Cyber Security News

LummaStealer Exploits Windows Utility to Run Remote Code Disguised as .mp4 File

The Cybereason Global Security Operations Center (GSOC) has shed light on the sophisticated tactics used by the LummaStealer malware to evade detection and execute malicious code.

Originally spotted in 2022, this Russian-developed malware-as-a-service (MaaS) has continuously evolved its evasion techniques to target Windows systems.

Advanced Evasion with mshta.exe

LummaStealer’s operators have introduced a new technique involving the exploitation of the Microsoft HTML Application Host (mshta.exe), a legitimate Windows utility, to execute remote code disguised as an innocuous .mp4 file.

This approach leverages trusted system processes to deliver and execute malicious payloads stealthily.

The malware uses a fake CAPTCHA page to socially engineer users into copying and pasting a script into the Windows Run dialog box.

Here, mshta.exe facilitates the execution of HTML Applications (HTA) files, which are operated outside the browser’s security context, thus bypassing many security measures.

LummaStealer LummaStealer
mshta

The payload, hosted remotely and disguised as an MP4 file, contains heavily obfuscated JavaScript code.

This code, when executed, triggers a series of deobfuscation steps. Initially, it involves a hex-encoded payload which, upon decoding, reveals a PowerShell script.

This script is then run using PowerShell with unrestricted execution policies, allowing for the deployment of subsequent stages of the malware.

In its latest variant, LummaStealer employs memory injection techniques to bypass Antimalware Scan Interface (AMSI).

It scans memory regions, locates the AMSI signature, and overwrites it with a null byte array to disable detection capabilities temporarily.

According to the Report, this step is crucial for executing potentially harmful scripts without triggering security alarms.

Darknet Marketplace and Monetization

The operators of LummaStealer have set up an internal marketplace on Telegram, leveraging a bot (@lu****bot) for automated transactions of stolen user data.

powershell

This platform boasts features like a seller rating system, advanced search capabilities, and flexible pricing, making it a popular choice among cybercriminals.

The marketplace has seen a surge in activity, with logs traded ranging in price from $0.10 to as high as $1,000, indicating its extensive use for monetizing stolen data directly.

An analysis of the monthly updates for LummaStealer since its inception shows a significant shift in focus from development to monetization after the opening of their log market in August 2024.

This shift is characterized by fewer updates as the emphasis moved towards facilitating and enhancing the marketplace operations.

This detailed exposure of LummaStealer’s operations underlines the persistent evolution of cyber threats, necessitating constant vigilance and advanced security measures to protect against such sophisticated malware campaigns.

Indicators of Compromise (IOCs)

Below is a table of indicators of compromise shared by Cybereason to aid in the detection and prevention of LummaStealer infections:

IOCTypeDescription
klipderiq[.]shopDomainC2
check[.]qlkwr[.]comDomainC2
172[.]67[.]144[.]135IPC2
104[.]21[.]224IPC2
xian[.]klipderiq[.]shopDomainC2
simplerwebs[.]worldDomainC2

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Threat Actors Use Fake DocuSign Notifications to Steal Corporate Data

DocuSign has emerged as a cornerstone for over 1.6 million customers worldwide, including 95% of…

14 hours ago

Government Calls on Organizations to Adopt SIEM and SOAR Solutions

In a landmark initiative, international cybersecurity agencies have released a comprehensive series of publications to…

15 hours ago

WordPress TI WooCommerce Wishlist Plugin Flaw Puts Over 100,000 Websites at Risk of Cyberattack

A severe security flaw has been identified in the TI WooCommerce Wishlist plugin, a widely…

15 hours ago

Microsoft Alerts on Void Blizzard Hackers Targeting Telecommunications and IT Sectors

Microsoft Threat Intelligence Center (MSTIC) has issued a critical warning about a cluster of global…

15 hours ago

Hackers Use Fake OneNote Login to Capture Office365 and Outlook Credentials

A recent investigation by security analysts has uncovered a persistent phishing campaign targeting Italian and…

16 hours ago

Hackers Exploit Craft CMS Vulnerability to Inject Cryptocurrency Miner Malware

Threat actors have exploited a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32432, in…

16 hours ago