Hackers Use Telegram Channels To Deliver Lumma Stealer Sophisticatedly

Lumma Stealer, a sophisticated information-stealing malware, is spreading through Telegram channels, exploiting the platform’s popularity to bypass traditional security measures and target unsuspecting users, potentially compromising sensitive data. 

The Telegram channel “hitbase,” with a significant subscriber count of 42,000, is actively distributing malicious software disguised as cracked software, as their last post, on November 3rd, likely contained a link to download this malware.

While the Telegram channel “sharmamod,” with 8.66k subscribers, last active on November 3rd, is distributing malware to unsuspecting users under the guise of legitimate content.

Telegram channels forward messages between each other and distribute fake crack software disguised as Trojan:Win/Lummastealer.SD, primarily targeting users in India, the USA, and Europe.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The file “CCleaner 2024.rar” contains malicious code disguised as legitimate Microsoft DLL files, which likely aims to compromise systems by exploiting vulnerabilities and potentially installing malware.

An analysis reveals that CCleaner 2024.exe employs a decryption mechanism to process two encrypted data blobs, AIOsncoiuuA and UserBuffer, using the keys Alco and key, which are likely crucial for the application’s functionality. 

The system uses two distinct encryption keys (Alco and Key) to secure sensitive data (AIOsncoiuuA and UserBuffer), where the decryption function is likely designed to decode this encrypted data using the appropriate key, revealing the original, unencrypted information. 

When a breakpoint analysis is performed, the data that has been decrypted and stored in the variable uiOAshyuxgYUA reveals the presence of process injection API calls within the memory that has been decrypted.

A multi-stage attack involving process injection into RegAsm.exe, where a breakpoint was set to capture the decrypted second-stage payload, which was identified as a Visual C++ compiled executable. 

According to McAfee, the payloads, “XTb9DOBjB3.exe” and “bTkEBBlC4H.exe,” are .NET files decrypted using the same method as the main “ccleaner” file, which are then written to the AppData Roaming folder, indicating potential post-infection activities.

The .NET file contains a 32-bit GUI PE that dynamically loads winhttp.dll. Base64-encoded strings within the PE are decoded and decrypted to retrieve plaintext data.

Malware disguises C2 server addresses as seemingly legitimate domains (“hxxps://snarlypagowo.site/api”) through obfuscation and retrieves the true address from a user’s Steam profile (“marshal-zhukov.com”) to exfiltrate data after establishing a connection. 

Runtime64.exe, a malicious .NET program, steals browser, FTP, email credentials, and system information by monitoring the clipboard for cryptocurrency wallet addresses using regex and replacing them for hijacking.

Indicators of Compromise

BLTools v4.5.5 New.rar	000756bedf4e95de6781a4193301123032e987aba33dcd55c5e2a9de20a77418
Blum Auto Bot Token.rar	06715881cd4694a0de28f8d2e3a8cc17939e83a4ca4dee2ebb3078fc25664180
Netflix Online Video 2024.rar	072aa67c14d047621e0065e8529fadd0aac1c1324e10e5d027c10073fffcd023
YouTube Downloader Version 2.1.6.rar	1724f486563c5715ce1fe989e8f4ca01890970816c5ffc2e5d0221e38cf9fdb9
Full Adobe Photoshop 2024 + CDkey.rar	174690d86d36c648a2d5a595bc8cfae70c157f00c750c36fd1a29f52011af5e2
Youtube Downloader Video 2024 Version.rar	18aca8b28750c9673f1c467f5eab1bbae4ad6c79f3fe598318c203c8e664d44f
ChatGPT-5 Version 2024 .rar	24a32d763e458e5440cb18f87685cc5626bf62cd9c3ca7bab10f0ced629708ee
Valorant Checker by Xinax 2024.rar	31a818c75d35bafc58c62c7522503f90be7b684803883e5f07c4cc16f517d1d0
Activation Windows 8,10,11 FULL + CDkey.rar	338ec6016db4eb95b15bc0822fc1d745f107ae0739a57b41ef10c9f64b6c8077
Ccleaner 2024.rar	3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b
CC Checker AcTeam 2024 New.rar	535650b613161c011086eab9d87189aa637f8575e52442db6e81602e67a2e4f4
Netflix mail access Checker 2024 New.rar	61a17a91ce2a98b455a50ff37b33368fe3b2f3a516cf94c5d7b18e386274557b
Paypal Checker New 2024 version.rar	840a255a184d3e819a07e3749b5e32da84f607ac7025366967d12dac0c5fa859
Free YouTube Downloader 2024.rar	9be6ea9ab019c7bd59fab7097ceb9cd465a6ae0c6b9a50d55432a0bfb5e1f184
Microsoft Office 2024 + CDkey.rar	a541b66785534bca646a7691c7a2a5630947ecbd4ee2544b19a5f8347f70f923
Crypto Seed Checker 2024 version.rar	ac5c6793354b2be799ce755828d72f65a0c2ea63ccc942208c22e893a251b52c
Phemex CryptoBot.rar	b53e0759fa11d6d31b837adf5c5ceda40dd01aa331aa42256282f9ca46531f25
SQLi Dumper v10.5.rar	ce8e7b2a6222aa8678f0c73bd29a9e3a358f464310002684d7c46b2b9e8dcf23
Cyber Ghost VPN + Key master.rar	d31520c4a77f01f0491ef5ecf03c487975182de7264d7dce0fb7988e0cea7248
AIO checker New Version 9.10.rar	d67cc175e2bb94e2006f2700c1b052123961f5f64a18a00c8787c4aa6071146f
Spotify Desktop Version 2024.rar	e71e23ad0e5e8b289f1959579fb185c34961a644d0e24a7466265bef07eab8ec
Nord VPN 2024 + Key.rar	fa34c20e1de65bfff3c0e60d25748927aa83d3ea9f4029e59aaedb4801220a54
Paysafecard Checker 2024 version.rar	fb60510e8595b773abde86f6f1792890978cd6efc924c187cb664d49ef05a250
TradingView 2024 New Version (Desktop).rar	fdc6ebf3968cd2dfcc8ad05202a847d7f8b2a70746800fd240e6c5136fcd34f6
Telegram channel	·      https[:]//t[.]me/hitbase
Telegram channel	·      https[:]//t[.]me/sharmamod
C2	marshal-zhukov.com

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free