Friday, December 27, 2024
HomeCyber Security NewsHackers Use Telegram Channels To Deliver Lumma Stealer Sophisticatedly

Hackers Use Telegram Channels To Deliver Lumma Stealer Sophisticatedly

Published on

SIEM as a Service

Lumma Stealer, a sophisticated information-stealing malware, is spreading through Telegram channels, exploiting the platform’s popularity to bypass traditional security measures and target unsuspecting users, potentially compromising sensitive data. 

The Telegram channel “hitbase,” with a significant subscriber count of 42,000, is actively distributing malicious software disguised as cracked software, as their last post, on November 3rd, likely contained a link to download this malware.

While the Telegram channel “sharmamod,” with 8.66k subscribers, last active on November 3rd, is distributing malware to unsuspecting users under the guise of legitimate content.

- Advertisement - SIEM as a Service
telegram channel offering malware to benign users.

Telegram channels forward messages between each other and distribute fake crack software disguised as Trojan:Win/Lummastealer.SD, primarily targeting users in India, the USA, and Europe.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The file “CCleaner 2024.rar” contains malicious code disguised as legitimate Microsoft DLL files, which likely aims to compromise systems by exploiting vulnerabilities and potentially installing malware.

An analysis reveals that CCleaner 2024.exe employs a decryption mechanism to process two encrypted data blobs, AIOsncoiuuA and UserBuffer, using the keys Alco and key, which are likely crucial for the application’s functionality. 

CCleaner 2024.exe is a .NET application

The system uses two distinct encryption keys (Alco and Key) to secure sensitive data (AIOsncoiuuA and UserBuffer), where the decryption function is likely designed to decode this encrypted data using the appropriate key, revealing the original, unencrypted information. 

When a breakpoint analysis is performed, the data that has been decrypted and stored in the variable uiOAshyuxgYUA reveals the presence of process injection API calls within the memory that has been decrypted.

A multi-stage attack involving process injection into RegAsm.exe, where a breakpoint was set to capture the decrypted second-stage payload, which was identified as a Visual C++ compiled executable. 

Stage1 is a V C++ compiled file.

According to McAfee, the payloads, “XTb9DOBjB3.exe” and “bTkEBBlC4H.exe,” are .NET files decrypted using the same method as the main “ccleaner” file, which are then written to the AppData Roaming folder, indicating potential post-infection activities.

The .NET file contains a 32-bit GUI PE that dynamically loads winhttp.dll. Base64-encoded strings within the PE are decoded and decrypted to retrieve plaintext data.

Malware disguises C2 server addresses as seemingly legitimate domains (“hxxps://snarlypagowo.site/api”) through obfuscation and retrieves the true address from a user’s Steam profile (“marshal-zhukov.com”) to exfiltrate data after establishing a connection. 

Runtime64.exe, a malicious .NET program, steals browser, FTP, email credentials, and system information by monitoring the clipboard for cryptocurrency wallet addresses using regex and replacing them for hijacking.

Indicators of Compromise

BLTools v4.5.5 New.rar000756bedf4e95de6781a4193301123032e987aba33dcd55c5e2a9de20a77418
Blum Auto Bot Token.rar06715881cd4694a0de28f8d2e3a8cc17939e83a4ca4dee2ebb3078fc25664180
Netflix Online Video 2024.rar072aa67c14d047621e0065e8529fadd0aac1c1324e10e5d027c10073fffcd023
YouTube Downloader Version 2.1.6.rar1724f486563c5715ce1fe989e8f4ca01890970816c5ffc2e5d0221e38cf9fdb9
Full Adobe Photoshop 2024 + CDkey.rar174690d86d36c648a2d5a595bc8cfae70c157f00c750c36fd1a29f52011af5e2
Youtube Downloader Video 2024 Version.rar18aca8b28750c9673f1c467f5eab1bbae4ad6c79f3fe598318c203c8e664d44f
ChatGPT-5 Version 2024 .rar24a32d763e458e5440cb18f87685cc5626bf62cd9c3ca7bab10f0ced629708ee
Valorant Checker by Xinax 2024.rar31a818c75d35bafc58c62c7522503f90be7b684803883e5f07c4cc16f517d1d0
Activation Windows 8,10,11 FULL + CDkey.rar338ec6016db4eb95b15bc0822fc1d745f107ae0739a57b41ef10c9f64b6c8077
Ccleaner 2024.rar3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b
CC Checker AcTeam 2024 New.rar535650b613161c011086eab9d87189aa637f8575e52442db6e81602e67a2e4f4
Netflix mail access Checker 2024 New.rar61a17a91ce2a98b455a50ff37b33368fe3b2f3a516cf94c5d7b18e386274557b
Paypal Checker New 2024 version.rar840a255a184d3e819a07e3749b5e32da84f607ac7025366967d12dac0c5fa859
Free YouTube Downloader 2024.rar9be6ea9ab019c7bd59fab7097ceb9cd465a6ae0c6b9a50d55432a0bfb5e1f184
Microsoft Office 2024 + CDkey.rara541b66785534bca646a7691c7a2a5630947ecbd4ee2544b19a5f8347f70f923
Crypto Seed Checker 2024 version.rarac5c6793354b2be799ce755828d72f65a0c2ea63ccc942208c22e893a251b52c
Phemex CryptoBot.rarb53e0759fa11d6d31b837adf5c5ceda40dd01aa331aa42256282f9ca46531f25
SQLi Dumper v10.5.rarce8e7b2a6222aa8678f0c73bd29a9e3a358f464310002684d7c46b2b9e8dcf23
Cyber Ghost VPN + Key master.rard31520c4a77f01f0491ef5ecf03c487975182de7264d7dce0fb7988e0cea7248
AIO checker New Version 9.10.rard67cc175e2bb94e2006f2700c1b052123961f5f64a18a00c8787c4aa6071146f
Spotify Desktop Version 2024.rare71e23ad0e5e8b289f1959579fb185c34961a644d0e24a7466265bef07eab8ec
Nord VPN 2024 + Key.rarfa34c20e1de65bfff3c0e60d25748927aa83d3ea9f4029e59aaedb4801220a54
Paysafecard Checker 2024 version.rarfb60510e8595b773abde86f6f1792890978cd6efc924c187cb664d49ef05a250
TradingView 2024 New Version (Desktop).rarfdc6ebf3968cd2dfcc8ad05202a847d7f8b2a70746800fd240e6c5136fcd34f6
Telegram channel·      https[:]//t[.]me/hitbase 
Telegram channel Â·      https[:]//t[.]me/sharmamod 
C2marshal-zhukov.com

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free

Latest articles

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly...

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which...

Adobe Warns of ColdFusion Vulnerability Allows Attackers Read arbitrary files

Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to...

Beware of New Malicious PyPI packages That Steals Login Details

Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet's AI-driven OSS...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly...

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which...

Adobe Warns of ColdFusion Vulnerability Allows Attackers Read arbitrary files

Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to...