LummaStealer Exploits Windows Utility to Run Remote Code Disguised as .mp4 File

The Cybereason Global Security Operations Center (GSOC) has shed light on the sophisticated tactics used by the LummaStealer malware to evade detection and execute malicious code.

Originally spotted in 2022, this Russian-developed malware-as-a-service (MaaS) has continuously evolved its evasion techniques to target Windows systems.

Advanced Evasion with mshta.exe

LummaStealer’s operators have introduced a new technique involving the exploitation of the Microsoft HTML Application Host (mshta.exe), a legitimate Windows utility, to execute remote code disguised as an innocuous .mp4 file.

This approach leverages trusted system processes to deliver and execute malicious payloads stealthily.

The malware uses a fake CAPTCHA page to socially engineer users into copying and pasting a script into the Windows Run dialog box.

Here, mshta.exe facilitates the execution of HTML Applications (HTA) files, which are operated outside the browser’s security context, thus bypassing many security measures.

The payload, hosted remotely and disguised as an MP4 file, contains heavily obfuscated JavaScript code.

This code, when executed, triggers a series of deobfuscation steps. Initially, it involves a hex-encoded payload which, upon decoding, reveals a PowerShell script.

This script is then run using PowerShell with unrestricted execution policies, allowing for the deployment of subsequent stages of the malware.

In its latest variant, LummaStealer employs memory injection techniques to bypass Antimalware Scan Interface (AMSI).

It scans memory regions, locates the AMSI signature, and overwrites it with a null byte array to disable detection capabilities temporarily.

According to the Report, this step is crucial for executing potentially harmful scripts without triggering security alarms.

Darknet Marketplace and Monetization

The operators of LummaStealer have set up an internal marketplace on Telegram, leveraging a bot (@lu****bot) for automated transactions of stolen user data.

This platform boasts features like a seller rating system, advanced search capabilities, and flexible pricing, making it a popular choice among cybercriminals.

The marketplace has seen a surge in activity, with logs traded ranging in price from $0.10 to as high as $1,000, indicating its extensive use for monetizing stolen data directly.

An analysis of the monthly updates for LummaStealer since its inception shows a significant shift in focus from development to monetization after the opening of their log market in August 2024.

This shift is characterized by fewer updates as the emphasis moved towards facilitating and enhancing the marketplace operations.

This detailed exposure of LummaStealer’s operations underlines the persistent evolution of cyber threats, necessitating constant vigilance and advanced security measures to protect against such sophisticated malware campaigns.

Indicators of Compromise (IOCs)

Below is a table of indicators of compromise shared by Cybereason to aid in the detection and prevention of LummaStealer infections:

IOC	Type	Description
klipderiq[.]shop	Domain	C2
check[.]qlkwr[.]com	Domain	C2
172[.]67[.]144[.]135	IP	C2
104[.]21[.]224	IP	C2
xian[.]klipderiq[.]shop	Domain	C2
simplerwebs[.]world	Domain	C2
…	…	…

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!