ESET takes part in global operation to disrupt Lumma Stealer

ESET collaborated with major cybersecurity firms in a global operation to disrupt the Lumma Stealer malware-as-a-service (MaaS) infostealer, effectively disabling much of its command-and-control infrastructure. The operation was supported by deep technical analysis of Lumma Stealer’s static and dynamic properties, revealing its extensive evolution and sophisticated obfuscation techniques. #LummaStealer #ESET #MalwareDisruption

Key points

  • ESET joined a global coordinated effort with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry to disrupt Lumma Stealer’s infrastructure and cut off its data exfiltration network.
  • Analysis of tens of thousands of malware samples enabled extraction of key static identifiers such as C&C server domains and affiliate IDs, critical for tracking and disruption.
  • Lumma Stealer operated under a tiered malware-as-a-service (MaaS) subscription model with various feature sets, including a Telegram marketplace for selling stolen data without intermediaries.
  • The malware’s infrastructure actively evolved, employing over 3,300 unique command-and-control domains in less than a year; the embedded C&C list was protected by an encryption scheme that itself changed over time, from XOR to base64 to ChaCha20.
  • Backup dead-drop resolvers using dummy Steam profiles and Telegram channels provided resilient fallback communication methods for C&C URLs.
  • Lumma Stealer collected extensive victim data including browser credentials, cookies, password manager data, VPN clients, and cryptocurrency wallets, guided by dynamic configurations.
  • Strong anti-analysis obfuscation techniques such as indirect control flow flattening, encrypted stack strings, and runtime API hashing hindered malware reverse engineering.

MITRE Techniques

  • [T1587.001] Develop Capabilities: Malware – Lumma Stealer operators actively developed and enhanced the malware to maintain service quality (“Lumma Stealer operators actively developed their malware as a product for their service.”)
  • [T1583.001] Acquire Infrastructure: Domains – Operators registered numerous C&C domains to support exfiltration infrastructure (“Lumma Stealer operators registered domains for their exfiltration infrastructure.”)
  • [T1583.006] Acquire Infrastructure: Web Services – Utilization of Cloudflare and public services for hiding real C&C servers (“Lumma Stealer used Cloudflare services to hide their infrastructure… hidden in dummy Steam profiles or Telegram channels.”)
  • [T1059.003] Command-Line Interface: Windows Command Shell – Execution of cmd.exe for cleanup tasks (“Lumma Stealer executes cmd.exe to delete temporary files.”)
  • [T1106] Native API – Usage of Windows API calls such as VirtualAlloc and LoadLibraryA within malware operations.
  • [T1204.001] User Execution: Malicious Link – Offering LNK packing features to facilitate execution by victims (“Lumma Stealer operators offer a simple LNK packing feature for their malware builds.”)
  • [T1047] Windows Management Instrumentation – Using WMI queries to gather system information about the victim machine.
  • [T1622] Debugger Evasion – Checking for presence of debugging tools to evade analysis.
  • [T1140] Deobfuscate/Decode Files or Information – ChaCha20 encryption used to protect C&C lists and dynamic configurations (“Lumma Stealer uses ChaCha20 for C&C list and dynamic config encryption.”)
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Resolving imports at runtime using FNV-1a hashing with custom parameters.
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Encrypting important strings via stack strings or ChaCha20 to hinder static analysis.
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Harvesting web browser stored credentials from multiple browsers.
  • [T1539] Steal Web Session Cookie – Stealing session cookies for hijacking web sessions.
  • [T1217] Browser Bookmark Discovery – Collecting information on victim’s installed browsers.
  • [T1012] Query Registry – Querying Windows registry to collect installed software data.
  • [T1057] Process Discovery – Sending process lists to C&C servers.
  • [T1518] Software Discovery – Reporting installed software to the malware operators.
  • [T1082] System Information Discovery – Exfiltrating system info including hostname and OS versions.
  • [T1124] System Time Discovery – Retrieving system time and time zone information.
  • [T1560] Archive Collected Data – Compressing collected data before exfiltration.
  • [T1119] Automated Collection – Fully automated data collection guided by downloaded configurations.
  • [T1113] Screen Capture – Taking screenshots based on dynamic config parameters.
  • [T1005] Data from Local System – Collecting local files and application data.
  • [T1071.001] Application Layer Protocol: Web Protocols – Communication with C&C servers over HTTPS.
  • [T1132.001] Data Encoding: Standard Encoding – Use of base64 encoding for C&C configuration retrieval.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – Use of ChaCha20 encryption alongside HTTPS.
  • [T1008] Fallback Channels – Backup communication channels via dead-drop resolvers.
  • [T1102.001] Web Service: Dead Drop Resolver – Use of public web services (Steam profiles, Telegram channels) to retrieve C&C info.
  • [T1020] Automated Exfiltration – Automated credential and data exfiltration over C&C.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration conducted via the C&C communication channel.
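The runtime API hashing listed under T1027.007 is the part of the technique list an analyst most often has to undo by hand: a hashed import table only becomes readable once the hashes are mapped back to export names. The following is an added example, not ESET's or Lumma Stealer's code, showing the usual analyst approach of pre-computing hashes over the export names of common DLLs and using the resulting table as a lookup. The report states that Lumma Stealer uses FNV-1a with custom parameters but this summary does not give them, so the standard 32-bit FNV-1a constants below are an assumption and must be replaced with the offset basis and prime recovered from the sample; the export list is a small constructed subset so the example runs offline.

```python
"""Map FNV-1a import hashes back to Windows API names (added analyst helper).

Not ESET's or the malware's code. The FNV-1a constants are the standard 32-bit
values and are an ASSUMPTION; substitute the custom parameters recovered from
the sample being analysed.
"""
from __future__ import annotations

FNV_OFFSET_BASIS = 0x811C9DC5  # assumed: standard 32-bit FNV-1a offset basis
FNV_PRIME = 0x01000193         # assumed: standard 32-bit FNV-1a prime
MASK32 = 0xFFFFFFFF


def fnv1a_32(data: bytes, offset: int = FNV_OFFSET_BASIS, prime: int = FNV_PRIME) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = offset
    for b in data:
        h ^= b
        h = (h * prime) & MASK32
    return h


# Constructed subset of export names; in practice these come from the export
# tables of the DLLs the sample is expected to import from (e.g. via pefile).
SAMPLE_EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "LoadLibraryA", "GetProcAddress", "CreateFileW"],
    "ws2_32.dll": ["WSAStartup", "connect", "send"],
}


def build_hash_table(exports: dict[str, list[str]],
                     offset: int = FNV_OFFSET_BASIS,
                     prime: int = FNV_PRIME) -> dict[int, tuple[str, str]]:
    """Pre-compute hash -> (dll, export name) for every known export."""
    table: dict[int, tuple[str, str]] = {}
    for dll, names in exports.items():
        for name in names:
            table[fnv1a_32(name.encode("ascii"), offset, prime)] = (dll, name)
    return table


def resolve_hashes(hashes: list[int], table: dict[int, tuple[str, str]]) -> dict[int, tuple[str, str] | None]:
    """Look up each hash pulled from the sample; unknown hashes resolve to None
    so that gaps in the export list are visible rather than silently dropped."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed hash list: what an analyst would extract from the sample's
    # resolver routine, here produced from the table itself for the demo.
    wanted = [fnv1a_32(b"VirtualAlloc"), fnv1a_32(b"LoadLibraryA"), 0xDEADBEEF]
    for h, hit in resolve_hashes(wanted, table).items():
        print(f"{h:08x} -> {hit}")
```

The table is built once per parameter set, so when the sample's constants differ from the standard ones the only change is to pass the recovered offset basis and prime into `build_hash_table`; an unresolved hash then usually means the export list needs another DLL rather than that the parameters are wrong.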

Indicators of Compromise

  • [SHA-1 Hashes] Example Lumma Stealer sample hashes – 6F94CFAABB19491F2B8E719D74AD032D4BEB3F29 (AcroRd32.exe, build 2024-06-27), C5D3278284666863D7587F1B31B06F407C592AC4 (Notion.exe, build 2024-07-14), and 12 more hashes.
  • [Domain Names] Lumma Stealer C&C domains hosted on Cloudflare – cooperatvassquaidmew[.]xyz, crisisrottenyjs[.]xyz, exuberanttjdkwo[.]xyz, and dozens more used for command and control.
  • [IP Addresses] Example Lumma Stealer C&C IPs – 172.67.134[.]100, 172.67.175[.]165 (both Cloudflare hosted), and multiple other IP addresses identified from 2024-06 through 2025-04.
  • [Dead-drop Resolvers] Steam profile and Telegram-based dead-drop URLs – steamcommunity[.]com (Akamai-hosted) and Telegram channels used to fetch backup C&C URLs, which are stored obfuscated with a ROT11 shift cipher.
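The indicators above are published defanged (`[.]` in place of `.`), so before they can be matched against DNS, proxy or firewall telemetry they have to be normalised and split into domain and IP sets; matching then has to catch subdomains of a listed C&C domain and avoid partial matches on IP addresses. The following is an added example of that hunting step, not ESET's tooling. The indicator values are the ones quoted in this summary; the log lines are constructed for the demonstration and the field layout is an assumption.

```python
"""Normalise defanged indicators and hunt for them in log lines (added example).

Not ESET's code. The indicator values are those quoted in the summary above;
the log lines and their field layout are constructed for this demonstration.
"""
from __future__ import annotations

import ipaddress
import re

# Indicators as quoted in the summary (defanged).
DEFANGED_IOCS = [
    "cooperatvassquaidmew[.]xyz",
    "crisisrottenyjs[.]xyz",
    "exuberanttjdkwo[.]xyz",
    "172.67.134[.]100",
    "172.67.175[.]165",
]


def refang(value: str) -> str:
    """Undo common defanging conventions and lower-case the indicator."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp", "http").strip().lower())


def load_iocs(values: list[str]) -> tuple[set[str], set[str]]:
    """Split refanged indicators into a domain set and an IP set."""
    domains: set[str] = set()
    ips: set[str] = set()
    for raw in values:
        v = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(v)))
        except ValueError:
            domains.add(v)
    return domains, ips


# Dotted host-like tokens (domains and IPv4 addresses), bounded so that a
# listed IP is not matched as a prefix of a longer octet string.
HOST_RE = re.compile(r"(?<![\w-])[a-z0-9-]+(?:\.[a-z0-9-]+)+(?![\w-])")


def match_line(line: str, domains: set[str], ips: set[str]) -> list[str]:
    """Return every token in the line that is a listed IP, a listed domain,
    or a subdomain of a listed domain."""
    hits = []
    for token in HOST_RE.findall(line.lower()):
        if token in ips or token in domains or any(token.endswith("." + d) for d in domains):
            hits.append(token)
    return hits


def hunt(lines: list[str], domains: set[str], ips: set[str]) -> list[tuple[int, list[str]]]:
    """Scan lines and report (line index, hits) for lines with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, domains, ips)
        if hits:
            results.append((i, hits))
    return results


# Constructed telemetry: DNS, proxy and firewall records in a made-up layout.
SAMPLE_LOGS = [
    "2025-05-21T10:00:01Z dns client=10.0.0.5 qname=cooperatvassquaidmew.xyz qtype=A",
    "2025-05-21T10:00:02Z dns client=10.0.0.5 qname=update.microsoft.com qtype=A",
    "2025-05-21T10:00:03Z proxy client=10.0.0.7 url=https://exuberanttjdkwo.xyz/api/ HTTP/1.1",
    "2025-05-21T10:00:04Z fw src=10.0.0.7 dst=172.67.175.165 dport=443 action=allow",
    "2025-05-21T10:00:05Z fw src=10.0.0.9 dst=172.67.175.16 dport=443 action=allow",
    "2025-05-21T10:00:06Z dns client=10.0.0.11 qname=cdn.crisisrottenyjs.xyz qtype=A",
]


if __name__ == "__main__":
    doms, addrs = load_iocs(DEFANGED_IOCS)
    for idx, hits in hunt(SAMPLE_LOGS, doms, addrs):
        print(f"line {idx}: {hits}")
```

Because the listed IPs are Cloudflare-hosted (see the IP indicators above), an IP hit on its own is weak evidence; the domain and subdomain matches are the ones worth alerting on, and the IP matches are best treated as corroboration for a host already flagged by a DNS or proxy hit.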


Read more: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer/