CrowdStrike Intelligence identified a phishing domain, crowdstrike-office365[.]com, that impersonates CrowdStrike and delivers malicious ZIP and RAR archives containing an MSI loader which ultimately executes Lumma Stealer packed with CypherIt. The campaign is tied to a June 2024 Lumma Stealer distribution and to the July 2024 Falcon sensor Windows content update issue, and it relies on social engineering, including spam floods and vishing, to deliver malware.
Key points
- The phishing domain crowdstrike-office365[.]com serves a ZIP archive containing WidowsSystem-update.msi, a loader that leads to Lumma Stealer packed with CypherIt.
- Domain registration occurred on July 23, 2024, days after a CrowdStrike Falcon sensor content update on July 19, 2024.
- The MSI loader (WidowsSystem-update.msi) presents a decoy installation and leads to NSIS- and AutoIt-based components that drop the final payload.
- The NSIS batch loader Open.cmd performs anti-analysis checks and starts a loader chain that deobfuscates the payload with RC4 decryption and LZNT1 decompression, with support for both 32-bit and 64-bit systems.
- The final payload is Lumma Stealer, which exfiltrates data to its C2 server (iiaiyitre[.]pa) and uses additional C2 URLs; a June 2024 spam/vishing campaign is linked through shared infrastructure.
- Defensive guidance includes using only official update channels, user training, certificate checks on downloaded software, download protections, and blocking AutoIt-based executables where feasible.
MITRE Techniques
- [T1566] Phishing: The malicious MSI is distributed via a phishing domain. "The domain crowdstrike-office365[.]com served a ZIP file ... that contains the Microsoft Installer (MSI) file WidowsSystem-update.msi."
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell: The NSIS installer contains a batch script that deletes the malware if security products are detected. "The NSIS installer contains a batch script loader named Open.cmd ... which lists processes related to security products by invoking the Windows command tasklist."
- [T1204] User Execution: "The user is prompted to install the malicious executable, which masquerades as an MSI file."
- [T1027.002] Obfuscated Files or Information: Software Packing: Lumma Stealer is packed using CypherIt.
- [T1041] Exfiltration Over C2 Channel: Lumma Stealer sends all exfiltrated data to its C2 server.
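The T1059.003 entry above describes the behavioural signal a defender can look for: the NSIS-dropped batch loader Open.cmd invokes tasklist from a user-writable temp directory, and the chain launches a .pif file (Dicks.pif) from the same place. The following is an added example, not CrowdStrike's code, of a small process-creation detection over constructed events loosely modelled on Sysmon Event ID 1 fields; the user-writable directory markers, the nsx1A2B.tmp folder name, the user name and the PIDs are all constructed for the example.

```python
"""Behavioural detection for the Open.cmd / tasklist pattern described above.

Added example, not CrowdStrike's code. The process-creation events are
constructed for this example and loosely follow Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str            # full path of the created process
    cmdline: str
    parent_image: str
    parent_cmdline: str


# Directories a standard user can write to; installer-dropped loaders run
# from these (assumed marker list, adjust to your environment).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Pulls the first .cmd/.bat path out of a cmd.exe command line.
SCRIPT_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:cmd|bat))\b', re.IGNORECASE)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def batch_script_path(cmdline: str) -> Optional[str]:
    match = SCRIPT_RE.search(cmdline)
    return match.group(1) if match else None


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule_name, pid, evidence) for each suspicious event."""
    alerts = []
    for ev in events:
        image = ev.image.lower()
        parent = ev.parent_image.lower()
        # Rule 1 (T1059.003): tasklist.exe spawned by a cmd.exe that is running
        # a batch script from a user-writable directory, as the NSIS-dropped
        # Open.cmd does when it checks for security products.
        if image.endswith("\\tasklist.exe") and parent.endswith("\\cmd.exe"):
            script = batch_script_path(ev.parent_cmdline)
            if script and in_user_writable(script):
                alerts.append(("tasklist_from_batch_loader", ev.pid, script))
        # Rule 2: a .pif executable (the loader uses Dicks.pif) started from a
        # user-writable directory; legitimate software rarely ships .pif files.
        if image.endswith(".pif") and in_user_writable(image):
            alerts.append(("pif_from_user_writable", ev.pid, ev.image))
    return alerts


def sample_events() -> List[ProcEvent]:
    """Constructed events: a loader chain plus one benign tasklist call."""
    tmp = "C:\\Users\\alice\\AppData\\Local\\Temp\\nsx1A2B.tmp"  # constructed temp dir
    loader_cmd = f'cmd.exe /c "{tmp}\\Open.cmd"'
    return [
        ProcEvent(200, "C:\\Windows\\System32\\cmd.exe", loader_cmd,
                  "C:\\Users\\alice\\AppData\\Local\\Temp\\SymposiumTaiwan.exe",
                  "C:\\Users\\alice\\AppData\\Local\\Temp\\SymposiumTaiwan.exe"),
        ProcEvent(201, "C:\\Windows\\System32\\tasklist.exe", "tasklist",
                  "C:\\Windows\\System32\\cmd.exe", loader_cmd),
        ProcEvent(300, f"{tmp}\\Dicks.pif", f"{tmp}\\Dicks.pif",
                  "C:\\Windows\\System32\\cmd.exe", loader_cmd),
        # Benign: a maintenance script under Program Files also runs tasklist.
        ProcEvent(400, "C:\\Windows\\System32\\tasklist.exe", "tasklist /svc",
                  "C:\\Windows\\System32\\cmd.exe",
                  'cmd.exe /c "C:\\Program Files\\Vendor\\health.bat"'),
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Rule 1 keys on where the batch script lives rather than on tasklist alone, because tasklist is routinely run by administrative scripts; the benign fourth event shows that distinction. Tune the USER_WRITABLE markers to the paths your own installers and management tooling use before deploying this logic.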
Indicators of Compromise
- [URL] Hosting URL: https[:]//crowdstrike-office365[.]com/go[.]microsoft.crowdstrike-office365[.]com/download.html
- [Domain] Phishing Domain: crowdstrike-office365[.]com
- [Hash] Lumma Stealer SHA256: d669078a7cdcf71fb3f2c077d43f7f9c9fdbdb9af6f4d454d23a718c6286302a
- [Domain] Lumma Stealer C2 URLs: iiaiyitre[.]pa, indexterityszcoxp[.]shop, and 14 more items
- [Hash] Compiled AutoIt Script containing Lumma Stealer (k): 66ad1c04ebb970f2494f2f30b45d6a83c2f3a2bb663565899f57bb5422851518
- [Hash] NSIS installer containing AutoIt Script (SymposiumTaiwan.exe): c1e27b2e7db4fba9f011317ff86b0d638fe720b945e933b286bb3cf6cdb60b6f
- [Hash] Batch script loader in NSIS installer (Open.cmd): 6217436a326d1abcd78a838d60ab5de1fee8a62cda9f0d49116f9c36dc29d6fa
- [Hash] Self-extracting archive containing AutoIt Script (plenrco.exe): c3e50ca693f88678d1a6e05c870f605d18ad2ce5cfec6064b7b2fe81716d40b0
- [Hash] RC4-encrypted final payload (Lumma Stealer): no separate hash is given beyond d669078a7cdcf71fb3f2c077d43f7f9c9fdbdb9af6f4d454d23a718c6286302a
- [File] Dicks.pif: filename observed in the NSIS loader
- [File] k: filename for the compiled AutoIt script
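The indicators above are defanged, so they must be refanged before they can be matched against telemetry, and a domain indicator should match subdomains (the hosting URL sits under go.microsoft.crowdstrike-office365[.]com) without matching look-alike hosts that merely contain the string. The following is an added example, not CrowdStrike's code, that refangs the listed domains and hashes and runs them over constructed DNS log lines and a constructed file-hash inventory; only the indicators come from the report, and the timestamps, client addresses, file paths and the all-zero placeholder hash are constructed.

```python
"""Refang the indicators listed above and match them against constructed
DNS and file-inventory records. Added example, not CrowdStrike's code; the
log lines and inventory are constructed, only the indicators come from
the report.
"""
from typing import Dict, List, Tuple

DEFANGED_DOMAINS = [
    "crowdstrike-office365[.]com",   # phishing domain
    "iiaiyitre[.]pa",                # Lumma Stealer C2
    "indexterityszcoxp[.]shop",      # Lumma Stealer C2
]

HASHES = {
    "d669078a7cdcf71fb3f2c077d43f7f9c9fdbdb9af6f4d454d23a718c6286302a": "Lumma Stealer",
    "66ad1c04ebb970f2494f2f30b45d6a83c2f3a2bb663565899f57bb5422851518": "compiled AutoIt script (k)",
    "c1e27b2e7db4fba9f011317ff86b0d638fe720b945e933b286bb3cf6cdb60b6f": "NSIS installer (SymposiumTaiwan.exe)",
    "6217436a326d1abcd78a838d60ab5de1fee8a62cda9f0d49116f9c36dc29d6fa": "batch loader (Open.cmd)",
    "c3e50ca693f88678d1a6e05c870f605d18ad2ce5cfec6064b7b2fe81716d40b0": "self-extracting archive (plenrco.exe)",
}


def refang(indicator: str) -> str:
    """Undo the [.] and [:] defanging used in threat reports."""
    return indicator.replace("[.]", ".").replace("[:]", ":").lower()


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def matching_domain(query: str, blocklist: List[str]) -> str:
    """Return the blocklisted domain that `query` equals or is a subdomain of.

    Suffix matching on '.' + domain rejects hosts such as
    crowdstrike-office365.com.cdn.example that only contain the string.
    """
    q = query.lower().rstrip(".")  # DNS logs may record the trailing root dot
    for bad in blocklist:
        if q == bad or q.endswith("." + bad):
            return bad
    return ""


def scan_dns(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'timestamp client query' lines; return (client, query, indicator)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than abort the scan
        _ts, client, query = parts
        bad = matching_domain(query, DOMAINS)
        if bad:
            hits.append((client, query, bad))
    return hits


def scan_hashes(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """inventory maps file path -> SHA256; return (path, label) for known hashes."""
    return [(path, HASHES[h.lower()]) for path, h in inventory.items() if h.lower() in HASHES]


# Constructed DNS records: "timestamp client query".
SAMPLE_DNS = [
    "2024-07-24T10:01:02Z 10.0.0.5 go.microsoft.crowdstrike-office365.com",
    "2024-07-24T10:02:10Z 10.0.0.5 login.microsoftonline.com",
    "2024-07-24T10:03:00Z 10.0.0.7 crowdstrike.com",
    "2024-07-24T10:04:15Z 10.0.0.5 crowdstrike-office365.com.cdn.example",
    "2024-07-24T10:05:33Z 10.0.0.5 iiaiyitre.pa.",
    "malformed line",
]

# Constructed inventory; the MSI hash is a placeholder because the report
# does not list one for WidowsSystem-update.msi.
SAMPLE_INVENTORY = {
    "C:\\Users\\alice\\Downloads\\WidowsSystem-update.msi": "0" * 64,
    "C:\\Users\\alice\\AppData\\Local\\Temp\\SymposiumTaiwan.exe":
        "c1e27b2e7db4fba9f011317ff86b0d638fe720b945e933b286bb3cf6cdb60b6f",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\nsx1A2B.tmp\\Open.cmd":
        "6217436A326D1ABCD78A838D60AB5DE1FEE8A62CDA9F0D49116F9C36DC29D6FA",
}


if __name__ == "__main__":
    for hit in scan_dns(SAMPLE_DNS):
        print("dns", hit)
    for hit in scan_hashes(SAMPLE_INVENTORY):
        print("hash", hit)
```

The hash lookup lowercases both sides because different tools emit SHA256 values in different case, and the domain match strips the trailing root dot that some resolvers log; both are common reasons an otherwise correct IoC sweep silently misses.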
Read more: https://www.crowdstrike.com/blog/lumma-stealer-with-cypherit-phishing-lure/