LummApp Campaign Abuses OBS Software to Execute Infostealer via DLL Sideloading

MITRE Techniques

• [T1574.001] DLL Side-Loading – The campaign places a malicious DLL in AppData and relies on vulnerable signed executables to load it (‘vulnerable to a DLL sideloading exploit’ / ‘By exploiting legitimate DLLs associated with trusted OBS-signed files’).
• [T1059.001] PowerShell – Attack stages execute heavily obfuscated and encoded PowerShell commands to download and reconstruct the browser extension (‘Executes encoded PowerShell commands as part of the attack’s next stage to deploy malicious browser extension’).
• [T1055] Process Injection – The malicious DLL injects a Lummac2 executable into explorer.exe to run subsequent payloads under a trusted process (‘the malicious DLL injects a Lummac2 executable into explorer.exe’).
• [T1113] Screen Capture – The injected process captures screenshots of the host environment as part of data collection (‘Takes a screenshot of the host environment’).
• [T1555.003] Credentials from Web Browsers – The malware extracts cookies and stored passwords from installed browsers (‘Extracts cookies and stored user passwords from installed web browsers’).
• [T1041] Exfiltration Over C2 Channel – Collected data is sent to attacker-controlled domains for remote retrieval (‘The collected data is then exfiltrated to external domains… Gulbur[.]com, Hit-bone[.]com, L-back[.]com, Livedjudhr[.]cyou’).
• [T1218] Signed Binary Proxy Execution – The MSI runs a signed executable from a trusted vendor which is used to load the malicious DLL (‘the MSI file runs a signed executable from a trusted, well-known company’).
• [T1189] Drive-by Compromise – Initial distribution leverages downloads from cracked-software and torrent sites, redirecting users to Mega.nz ZIPs containing the malicious MSI (‘The attack begins on websites hosting cracked software and torrents… a Mega.nz link, which provides a ZIP file for download’).