Lumma | Malware Trends Tracker

Lumma Stealer is a widely available malware-as-a-service that has evolved since 2022 and is sold on Dark Web forums and Telegram. It targets Windows hosts (Windows 7 through 11), exfiltrates data, can drop additional payloads, and can be operated through a Telegram bot for C2. It is distributed via fake software, phishing emails, and Discord messages. #LummaStealer #LummaC2Stealer

Keypoints

  • Lumma Stealer is sold openly across Dark Web forums and Telegram channels as a malware-as-a-service.
  • Targets Windows devices from Windows 7 to Windows 11 and supports ARM, x86, and x64 architectures.
  • There are three subscription plans, each including access to a command-and-control (C2) panel.
  • Capabilities include data exfiltration (credentials, financial data, personal details), data log collection (browsers, cryptocurrency wallets), and a loader to drop additional malware.
  • All data the stealer transmits is decrypted only on the server side, which hinders analysis of its traffic during exfiltration.
  • Neighbor detection notifies operators when other instances of the malware are running on the same system.
  • The stealer can be configured to be operated via a Telegram bot.
  • Distribution methods include fake software, phishing emails, and Discord messages.

MITRE Techniques

  • [T1041] Exfiltration Over C2 Channel – “gathers sensitive information from targeted applications, including login credentials, financial data, and personal details.”
  • [T1005] Data from Local System – “collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.”
  • [T1105] Ingress Tool Transfer – “The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.”
  • [T1027] Obfuscated/Compressed Files and Information – “all data transmitted by the stealer is decrypted on the server side, which makes it more difficult to analyze the malware’s traffic during the exfiltration process.”
  • [T1057] Process Discovery – “neighbor detection, which notifies operators about other instances of the malware running on the same system.”
  • [T1071.001] Web Protocols – “The stealer can also be configured to be used via a Telegram bot.”
  • [T1036] Masquerading – “Fake Software: One of the most prevalent methods used to distribute Lumma Stealer is through fake software. When unsuspecting users download and install these fake applications, they introduce the malware onto their systems.”
  • [T1566] Phishing – “Phishing Emails: Phishing emails remain a widely used attack vector for malware distribution, including Lumma Stealer. Cybercriminals craft emails that appear to be from legitimate sources.”

Indicators of Compromise

  • None explicitly listed – the article provides no IP addresses, domains, file hashes, or file names.

Read more: https://any.run/malware-trends/lumma