The article discusses the Lumma Stealer infostealer malware, highlighting its distribution mechanisms, the sharing of its logs on hacking forums, and its connections to phishing campaigns, particularly through platforms like YouTube. It emphasizes the need for industry-wide cybersecurity measures to combat the increasing spread of this malware, which significantly impacts users, organizations, and various online platforms.
Affected: YouTube, Cloudflare, MediaFire, BreachForums, infected users
Key points:
- Lumma Stealer logs are shared for free on Leaky[.]pro.
- The malware spreads through video-sharing and file-sharing platforms, including disguised links on YouTube.
- It targets sensitive information such as login credentials, browser data, and financial information.
- Threat analysts have observed patterns in Lumma Stealer's command and control infrastructure.
- Phishing campaigns are exploiting large user bases via malicious advertisements and spam emails.
- Users are advised to be cautious while engaging with unverified YouTube content.
- Lumma Stealer is linked to other malware like SecTopRAT.
- Silent Push provides IOFA feeds for tracking Lumma Stealer-related threats.
MITRE Techniques:
- T1071: Application Layer Protocol - Lumma Stealer utilizes application layer protocols for command and control communication.
- T1070: Indicator Removal on Host - Malware may obfuscate its activities to avoid detection by security systems.
- T1491: Resource Development - Threat actors register multiple domains quickly for C2 infrastructure.
- T1078: Valid Accounts - Use of compromised accounts is common in facilitating attacks linked to Lumma Stealer.
- T1583: Acquire Infrastructure - The registration of clusters of domains is a key tactic employed by Lumma Stealer operators.
Indicators of Compromise:
- [IP Address] 213.252.244[.]62
- [Domain] c3.digital-odyssey[.]shop
- [Domain] docu-signer[.]com
- [Domain] roxplo1ts[.]ws:443/wave
- [Domain] techetrs[.]icu
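As an added example (not code from Silent Push or the original article), the following Python refangs the defanged indicators listed above, reduces each to a bare host (dropping the port and path on the `roxplo1ts` entry), and sweeps constructed DNS/proxy log lines for exact hosts, subdomains of listed domains, and the listed IP. The log format and source addresses are assumptions.

```python
import re

# Indicators exactly as listed (defanged) in the summary above.
DEFANGED_IOCS = [
    "213.252.244[.]62",
    "c3.digital-odyssey[.]shop",
    "docu-signer[.]com",
    "roxplo1ts[.]ws:443/wave",
    "techetrs[.]icu",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def normalize_host(value: str) -> str:
    """Strip scheme, port and path: 'roxplo1ts[.]ws:443/wave' -> 'roxplo1ts.ws'."""
    host = re.sub(r"^[a-z]+://", "", refang(value).lower())
    host = host.split("/", 1)[0]
    return host.split(":", 1)[0].rstrip(".")

def build_watchlist(iocs):
    return {normalize_host(i) for i in iocs}

def host_matches(host: str, watchlist) -> bool:
    """Exact match, or a subdomain of a watched domain (IPs must match exactly)."""
    host = host.lower().rstrip(".")
    if host in watchlist:
        return True
    return any(host.endswith("." + w) for w in watchlist
               if not re.fullmatch(r"[\d.]+", w))

# Constructed sample lines (assumed 'timestamp src_ip source action target' layout).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 dns query docu-signer.com",
    "2024-05-01T10:00:02Z 10.0.0.5 dns query www.example.com",
    "2024-05-01T10:00:03Z 10.0.0.9 proxy CONNECT roxplo1ts.ws:443",
    "2024-05-01T10:00:04Z 10.0.0.9 proxy CONNECT cdn.techetrs.icu:443",
    "2024-05-01T10:00:05Z 10.0.0.7 proxy CONNECT 213.252.244.62:443",
    "2024-05-01T10:00:06Z 10.0.0.7 dns query notdocu-signer.com",
]

def find_hits(lines, watchlist):
    """Return (source_ip, matched_host) for every log line touching a watched host."""
    hits = []
    for line in lines:
        fields = line.split()
        host = normalize_host(fields[-1])  # last field is the queried name or host:port
        if host_matches(host, watchlist):
            hits.append((fields[1], host))
    return hits

if __name__ == "__main__":
    for src, host in find_hits(SAMPLE_LOGS, build_watchlist(DEFANGED_IOCS)):
        print(f"{src} contacted Lumma-related indicator {host}")
```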
Full Story: https://www.silentpush.com/blog/lumma-stealer/