Lumma Stealer: Tactics, Impact, and Defense Strategies – CYFIRMA

Lumma Stealer is a sophisticated malware-as-a-service (MaaS) tool sold on Telegram and a dedicated site, designed to steal a broad range of data while using evasion techniques to avoid detection. It propagates via counterfeit antivirus sites, injects into legitimate Windows processes, and communicates with hardcoded C2 servers over encrypted channels to exfiltrate data. #LummaStealer #LummaC2 #Shamel #Telegram

Key Points

  • Lumma Stealer operates as MaaS since at least August 2022 and is sold on Telegram and a dedicated website.
  • Written in C, it targets cryptocurrency wallets, browser data, emails, financial data, and more via advanced evasion techniques.
  • Distributed through counterfeit websites posing as legitimate software sources (e.g., a Bitdefender clone).
  • Uses event-controlled write operations and encryption to conceal data and evade detection.
  • Performs process injection by creating a suspended process and injecting malicious code into a legitimate Windows process.
  • Communicates with multiple hardcoded C2 domains over TLS, exfiltrating data back to the attacker.
  • Indicators of Compromise include file hashes, domains, IPs, and a C2 URL; attribution links to a Russian-origin actor and MaaS community.

MITRE Techniques

  • [T1592] Gather Victim Host Information – The malware issues DNS queries to resolve its hardcoded domains and begins communicating with the first one that resolves successfully. “The start DNS query/response … and begins communicating with the first domain that resolves successfully.”
  • [T1204.002] Malicious File – The subject sample is distributed as a free antivirus on a counterfeit site posing as Bitdefender. “The subject sample of this analysis is being distributed as a free version of antivirus on a counterfeit website posing as a Bitdefender product.”
  • [T1055] Process Injection – The malware creates a suspended BitLockerToGo.exe process, allocates memory, and performs injection by writing the malicious code. “creates a suspended process of BitLockerToGo.exe … allocates memory … and injects by writing the allocated memory with the malicious code.”
  • [T1622] Debugger Evasion – The malware uses debugger checks to evade analysis. “IsDebuggerPresent and OutputDebugString to detect the presence of a debugger.”
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis measures to avoid security research. “Detects debugger and analysis environment.”
  • [T1140] Deobfuscate/Decode Files or Information – Custom obfuscation conceals the stolen data in transit; the matching deobfuscation step is implied by how the data is handled. “custom obfuscation techniques … to conceal the stolen data over the network.”
  • [T1083] File and Directory Discovery – Scans for files containing keywords (seed.txt, pass.txt, etc.). “scans the compromised system for files containing keywords such as seed.txt, pass.txt, ledger.txt…”
  • [T1071.001] Web Protocols – C2 communications over TLS with hardcoded domains. “The communications are encrypted using TLS v1.2” and multiple domains used for C2.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration to C2 over an encrypted channel. “exfiltrates data to the C2 server over an encrypted channel.”

Indicators of Compromise

  • [File] setup-win-x86-x64.exe.zip – 4b5450d05fe036f720cc7384f400b0fb, 91e268e53754fcaaab91a3ad32ca4f67fbfc4903e75733a7174d28e1b85dd190, and 2 more hashes
  • [File] setup-win-x86-x64.exe – 1a3657ef519e3d20930f400dd781dbb2, 3669c3c9c47a5e5c59f508976a2732aa1feabfa7c90d1912032e3426c30edde5
  • [Domain] C2 domains – alcojoldwograpciw.shop, productivelookewr.shop, and 5 more domains
  • [IP address] C2 IPs – 172.67.157.23, 104.21.48.243
  • [URL] https[:]//alcojoldwograpciw[.]shop/api – C2 endpoint
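To make the process-injection technique (T1055) and the C2 indicators above actionable, here is an added detection example (not part of the CYFIRMA report) that runs over constructed Sysmon-style events: it flags BitLockerToGo.exe launched from a non-Windows parent, a remote thread created in BitLockerToGo.exe by another image, and DNS queries for the listed C2 domains. The event field names follow Sysmon's conventions; the sample events and the victim paths are constructed for illustration.

```python
# C2 domains from the report's IoC list; extend with the rest of the published set.
C2_DOMAINS = {"alcojoldwograpciw.shop", "productivelookewr.shop"}

# Constructed Sysmon-style events, already parsed from JSON (not real telemetry).
# EventID 1 = process create, 8 = CreateRemoteThread, 22 = DNS query.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\BitLockerToGo.exe",
     "ParentImage": r"C:\Users\victim\Downloads\setup-win-x86-x64.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\Downloads\setup-win-x86-x64.exe",
     "TargetImage": r"C:\Windows\System32\BitLockerToGo.exe"},
    {"EventID": 22, "Image": r"C:\Windows\System32\BitLockerToGo.exe",
     "QueryName": "alcojoldwograpciw.shop"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, detail) alerts for the Lumma patterns described above."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1 and _basename(e["Image"]) == "bitlockertogo.exe":
            # Heuristic: BitLockerToGo.exe is normally started from the Windows tree,
            # not by a binary sitting in a user-writable download directory.
            if not e["ParentImage"].lower().startswith("c:\\windows\\"):
                alerts.append(("bitlockertogo_unusual_parent", e["ParentImage"]))
        elif eid == 8 and _basename(e["TargetImage"]) == "bitlockertogo.exe":
            # A remote thread created in BitLockerToGo.exe by a different image
            # matches the suspended-process injection step in the report.
            if _basename(e["SourceImage"]) != "bitlockertogo.exe":
                alerts.append(("remote_thread_into_bitlockertogo", e["SourceImage"]))
        elif eid == 22 and e["QueryName"].lower().rstrip(".") in C2_DOMAINS:
            alerts.append(("known_c2_domain_query", e["QueryName"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The parent-path heuristic will also fire on legitimate installers that launch BitLockerToGo.exe from a non-Windows location, so treat that rule as a lead to correlate with the remote-thread and DNS rules rather than a standalone verdict.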

Read more: https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/