read more: https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint