The Cybereason Global Security Operations Center (GSOC) has shed light on the sophisticated tactics used by the LummaStealer malware to evade detection and execute malicious code.
Originally spotted in 2022, this Russian-developed malware-as-a-service (MaaS) has continuously evolved its evasion techniques to target Windows systems.
LummaStealer’s operators have introduced a new technique involving the exploitation of the Microsoft HTML Application Host (mshta.exe), a legitimate Windows utility, to execute remote code disguised as an innocuous .mp4 file.
This approach leverages trusted system processes to deliver and execute malicious payloads stealthily.
The malware uses a fake CAPTCHA page to socially engineer users into copying and pasting a script into the Windows Run dialog box.
Here, mshta.exe facilitates the execution of HTML Applications (HTA) files, which are operated outside the browser’s security context, thus bypassing many security measures.
The payload, hosted remotely and disguised as an MP4 file, contains heavily obfuscated JavaScript code.
This code, when executed, triggers a series of deobfuscation steps. Initially, it involves a hex-encoded payload which, upon decoding, reveals a PowerShell script.
This script is then run using PowerShell with unrestricted execution policies, allowing for the deployment of subsequent stages of the malware.
In its latest variant, LummaStealer employs memory injection techniques to bypass Antimalware Scan Interface (AMSI).
It scans memory regions, locates the AMSI signature, and overwrites it with a null byte array to disable detection capabilities temporarily.
According to the Report, this step is crucial for executing potentially harmful scripts without triggering security alarms.
The operators of LummaStealer have set up an internal marketplace on Telegram, leveraging a bot (@lu****bot) for automated transactions of stolen user data.
This platform boasts features like a seller rating system, advanced search capabilities, and flexible pricing, making it a popular choice among cybercriminals.
The marketplace has seen a surge in activity, with logs traded ranging in price from $0.10 to as high as $1,000, indicating its extensive use for monetizing stolen data directly.
An analysis of the monthly updates for LummaStealer since its inception shows a significant shift in focus from development to monetization after the opening of their log market in August 2024.
This shift is characterized by fewer updates as the emphasis moved towards facilitating and enhancing the marketplace operations.
This detailed exposure of LummaStealer’s operations underlines the persistent evolution of cyber threats, necessitating constant vigilance and advanced security measures to protect against such sophisticated malware campaigns.
Below is a table of indicators of compromise shared by Cybereason to aid in the detection and prevention of LummaStealer infections:
IOC | Type | Description |
---|---|---|
klipderiq[.]shop | Domain | C2 |
check[.]qlkwr[.]com | Domain | C2 |
172[.]67[.]144[.]135 | IP | C2 |
104[.]21[.]224 | IP | C2 |
xian[.]klipderiq[.]shop | Domain | C2 |
simplerwebs[.]world | Domain | C2 |
… | … | … |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Fedora Project has announced the official availability of Fedora Linux on the Windows Subsystem for…
Microsoft has announced a significant wave of new Windows experiences designed for Copilot+ PCs, which…
Alexander Gurevich, a 47-year-old dual Russian-Israeli citizen, was arrested last Thursday at Ben-Gurion Airport while…
The 160-year-old haulage giant Knights of Old, once a stalwart of the UK’s logistics sector,…
SonicWall has unveiled a new line of advanced firewalls and a comprehensive managed cybersecurity service…
Senior members of the World Uyghur Congress (WUC) living in exile were targeted with a…