At CYFIRMA, we are dedicated to providing current insights into prevalent threats and strategies utilized by malicious entities, targeting both organizations and individuals. This report provides a comprehensive analysis of Lumma Stealer, an advanced information-stealing malware operating within a malware-as-a-service (MaaS) framework. Lumma Stealer targets sensitive data and employs sophisticated techniques to evade detection. This malware utilizes counterfeit websites posing as legitimate antivirus software for distribution and promotion. This report examines Lumma Stealer’s evasion tactics and their methods for concealing malicious activities and highlights the evolving strategies of cyber threat actors in the current threat landscape.
Lumma Stealer is a potent malware written in C, designed to surreptitiously steal a wide array of data from compromised systems. This MaaS tool has rapidly gained notoriety for its ability to target and steal critical data such as cryptocurrency wallets, web browser information, email credentials, financial data, sensitive files within user directories, personal data, FTP client data, and more by employing sophisticated techniques including event-controlled write operations and encryption to evade detection and maximize its impact.
This customizable malware is being sold on Telegram and a dedicated website as malware-as-a-service. The report explores Lumma Stealer’s operational methods, emphasizing the evolving tactics used in today’s digital environment, and its impact and guides cybersecurity professionals in developing effective defense strategies against such sophisticated threats.
Lumma Stealer, also known as LummaC2 Stealer, has been accessible via a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. The threat actor behind its development is believed to be “Shamel,” who operates under the alias “Lumma.”
Threat actor(s) actively use the Telegram channel to sell the malware specimen and updates, announcements, and support:
Threat actor(s) also have a dedicated website with detailed information on the Gitbook:
The subject sample of this analysis is being distributed as a free version of antivirus on a counterfeit website posing as a Bitdefender product:
In February, Sultan, the individual associated with the Vidar malware, shared an image depicting Lumma and Raccoon stealers in combat against antivirus solutions, suggesting collaboration among threat actors to achieve their objectives.
Threat Landscape:
The external threat landscape environment is dynamic and continually evolving, marked by the emergence of sophisticated threats like the Lumma Stealer. Threat actor(s) display significant adaptability, utilizing advanced tactics to evade detection and amplify their malicious operations.
The collaboration between Lumma Stealer and other malware strains underscores the interconnected nature of modern cyber threats. Additionally, the use of social media platforms such as Telegram, alongside dedicated websites for malware promotion, highlights the criticality of monitoring these channels for early threat detection. Organizations and individuals alike are exposed to substantial risks from multifaceted attacks that exploit a variety of malware variants. This highlights the urgent need for robust cybersecurity measures and proactive defense strategies.
File Analysis | |
File Name | setup-win-x86-x64.exe.zip |
File Size | 26.96 MB (28274486 bytes) |
Signed | Not signed |
MD5 | 4b5450d05fe036f720cc7384f400b0fb |
SHA-256 | 91e268e53754fcaaab91a3ad32ca4f67fbfc4903e75733a7174d28e1b85dd190 |
Date Modified | 23-04-2024 |
The malware specimen downloaded from the fake Bit-Defender website comes as a zip archive that contains an executable file named setup-win-x86-x64.exe and a folder named ‘_MACOSX’.
File Name | setup-win-x86-x64.exe |
File Size | 73.41 MB (76974080 bytes) |
Signed | Not signed |
MD5 | 1a3657ef519e3d20930f400dd781dbb2 |
SHA-256 | 3669c3c9c47a5e5c59f508976a2732aa1feabfa7c90d1912032e3426c30edde5 |
Date Modified | 23-04-2024 |
The executable file setup-win-x86-x64.exe is a 64-bit GUI-based Windows executable that is compiled using MinGW in ‘C’ language, and heuristics confirm the use of Golang repositories in the program.
The ‘_MACOSX’ folder is a resource fork generated when creating a compressed archive (zip file) on the macOS operating system. It contains a file ‘._setup-win-x86-x64.exe,’ which, despite its executable-like file extension, is not an executable but rather a non-malicious file containing metadata.
The executable is not packed and consists of 11 sections, with multiple sections having ‘RW’ permissions:
The manifest data of the executable shows the name as ‘StoreInstaller.App,’ indicating that the file was created or compiled on the macOS platform. It also specifies compatible Windows OS versions:
The malware also uses APIs such as IsDebuggerPresent and OutputDebugString to detect the presence of a debugger:
During the initial stage of execution, the malware creates a file with a ‘.scif’ extension in the C:\Users\Public\Libraries directory and writes to it. The filename is randomly generated and may vary between different executions.
This event-controlled write operation only reveals the file contents when the associated event object is in a signaled state. This technique serves as an anti-debugging and anti-analysis measure by maintaining the written file in a buffered state indefinitely, utilizing and removing it instead of saving the file to system storage.
The dumped ‘.scif’ file confirms that the written bytes (297.15 KB) constitute the 32-bit GUI executable code, which also includes data in the overlay section:
These bytes are mapped into the malware’s process memory and subsequently deleted to erase traces of the malicious code:
The executable code is first copied to a different memory location within the malware process before unmapping the mapped view. Initially, it copies the overlay section data from the executable code, followed by the rest of the code:
After copying the executable code to a different memory location within the malware process, the mapped view is unmapped, freeing the memory previously used for mapping the executable. Subsequently, the ‘.scif’ file is deleted from the ‘C:\Users\Public\Libraries’ directory:
In a similar manner, it creates another ‘.scif’ file in the same directory (C:\Users\Public\Libraries), copies the executable code into it, maps the ‘.scif’ file into memory and copies the mapped code to a different location, and then deletes the ‘.scif’ file. This operation is also an event-controlled write operation, like the earlier one:
At this point, the malware copies the legitimate Windows executable BitLockerToGo.exe, which exists in the ‘C:\Windows\BitLockerDiscoveryVolumeContents’ directory, to the ‘.scif’ file:
In the second stage, the malware creates a suspended process of BitLockerToGo.exe:
The malware creates a suspended process of BitLockerToGo.exe and allocates memory within its address space using the VirtualAllocEx API call, specifying the ‘MEM_RESERVE | MEM_COMMIT’ option to reserve virtual memory addresses and commit physical memory for these addresses.
