Lumma Stealer: A Deep Dive into the Growing Malware Family

Explore the expanding threat of this malware family in our deep dive analysis, uncovering its tactics and impact.

Wednesday 12 March, 2025

Lumma Stealer - Cyberware Hub

Lumma Stealer, also called LummaC2, is an information-stealing malware family that emerged in 2022. Its main goal is to harvest sensitive data such as passwords saved in web browsers, cryptocurrency wallet files and other valuable information. To trick users into executing it, Lumma Stealer relies on social engineering such as fake CAPTCHA pages. Once running, it exfiltrates the stolen data to a Command-and-Control (C2) server and may download additional malware.

How Does Lumma Stealer Spread?

Lumma Stealer spreads through several methods, making it a highly adaptable and dangerous threat:

  • Phishing Emails: Cybercriminals send emails with malicious attachments or links. When opened or clicked, they download and install the malware on the victim's device.

  • Fake CAPTCHA Pages: Users are deceived into "completing" a fake CAPTCHA challenge, and the steps they are asked to perform end up executing the malware.

  • Drive-by Downloads: The malware is delivered when users visit compromised websites or click on harmful links.

  • Bundled Downloads: Lumma Stealer is hidden inside other software installers, such as free or pirated apps, and installs without the user's knowledge.

  • Cracked Software: It also spreads through trojanized "cracks" and keygens for popular applications.

Infection Chain:

Lumma Stealer uses a multi-stage infection process to compromise systems and steal sensitive information. Here is a step-by-step look at the chain observed in this sample:

Initial Vector:

The infection usually starts with a phishing email carrying a malicious attachment designed to entice the recipient into opening it. In the sample analysed here the attachment is a PowerShell script (.ps1). Once run, such a script can execute arbitrary code on the recipient's device, leading to further malware infections, data theft or unauthorized access. Let's investigate further to determine whether it contains any embedded executable files.

Meanwhile, what does the PowerShell script do?

PowerShell scripts are commonly used to automate tasks and manage systems in Windows environments, but the same capabilities make them a convenient loader for malware such as Lumma Stealer.

Treat any unfamiliar or unexpected PowerShell script with caution, especially one arriving from an untrusted source: once executed, it can do anything the current user can do on the system.

Embedded PowerShell Script: 

The PowerShell script carries a large Base64-encoded blob, which it decodes and writes to disk as a ZIP file under %AppData%. The encoded blob is far too large to reproduce here, so only the decoding logic is shown below. The script was launched as follows (note that -ep bypass is short for -ExecutionPolicy Bypass, which lets an unsigned script in the user's Temp folder run without any prompt; that flag combined with a .ps1 under \AppData\Local\Temp is itself a useful hunting signal):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\QnNRjhoN.ps1

A PowerShell script can indeed drop a ZIP file, typically following these steps:

  • Base64 Decoding: If the ZIP file is encoded in Base64, the script will first decode it.

  • File Creation: The script then creates the ZIP file in the specified location, such as the %AppData% folder.

  • File Extraction: If extraction is required, the script can use built-in PowerShell commands or external utilities to unzip the file.

# Base64 encoded ZIP content
$base64Content = "base64-encoded-string-here"

# Decode the Base64 content
$decodedBytes = [System.Convert]::FromBase64String($base64Content)

# Write the decoded bytes to a ZIP file
$filePath = "$env:APPDATA\example.zip"
[System.IO.File]::WriteAllBytes($filePath, $decodedBytes)
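The decode-and-drop steps above describe what the script does to the victim; the analyst's side of the same procedure is to pull the Base64 blob out of the .ps1 statically, decode it and see what it contains. The following is an added example written for this article, not code from the original page or from the malware itself. It builds a constructed, harmless stand-in for the dropper (a tiny ZIP holding a fake errorreporter.exe that begins with the PE 'MZ' signature, embedded in a script shaped like the one above), then locates every file-sized Base64 run, decodes it, identifies it by magic bytes and, for ZIP archives, lists each member with its own type. The sample script, file names and 64-character threshold are assumptions for the demonstration.

```python
import base64
import io
import re
import zipfile
from typing import Iterator, List, Tuple

# Constructed sample, not the real dropper: a tiny ZIP holding a fake
# "errorreporter.exe" that starts with the PE 'MZ' signature, Base64-encoded
# and embedded in a .ps1 the way the page describes.
def _build_sample_ps1() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("errorreporter.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("readme.txt", b"not a payload")
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        '$base64Content = "' + b64 + '"\n'
        "$decodedBytes = [System.Convert]::FromBase64String($base64Content)\n"
        '$filePath = "$env:APPDATA\\example.zip"\n'
        "[System.IO.File]::WriteAllBytes($filePath, $decodedBytes)\n"
    )

SAMPLE_PS1 = _build_sample_ps1()

# A file-sized run of Base64 characters; shorter runs are usually identifiers.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# File-type magic worth recognising when triaging a dropper.
MAGIC = ((b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"\x7fELF", "elf"))


def sniff(data: bytes) -> str:
    """Classify a buffer by its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_blobs(script: str) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, decoded bytes) for each Base64 run that decodes cleanly."""
    for m in _B64_RE.finditer(script):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield m.start(), data


def triage(script: str) -> List[dict]:
    """Describe every embedded file: type, size and, for ZIPs, each member's type."""
    findings = []
    for offset, data in extract_blobs(script):
        entry = {"offset": offset, "size": len(data), "type": sniff(data), "members": []}
        if entry["type"] == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        head = member.read(4)
                    entry["members"].append((info.filename, info.file_size, sniff(head)))
        findings.append(entry)
    return findings


def embedded_executables(script: str) -> List[str]:
    """Names of PE files found directly in the script or inside an embedded ZIP."""
    names = []
    for f in triage(script):
        if f["type"] == "pe":
            names.append("<blob@%d>" % f["offset"])
        names.extend(name for name, _size, kind in f["members"] if kind == "pe")
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_PS1):
        print("blob at offset %d: %s, %d bytes" % (f["offset"], f["type"], f["size"]))
        for name, size, kind in f["members"]:
            print("  %s: %d bytes, %s" % (name, size, kind))
    print("embedded executables:", embedded_executables(SAMPLE_PS1))
```

To use it on a real sample, read the .ps1 into a string and pass it to triage(); because the script is never executed, this is safe to run on the analysis host. Decoding with validate=True rejects runs that merely look like Base64, and checking each ZIP member's own magic rather than its extension is what catches a payload renamed to hide as a document.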

Payload File:

  Image name:      errorreporter.exe
  Path:            C:\Program Files\Common Files\errorreporter.exe
  Command line:    "C:\Program Files\Common Files\errorreporter.exe"
  User:            XXXX (redacted)
  MD5:             4e041c46b85e78e232daa1093220054f
  SHA256:          not captured in the report excerpt
  Temp directory:  C:\Users\XXXX\AppData\Local\Temp
  Also referenced: C:\Windows

The name is chosen to look like a Windows error-reporting component, and Common Files under Program Files is a location users rarely inspect. Genuine Windows Error Reporting runs as WerFault.exe from System32, so a binary named errorreporter.exe under Common Files is a cheap thing to hunt for.

Interesting Loop:

In this sample the payload calls RtlNewSecurityObjectWithMultipleInheritance in a loop. This function is an ntdll.dll export from the Rtl* security-descriptor family: it builds a self-relative security descriptor for a new object, inheriting from one or more parent descriptors plus whatever the creator supplies. It is callable from ordinary user-mode code, so its presence does not indicate a kernel or driver component.

Malware authors frequently abuse legitimate Windows APIs to accomplish their objectives. One plausible use here is to manipulate the security descriptors of dropped files, processes or registry keys so that the resulting permissions favour the malware's activities, although the trace alone does not establish the purpose. What makes the loop worth noting is that normal application code almost never calls this function, let alone repeatedly, so it stands out as a distinctive marker in an API trace.

Indicators of Compromise (IOCs):

Hash:
e71c55c0916be985270b5f397ed754655282d3a8593d6a54247f1b0511ae228d
5437af5e79914042729430bc9068c1d063222c075c0a440fbd601c13ffae30af
1b664f8a2b34eea7d3b89ab477583d668dd7bcde3b226306b84ae48d4ab884cc

C2:
debonairnukk[.]xyz, deafeninggeh[.]biz, diffuculttan[.]xyz, effecterectz[.]xyz,
sordid-snaked[.]cyou, immureprech[.]biz, wrathful-jammy[.]cyou, awake-weaves[.]cyou
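The IOCs above are published defanged ("[.]" in place of "."), so before they can be matched against telemetry they must be refanged, and a match should respect DNS label boundaries so that a look-alike such as notsordid-snaked.cyou does not fire on the indicator sordid-snaked.cyou. The following is an added example written for this article, not code from the original page: it refangs the listed C2 domains, checks constructed DNS query lines against them (including subdomains), and also flags a process-creation line shaped like the PowerShell launch seen earlier in the chain (-ep bypass with a .ps1 under a Temp directory). The log format, host names and IP addresses are made up for the demonstration; the domains are the ones listed above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# C2 domains as listed on the page, kept in their defanged form.
C2_DEFANGED = [
    "debonairnukk[.]xyz", "deafeninggeh[.]biz", "diffuculttan[.]xyz", "effecterectz[.]xyz",
    "sordid-snaked[.]cyou", "immureprech[.]biz", "wrathful-jammy[.]cyou", "awake-weaves[.]cyou",
]


def refang(indicator: str) -> str:
    """Turn 'evil[.]xyz' / 'hxxp://' back into the form that appears in logs."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http").rstrip(".")


C2_DOMAINS = {refang(d) for d in C2_DEFANGED}


def domain_matches(hostname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that hostname equals or is a subdomain of, else None.

    Matching on whole labels rather than a string suffix keeps 'notevil.xyz'
    from matching the indicator 'evil.xyz'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed log lines (not real telemetry): DNS queries plus one process-creation
# event shaped like the page's launch: powershell -ep bypass <Temp>\<random>.ps1.
SAMPLE_LOG = """\
2025-03-12T09:14:02Z dns client=10.0.0.23 query=www.example.com type=A
2025-03-12T09:14:05Z dns client=10.0.0.23 query=api.debonairnukk.xyz type=A
2025-03-12T09:14:07Z proc host=WS-23 user=admin cmdline="powershell.exe -ep bypass C:\\Users\\admin\\AppData\\Local\\Temp\\QnNRjhoN.ps1"
2025-03-12T09:14:09Z dns client=10.0.0.41 query=sordid-snaked.cyou. type=A
2025-03-12T09:15:00Z dns client=10.0.0.41 query=notsordid-snaked.cyou type=A
"""

_QUERY_RE = re.compile(r"\bquery=(\S+)")
_CMD_RE = re.compile(r'cmdline="([^"]*)"')
# PowerShell with an execution-policy bypass (-ep, -ex, -exec and -ExecutionPolicy
# are all accepted by the shell) running a .ps1 from a Temp directory.
_PS_BYPASS_RE = re.compile(
    r'powershell(?:\.exe)?\s.*-(?:ep|ex[a-z]*)\s+bypass\b.*\\temp\\[^\s"]+\.ps1', re.I
)


@dataclass
class Hit:
    line_no: int
    kind: str       # "c2-domain" or "ps-bypass-temp-script"
    value: str      # the hostname or command line exactly as logged
    indicator: str  # the IOC or pattern that fired


def scan_log(text: str, iocs: Optional[Set[str]] = None) -> List[Hit]:
    """Walk log lines and return every IOC / launch-pattern hit in order."""
    iocs = C2_DOMAINS if iocs is None else iocs
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        q = _QUERY_RE.search(line)
        if q:
            ioc = domain_matches(q.group(1), iocs)
            if ioc:
                hits.append(Hit(n, "c2-domain", q.group(1), ioc))
        c = _CMD_RE.search(line)
        if c and _PS_BYPASS_RE.search(c.group(1)):
            hits.append(Hit(n, "ps-bypass-temp-script", c.group(1),
                            "powershell -ep bypass <Temp>\\*.ps1"))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("line %d [%s] %s  <-  %s" % (h.line_no, h.kind, h.value, h.indicator))
```

The DNS match is deliberately a label-wise walk from the full name up to the registered domain, so api.debonairnukk.xyz hits while notsordid-snaked.cyou does not; a plain endswith() check would get the second case wrong. The trailing dot on sordid-snaked.cyou. is the fully-qualified form some resolvers log and is stripped before comparison.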

MITRE ATT&CK Mapping:

  Tactic                 Technique (ATT&CK ID)

  Initial Access         Phishing: Spearphishing Attachment, .ps1 (T1566.001)
  Execution              Native API (T1106)
                         Command and Scripting Interpreter: PowerShell (T1059.001)
                         Exploitation for Client Execution (T1203)
  Persistence            Scripting (T1064, deprecated; folded into T1059)
                         Create or Modify System Process: Windows Service (T1543.003)
                         Browser Extensions (T1176)
  Privilege Escalation   Process Injection (T1055)
                         Hijack Execution Flow: DLL Side-Loading (T1574.002)
                         Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
                         Access Token Manipulation (T1134)
  Defense Evasion        Obfuscated Files or Information (T1027)
                         Impair Defenses: Disable or Modify Tools (T1562.001)
                         Masquerading (T1036)
                         Virtualization/Sandbox Evasion (T1497)
  Discovery              Virtualization/Sandbox Evasion (T1497)
                         Software Discovery: Security Software Discovery (T1518.001)
                         Application Window Discovery (T1010)
                         File and Directory Discovery (T1083)
  Credential Access      OS Credential Dumping (T1003)
                         Unsecured Credentials: Credentials in Registry (T1552.002)
  Collection             Archive Collected Data (T1560)
                         Email Collection (T1114)
                         Clipboard Data (T1115)
  Command and Control    Non-Application Layer Protocol (T1095)
                         Application Layer Protocol (T1071)
                         Ingress Tool Transfer (T1105)

Of these, the spearphishing attachment, the PowerShell interpreter, the Base64 obfuscation and the masquerading payload name are the ones visible in the chain walked through above; the remaining rows summarise the family's wider reported behaviour.

Happy Hunting !!