LummaStealer is a malware that primarily focuses on stealing sensitive information such as credentials and cryptocurrency wallets. It is often delivered via phishing sites that utilize CAPTCHAs prompting users to execute PowerShell scripts. The investigation of a compromised machine revealed complexities in the attack timeline, showing discrepancies in timestamps from various data sources. Affected: LummaStealer victims, Windows users, Cybersecurity sector
Keypoints :
- LummaStealer is offered mainly as a service for stealing sensitive information.
- It is typically delivered through phishing sites with CAPTCHAs prompting users to run a PowerShell script.
- The malware uses native binaries, including mshta.exe, to download and execute payloads.
- Initial access analysis revealed anomalies in website visit timestamps versus malware execution times.
- The investigation process utilized Windows Defender and PowerShell logs to trace the malwareβs infection path.
- Decoding techniques revealed the use of AES CBC encryption for parts of the PowerShell script.
- The malware includes functions to download files, decode data, and extract and execute binaries.
MITRE Techniques :
- T1203: Exploitation for Client Execution β Users are directed to execute a PowerShell script via a poisoned CAPTCHA.
- T1059.001: Command and Scripting Interpreter: PowerShell β The malware uses PowerShell scripts to perform actions and download additional payloads.
- T1566.001: Phishing: Spear Phishing Link β Utilizes phishing techniques to lure users into executing malicious scripts.
- T1047: Windows Management Instrumentation β Potential use in the PowerShell or mshta command execution.
Indicator of Compromise :
- [File Hash] tera15.zip MD5: 6A6A33B51AFC7590F53F8053C8066A85
- [File Hash] chkbkx.exe MD5: 77D841AF8AE0E94F305843F468FD35FA
Full Story: https://medium.com/@andrewss112/lummastealer-abcf2a681fbe?source=rssββmalware-5