FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

A new variant of the Lumma Stealer malware is being distributed via a fake Telegram Premium website that automatically downloads a malicious executable to steal sensitive data such as browser credentials and cryptocurrency wallets. The campaign employs drive-by downloads, domain impersonation, and evasive network techniques, posing significant threats to Windows systems. #LummaStealer #TelegramPremium #DriveByDownload

Key Points

  • A malicious campaign leverages the spoofed domain telegrampremium[.]app to deliver a new Lumma Stealer variant through an automatic download of 'start.exe'.
  • The malware targets Windows operating systems, stealing browser credentials, cryptocurrency wallet details, and system information.
  • The executable uses obfuscation techniques such as packing with Cryptor to evade detection and employs extensive Windows API calls for file, registry, clipboard, and process manipulation.
  • Suspicious network activity includes DNS queries to DGA-generated domains and the use of Google’s public DNS to evade internal monitoring and maintain persistent command-and-control communication.
  • The campaign demonstrates advanced tactics like brand impersonation, drive-by downloads, and dynamic DLL loading to maintain persistence and evade analysis.
  • CYFIRMA recommends blocking the malicious domain and IP, performing endpoint scanning, credential rotation, and enhancing email, network, and endpoint security defenses.
  • Multiple IOCs including file hashes, suspicious domains, and IP addresses have been identified to facilitate incident response and mitigation.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – Used to execute malware activities remotely and manage system components.
  • [T1059] Command and Scripting Interpreter – ShellExecuteW launches secondary payloads as part of malware execution.
  • [T1129] Shared Modules – Dynamic loading and unloading of DLLs via LoadLibraryExW and FreeLibrary enables stealthy code execution.
  • [T1112] Modify Registry – Registry keys and values are created and modified for persistence and configuration.
  • [T1198] Trust Provider Hijacking – Used to evade detection by manipulating trusted components.
  • [T1547] Boot or Logon AutoStart Execution – Malware achieves persistence through startup modifications including shortcut changes.
  • [T1547.009] Shortcut Modification – Alters shortcuts to ensure malware execution upon user login.
  • [T1055] Process Injection – Utilized for privilege escalation and anti-analysis techniques.
  • [T1006] Direct Volume Access – Accesses disk volumes directly to bypass security controls.
  • [T1027] Obfuscated Files or Information – Packing and obfuscation techniques increase difficulty of detection.
  • [T1027.002] Software Packing – Entropy suggests packing with Cryptor to evade static analysis.
  • [T1036] Masquerading – Malware disguises files and uses invalid code signatures to appear legitimate.
  • [T1036.001] Invalid Code Signature – Used to evade trust verification mechanisms.
  • [T1010] Application Window Discovery – GetForegroundWindow used to monitor active windows and capture user activity.
  • [T1012] Query Registry – The malware enumerates registry keys to discover system configuration.
  • [T1057] Process Discovery – Used to identify running processes for advanced attacks.
  • [T1063] Security Software Discovery – Detects installed security products to avoid detection or removal.
  • [T1082] System Information Discovery – Gathers detailed system metadata.
  • [T1115] Clipboard Data – Access and manipulate clipboard contents to steal information.
  • [T1125] Video Capture – Potential video capture capabilities referenced.
  • [T1071] Application Layer Protocol – Uses legitimate domains like t.me and steamcommunity.com for C2 communication.
  • [T1573] Encrypted Channel – Network communication secured via encryption to hinder monitoring.
  • [T1485] Data Destruction – Batch script used to delete original malware files after execution.
  • [T1529] System Shutdown/Reboot – Malware potentially capable of triggering system restarts to disrupt operations.

Indicators of Compromise

  • [Domain] Malicious delivery domain – telegrampremium[.]app (primary infection source), teijx[.]lat and prvqhm[.]shop among DGA domains monitored.
  • [IP Address] Hosting infrastructure – 87[.]120[.]126[.]213 (hosting telegrampremium[.]app, to be blocked).
  • [SHA256 Hash] Malicious executable sample – b97dcfb5161a59bd88fd821542e9d066c77c4ad49f09c81f472b26a5339f44f2 (blocklisted).
  • [SHA1 Hashes] Various samples related to campaign – for example, 9a5f72502fd9be56226716e6435888a43ff43154 (monitored), 7a77f579c6a4bda83d659be4e39ddfd7b7e2f73c (blocked), and several others tracked.
  • [File Name] Malicious executable – start.exe (primary malware file).
  • [YARA Rule] Detection signature – LummaStealer_TelegramPremium_Variant deploying multiple domains and IPs tied to the campaign.
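As an added example that is not part of the CYFIRMA report, the following Python shows how a defender might refang the indicators listed above and run them over DNS logs, also flagging the resolver-bypass behaviour (queries sent straight to Google's public DNS instead of the internal resolver) noted in the key points. The internal resolver address, log format and sample log lines are constructed assumptions.

```python
import re

# Indicators copied from the report, in their defanged form
DEFANGED_DOMAINS = ["telegrampremium[.]app", "teijx[.]lat", "prvqhm[.]shop"]
DEFANGED_IPS = ["87[.]120[.]126[.]213"]
# Assumptions: the report names Google's public DNS; the internal resolver is hypothetical
PUBLIC_RESOLVER = "8.8.8.8"
INTERNAL_RESOLVER = "10.0.0.53"


def refang(ioc: str) -> str:
    """Turn 'example[.]com' into 'example.com' so it can be compared with log data."""
    return ioc.replace("[.]", ".")


BLOCK_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
BLOCK_IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed log format: "<client> dns <resolver> <queried name>"
LOG_RE = re.compile(r"^(?P<src>\S+) dns (?P<resolver>\S+) (?P<qname>\S+)$")


def check_dns_line(line: str) -> list:
    """Return findings for one log line: known-bad domains and resolver bypass."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    src, resolver = m.group("src"), m.group("resolver")
    qname = m.group("qname").lower().rstrip(".")
    findings = []
    # Exact match or subdomain of a listed domain
    if qname in BLOCK_DOMAINS or any(qname.endswith("." + d) for d in BLOCK_DOMAINS):
        findings.append(("known-bad-domain", src, qname))
    # Endpoints should only talk to the internal resolver; anything else is a bypass
    if resolver != INTERNAL_RESOLVER:
        findings.append(("resolver-bypass", src, resolver))
    return findings


def check_connection(src: str, dst: str):
    """Flag a direct connection to the hosting IP named in the report."""
    return ("known-bad-ip", src, dst) if dst in BLOCK_IPS else None


# Constructed sample DNS log lines (not taken from the report)
SAMPLE_DNS_LOG = [
    "10.1.2.3 dns 10.0.0.53 intranet.example.local",
    "10.1.2.3 dns 8.8.8.8 telegrampremium.app",
    "10.1.2.3 dns 8.8.8.8 www.teijx.lat",
    "10.1.2.4 dns 10.0.0.53 www.example.com",
]


def scan(lines: list) -> list:
    """Run every line through check_dns_line and collect the findings."""
    return [f for line in lines for f in check_dns_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_DNS_LOG):
        print(finding)
```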


Read more: https://www.cyfirma.com/research/fake-telegram-premium-site-distributes-new-lumma-stealer-variant/