Tuesday, January 14, 2025
Homecyber securityHackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Published on

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious links within seemingly legitimate payment requests. 

This tactic aims to deceive recipients into opening the invoice, leading to:

  • Potential data breaches
  • Financial fraud
  • Unauthorized access to sensitive information

Cybersecurity researchers at Perception Point recently discovered and analyzed sophisticated malware dubbed “LUMMA” malware.

Basically Sandboxing technology can identify and isolate malicious software with precision and accuracy, protecting the system from potentially harmful malware.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Invoice to Deliver LUMMA Malware

Cybersecurity analysts identified that the attacker, posing as a financial services company in this campaign, tricks the target with a fake invoice email. 

Fake Invoice (Source – Perception Point)

The user is urged to click “View & Download Invoice,” but the provided website is unavailable. To maintain legitimacy, a valid website link is included that redirects users after the failed button click.

The attacker dodges detection using a fake page and a real link. Security scans miss malicious payload hidden behind error pages and innocent URLs. 

Clicking the link redirects to harmful URLs triggering automatic download of malicious files. The attacker breached a legitimate site to host a redirect. 

Besides this, the website code reveals multiple redirects to dangerous URLs, like hxxps://robertoscaia[.]com/eco, downloading malware through the “.exe” file generator.

Website code (Source – Perception Point)

LUMMA is an InfoStealer malware that is written in C language and spreads through Malware-as-a-Service. 

The attack features three processes, and here below, we have mentioned those processes: –

  • 1741[.]exe
  • RegSvcs[.]exe
  • wmpnscfg[.]exe

Notably, the “1741[.]exe” process runs from the user’s temp folder, raising suspicions due to legitimate programs not using this location.

Processes ‘RegSvcs[.]exe’ and ‘wmpnscfg.exe’ from unusual folders suggest suspicious behavior linked to malware. 

Parent processes with PIDs 1388, 3428, and 1388 add complexity, aiming to hide malicious activities.

Increasingly sophisticated threats demand constant security system evaluation.

This incident highlights the need for advanced prevention, continuous monitoring, and a multi-layered approach to detecting and countering evolving cyber threats.

IOCs

Main object – 3827.exe

  • md5 0563076ebdeaa2989ec50da564afa2bb
  • sha1 ac14e7468619ed486bf6c3d3570bea2cee082fbc
  • sha256 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b

Dropped executable file

  • sha256 C:\Users\admin\AppData\Local\Temp\Protect544cd51a.dll dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

DNS requests

  • domain taretool[.]pw

Connections

  • ip 104[.]21[.]21[.]50
  • ip 224[.]0[.]0[.]252

HTTP/HTTPS requests:

  • url hxxp://taretool[.]pw/api
  • url hxxp://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]robertoscaia[.]com/eco/
  • url hxxps://fuelrescue[.]ie/eco/
  • url hxxps://www[.]7-zip[.]org/a/7zr[.]exe

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...