Lumma Stealer Malware Updated to Use ChaCha20 Cipher for Config

The eSentire Threat Response Unit (TRU) has identified significant updates to the Lumma Stealer malware, which now uses the ChaCha20 cipher to decrypt its configuration. This sophisticated information stealer employs the ClickFix technique for initial access and has evolved to evade existing detection tools. It is crucial for organizations to implement the recommended security measures to mitigate the risk. Affected: cybersecurity sector, organizations with compromised systems.

Key points:

  • eSentire operates 24/7 SOCs staffed by elite threat hunters and cyber analysts.
  • Discovery of Lumma Stealer updates that use the ChaCha20 cipher for configuration decryption.
  • Lumma Stealer is distributed as a Malware-as-a-Service in underground Russian-speaking forums.
  • The ClickFix method, which relies on social engineering, is commonly used to deliver Lumma Stealer.
  • The TRU team isolated affected hosts and assisted customers in remediation efforts.
  • Recommendations include disabling specific Windows scripts and enhancing email filtering.

MITRE Techniques:

  • Initial Access (T1071.001) – The ClickFix method was used to compromise victims’ systems.
  • Credential Dumping (T1003.001) – Information-stealer functionality captures sensitive data.
  • Command and Control (T1071) – ChaCha20 is used for configuration decryption, which affects C2 communication.
  • Execution (T1203) – Malicious PowerShell commands are executed after users are socially engineered into running them.
  • Defense Evasion (T1027) – Lumma Stealer’s techniques were updated to avoid current detection tools.

Indicators of Compromise:

  • SHA-256 7e286bb4491124116ba61ab0029b41862d502e4feee5420e0aa5ee4a29e722fa

Full Story: https://www.esentire.com/blog/lumma-stealer-malware-updated-to-use-chacha20-cipher-for-config-decryption