Cyber Security News

LummaStealer Exploits Windows Utility to Run Remote Code Disguised as .mp4 File

The Cybereason Global Security Operations Center (GSOC) has shed light on the sophisticated tactics used by the LummaStealer malware to evade detection and execute malicious code.

Originally spotted in 2022, this Russian-developed malware-as-a-service (MaaS) has continuously evolved its evasion techniques to target Windows systems.

Advanced Evasion with mshta.exe

LummaStealer’s operators have introduced a new technique involving the exploitation of the Microsoft HTML Application Host (mshta.exe), a legitimate Windows utility, to execute remote code disguised as an innocuous .mp4 file.

This approach leverages trusted system processes to deliver and execute malicious payloads stealthily.

The malware uses a fake CAPTCHA page to socially engineer users into copying and pasting a script into the Windows Run dialog box.

Here, mshta.exe facilitates the execution of HTML Applications (HTA) files, which are operated outside the browser’s security context, thus bypassing many security measures.

LummaStealer LummaStealer
mshta

The payload, hosted remotely and disguised as an MP4 file, contains heavily obfuscated JavaScript code.

This code, when executed, triggers a series of deobfuscation steps. Initially, it involves a hex-encoded payload which, upon decoding, reveals a PowerShell script.

This script is then run using PowerShell with unrestricted execution policies, allowing for the deployment of subsequent stages of the malware.

In its latest variant, LummaStealer employs memory injection techniques to bypass Antimalware Scan Interface (AMSI).

It scans memory regions, locates the AMSI signature, and overwrites it with a null byte array to disable detection capabilities temporarily.

According to the Report, this step is crucial for executing potentially harmful scripts without triggering security alarms.

Darknet Marketplace and Monetization

The operators of LummaStealer have set up an internal marketplace on Telegram, leveraging a bot (@lu****bot) for automated transactions of stolen user data.

powershell

This platform boasts features like a seller rating system, advanced search capabilities, and flexible pricing, making it a popular choice among cybercriminals.

The marketplace has seen a surge in activity, with logs traded ranging in price from $0.10 to as high as $1,000, indicating its extensive use for monetizing stolen data directly.

An analysis of the monthly updates for LummaStealer since its inception shows a significant shift in focus from development to monetization after the opening of their log market in August 2024.

This shift is characterized by fewer updates as the emphasis moved towards facilitating and enhancing the marketplace operations.

This detailed exposure of LummaStealer’s operations underlines the persistent evolution of cyber threats, necessitating constant vigilance and advanced security measures to protect against such sophisticated malware campaigns.

Indicators of Compromise (IOCs)

Below is a table of indicators of compromise shared by Cybereason to aid in the detection and prevention of LummaStealer infections:

IOCTypeDescription
klipderiq[.]shopDomainC2
check[.]qlkwr[.]comDomainC2
172[.]67[.]144[.]135IPC2
104[.]21[.]224IPC2
xian[.]klipderiq[.]shopDomainC2
simplerwebs[.]worldDomainC2

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Fedora Linux Joins the Windows Subsystem for Linux Officially

Fedora Project has announced the official availability of Fedora Linux on the Windows Subsystem for…

23 minutes ago

Microsoft Launches “Copilot+ PC” for an Upgraded Windows Experience

Microsoft has announced a significant wave of new Windows experiences designed for Copilot+ PCs, which…

27 minutes ago

Nomad Bridge Hacker Apprehended in Connection with $190 Million Heist

Alexander Gurevich, a 47-year-old dual Russian-Israeli citizen, was arrested last Thursday at Ben-Gurion Airport while…

35 minutes ago

160-Year-Old Haulage Firm Falls After Cyber-Attack: Director Issues Urgent Warning

The 160-year-old haulage giant Knights of Old, once a stalwart of the UK’s logistics sector,…

40 minutes ago

SonicWall Unveils New Firewalls and Comprehensive Managed Cybersecurity Service

SonicWall has unveiled a new line of advanced firewalls and a comprehensive managed cybersecurity service…

45 minutes ago

China-Backed Hackers Target Exiled Uyghur Community with Malicious Software

Senior members of the World Uyghur Congress (WUC) living in exile were targeted with a…

49 minutes ago