Behind the Attack: LUMMA Malware – Perception Point

Perception Point researchers uncovered a sophisticated attack delivering LUMMA, an InfoStealer malware, via a compromised legitimate site and chained redirects designed to bypass threat detection. The campaign uses a fake invoice lure, dual links to appear legitimate, and a JavaScript payload that triggers the download, with three suspicious processes (1741.exe, RegSvcs.exe, wmpnscfg.exe) to obfuscate execution. #LUMMA #InfoStealer #MalwareAsAService #taretool #robertoscaia #patrickforeilly

Keypoints

  • Impersonation of a financial services company with a fake invoice to lure victims into clicking a download link.
  • User is directed through a two-link scheme — one to an unavailable page and a second to a legitimate site — to evade static detection.
  • The attacker hosts a malicious redirect on a compromised legitimate site, enabling chained redirects to a JavaScript payload.
  • A JavaScript file is downloaded automatically after following the website link, delivering the malware payload.
  • The malware used is LUMMA, distributed via Malware-as-a-Service, and executed through three processes to complicate detection: 1741.exe, RegSvcs.exe, and wmpnscfg.exe.
  • MITRE ATT&CK-like techniques cited include Execution, Query Registry, and System Information Discovery, illustrating discovery and execution phases.

MITRE Techniques

  • [T1204] Execution – Execution of LUMMA InfoStealer via three processes (1741.exe, RegSvcs.exe, wmpnscfg.exe) to obfuscate payload. “The malware used in this attack is LUMMA, an InfoStealer malware written in C language and distributed through a Malware-as-a-Service model.”
  • [T1012] Query Registry – Registry-related discovery mentioned in the article’s MITRE mapping. “T1012 Query Registry”
  • [T1082] System Information Discovery – System information gathering referenced in the MITRE mapping. “T1082 System Information Discovery”

Indicators of Compromise

  • [File] Main object – 3827.exe – md5 0563076ebdeaa2989ec50da564afa2bb, sha1 ac14e7468619ed486bf6c3d3570bea2cee082fbc, sha256 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b
  • [File] Dropped executable file – C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll – dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
  • [Domain] DNS requests – taretool.pw
  • [IP] Connections – 104.21.21.50, 224.0.0.252
  • [URL] HTTP/HTTPS requests – http://taretool.pw/api, http://www.patrickforeilly.com/eco/, https://www.patrickforeilly.com/eco/, https://www.robertoscaia.com/eco/, https://fuelrescue.ie/eco/, https://www.7-zip.org/a/7zr.exe
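Turning the indicators above into a first-pass detection, as an added example that is not part of the Perception Point write-up: it matches the listed domains, hashes and process names against proxy and process records and rates a host higher only when network and endpoint evidence coincide. The key=value log format, host names and sample records are constructed for the example.

```python
from collections import defaultdict
from itertools import chain
from urllib.parse import urlparse

# Indicators copied from the IoC section above. The IPs are not matched: 104.21.21.50 is
# in a shared CDN range and 224.0.0.252 is LLMNR multicast, so both fire on benign traffic.
IOC_DOMAINS = {"taretool.pw", "www.patrickforeilly.com", "www.robertoscaia.com", "fuelrescue.ie"}
IOC_HASHES = {"515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b",
              "dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd"}
# RegSvcs.exe and wmpnscfg.exe are also legitimate Windows/.NET binaries: a name match is weak alone.
IOC_PROCESSES = {"1741.exe", "regsvcs.exe", "wmpnscfg.exe"}

# Constructed sample telemetry (not from the article), one key=value record per line.
PROXY_LOG = [
    "host=WS01 url=https://www.robertoscaia.com/eco/ dst_ip=203.0.113.10",
    "host=WS01 url=http://taretool.pw/api dst_ip=104.21.21.50",
    "host=WS02 url=https://example.org/ dst_ip=198.51.100.7",
]
PROCESS_LOG = [
    "host=WS01 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\1741.exe",
    "host=WS03 image=C:\\Windows\\Temp\\RegSvcs.exe",
]

def parse_kv(line):
    """Parse one 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def network_hits(lines):
    """Yield (host, reason) for proxy records whose URL host is an IoC domain."""
    for rec in map(parse_kv, lines):
        url = urlparse(rec["url"])
        if url.hostname in IOC_DOMAINS:
            yield rec["host"], f"domain:{url.hostname}{url.path}"

def process_hits(lines):
    """Yield (host, reason) for process records matching an IoC name or hash."""
    for rec in map(parse_kv, lines):
        name = rec["image"].rsplit("\\", 1)[-1].lower()
        if name in IOC_PROCESSES:
            yield rec["host"], f"process:{name}"
        if rec.get("sha256", "").lower() in IOC_HASHES:
            yield rec["host"], f"hash:{rec['sha256'][:12]}"

def triage(proxy_lines, process_lines):
    """Return {host: severity}; network plus endpoint evidence on one host is 'high'."""
    reasons = defaultdict(set)
    for host, why in chain(network_hits(proxy_lines), process_hits(process_lines)):
        reasons[host].add(why)
    return {host: "high" if any(r.startswith(("process", "hash")) for r in rs)
            and any(r.startswith("domain") for r in rs) else "medium"
            for host, rs in reasons.items()}
```

Hosts with no hit (WS02 here) never appear in the result, and a lone RegSvcs.exe sighting stays at medium until a domain hit on the same host raises it.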

Read more: https://perception-point.io/blog/behind-the-attack-lumma-malware/