Wednesday, October 16, 2024
Homecyber securityHackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Published on

Malware protection

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious links within seemingly legitimate payment requests. 

This tactic aims to deceive recipients into opening the invoice, leading to:

  • Potential data breaches
  • Financial fraud
  • Unauthorized access to sensitive information

Cybersecurity researchers at Perception Point recently discovered and analyzed sophisticated malware dubbed “LUMMA” malware.

- Advertisement - SIEM as a Service

Basically Sandboxing technology can identify and isolate malicious software with precision and accuracy, protecting the system from potentially harmful malware.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Invoice to Deliver LUMMA Malware

Cybersecurity analysts identified that the attacker, posing as a financial services company in this campaign, tricks the target with a fake invoice email. 

Fake Invoice (Source – Perception Point)

The user is urged to click “View & Download Invoice,” but the provided website is unavailable. To maintain legitimacy, a valid website link is included that redirects users after the failed button click.

The attacker dodges detection using a fake page and a real link. Security scans miss malicious payload hidden behind error pages and innocent URLs. 

Clicking the link redirects to harmful URLs triggering automatic download of malicious files. The attacker breached a legitimate site to host a redirect. 

Besides this, the website code reveals multiple redirects to dangerous URLs, like hxxps://robertoscaia[.]com/eco, downloading malware through the “.exe” file generator.

Website code (Source – Perception Point)

LUMMA is an InfoStealer malware that is written in C language and spreads through Malware-as-a-Service. 

The attack features three processes, and here below, we have mentioned those processes: –

  • 1741[.]exe
  • RegSvcs[.]exe
  • wmpnscfg[.]exe

Notably, the “1741[.]exe” process runs from the user’s temp folder, raising suspicions due to legitimate programs not using this location.

Processes ‘RegSvcs[.]exe’ and ‘wmpnscfg.exe’ from unusual folders suggest suspicious behavior linked to malware. 

Parent processes with PIDs 1388, 3428, and 1388 add complexity, aiming to hide malicious activities.

Increasingly sophisticated threats demand constant security system evaluation.

This incident highlights the need for advanced prevention, continuous monitoring, and a multi-layered approach to detecting and countering evolving cyber threats.

IOCs

Main object – 3827.exe

  • md5 0563076ebdeaa2989ec50da564afa2bb
  • sha1 ac14e7468619ed486bf6c3d3570bea2cee082fbc
  • sha256 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b

Dropped executable file

  • sha256 C:\Users\admin\AppData\Local\Temp\Protect544cd51a.dll dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

DNS requests

  • domain taretool[.]pw

Connections

  • ip 104[.]21[.]21[.]50
  • ip 224[.]0[.]0[.]252

HTTP/HTTPS requests:

  • url hxxp://taretool[.]pw/api
  • url hxxp://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]robertoscaia[.]com/eco/
  • url hxxps://fuelrescue[.]ie/eco/
  • url hxxps://www[.]7-zip[.]org/a/7zr[.]exe

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...