Trend Micro’s Managed XDR team investigated a campaign distributing Lumma Stealer through GitHub, where attackers exploited the platform’s release infrastructure to deliver various malware, including SectopRAT, Vidar, and Cobeacon. The attackers used trusted URLs for initial access, leading to data exfiltration and command execution. The tactics displayed similarities to the Stargazer Goblin group. Proactive security measures, including URL validation and endpoint protection, are recommended to mitigate such threats. Affected: GitHub
Keypoints :
- Trend Micro’s Managed XDR team uncovered a campaign distributing Lumma Stealer via GitHub.
- Attackers exploited GitHub’s release infrastructure to deliver multiple malware types.
- Initial access was achieved through file downloads from secure URLs.
- Malware exfiltrated sensitive data and connected to external command-and-control servers.
- Techniques such as PowerShell scripts and Shell commands were used for persistence.
- Overlap with tactics used by the Stargazer Goblin group was noted.
- Proactive security measures are essential for defense against such threats.
MITRE Techniques :
- Initial Access (T1071.001): Attackers leveraged GitHub’s release infrastructure to deliver malware.
- Execution (T1203): Malicious files executed upon download, leading to further malware deployment.
- Persistence (T1050): PowerShell scripts and Shell commands were used to maintain access.
- Exfiltration (T1041): Sensitive data was exfiltrated to external servers controlled by attackers.
- Command and Control (T1071): Malware communicated with command-and-control servers for further instructions.
Indicator of Compromise :
- [url] hxxp://192[.]142[.]10[.]246/login.php
- [url] hxxp://84[.]200[.]24[.]26/login.php
- [url] hxxps://github[.]com/magupdate
- [url] hxxps://github[.]com/yesfound
- [url] hxxps://ikores[.]sbs
- Check the article for all found IoCs.
Full Research: https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html