Then, it performs process injection by writing the allocated memory with the malicious code. This involves two instances of the WriteProcessMemory API call: the first instance writes the malicious code, and the second instance writes data into the overlay section:
After the injection, the dumped executable shows no libraries or imports due to the error “IAT was not inside the PE image”, indicating that rebasing is required to retrieve import details. Additionally, the entry point remains the same as that of the legitimate BitLockerToGo.exe file.
After code injection, the malware resumes the suspended process (next stage malware) and terminates itself (setup-win-x86-x64.exe). The suspended process is resumed using the ResumeThread API call, which executes the thread within the BitLockerToGo.exe process:
The start address of the thread is RtlUserThreadStart, which does not require explicit definition or adjustment of the thread context before resuming execution. It sets up the initial context and prepares the thread to begin executing user-defined code, and the Windows kernel ensures that the thread’s initial context including registers and stack setup is properly initialized for execution.
After RtlUserThreadStart initializes the injected process and starts loading required Windows DLLs, it sends a DNS query to resolve the IP address of the domain(s) hardcoded in the injected process and begins communicating with the first domain that resolves successfully:
The communications are encrypted using TLS v1.2:
There are seven hardcoded domains that act as command-and-control (C2) servers, which the malware uses for sending updates, receiving instructions, and exfiltrating data:
In the final stage, the malware initially sends a pair of messages and receives an obfuscated response from the command-and-control (C2) server:
After receiving the response from the command-and-control (C2) server, the malware begins collecting and exfiltrating data from the victim’s PC. This includes data from web browsers such as cookies, history, extensions, login data, session data, and cache. Additionally, it targets cryptocurrency wallets, sensitive files within user directories, Telegram data, email clients, FTP client data, and remote desktop clients.
The exfiltrated data is encrypted, and custom obfuscation techniques are employed to conceal the stolen data over the network, as observed in intercepted communications:
Below are the captured logs of the malware’s data-stealing activities, targeting cryptocurrency wallets, web browsers, email clients, FTP clients, and more:
This stealer malware also scans the compromised system for files containing keywords such as seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf, indicating malware’s capability of specifically targeting files that potentially contain sensitive information. By scanning for these keywords across both text and PDF file formats, the malware aims to gather information that could include private keys, wallet addresses, login credentials, and other financial or personal data stored on the compromised system.
Analyzing the Lumma stealer provides valuable insights into its operational characteristics. Based on this examination and the extracted data, the following points outline the capabilities of this information-stealing malware:
In conclusion, Lumma Stealer’s operations encompass comprehensive data theft activities, targeting sensitive information such as cryptocurrency wallets, web browser data, email clients, and other critical files and data. The malware employs advanced techniques including event-controlled write operations, encryption of exfiltrated data, and custom obfuscation to evade detection and analysis, furthermore, its integration with other malware highlights a trend towards coordinated, multifaceted cyber threats aimed at maximizing disruption and financial gains.
As these threats continue to evolve, it is imperative for organizations to adopt robust cybersecurity measures and proactive defense strategies to mitigate the risks posed by threats like Lumma Stealer. To reduce the risks associated with Lumma Stealer, users should exercise caution when opening files from untrustworthy sources or clicking on unfamiliar links, particularly those offering questionable software or content. Furthermore, deploying robust cybersecurity measures, including utilizing reputable antivirus software, ensuring software is regularly updated, and staying vigilant against social engineering tactics, can significantly bolster protection against such threats.
S/N | Indicators | Type | Context |
1 | 4b5450d05fe036f720cc7384f400b0fb | File | setup-win-x86-x64.exe.zip |
2 | 91e268e53754fcaaab91a3ad32ca4f67fbfc4903e75733a7174d28e1b85dd190 | File | setup-win-x86-x64.exe.zip |
3 | 1a3657ef519e3d20930f400dd781dbb2 | File | setup-win-x86-x64.exe |
4 | 3669c3c9c47a5e5c59f508976a2732aa1feabfa7c90d1912032e3426c30edde5 | File | setup-win-x86-x64.exe |
5 | alcojoldwograpciw[.]shop | Domain | C2 |
6 | productivelookewr[.]shop | Domain | C2 |
7 | tolerateilusidjukl[.]shop | Domain | C2 |
8 | shatterbreathepsw[.]shop | Domain | C2 |
9 | shortsvelventysjo[.]shop | Domain | C2 |
10 | liabilitynighstjsko[.]shop | Domain | C2 |
11 | demonstationfukewko[.]shop | Domain | C2 |
12 | 172[.]67[.]157[.]23 | IP address | C2 |
13 | 104[.]21[.]48[.]243 | IP address | C2 |
14 | https[:]//alcojoldwograpciw[.]shop/api | URL | C2 |
No. | Tactic | Technique |
1 | Reconnaissance (TA0043) | T1592: Gather Victim Host Information |
2 | Execution (TA0002) | T1204.002: Malicious File |
3 | Privilege Escalation (TA0004) | T1055: Process Injection |
4 | Defense Evasion (TA0005) | T1622: Debugger Evasion |
T1497: Virtualization/Sandbox Evasion | ||
T1140: Deobfuscate/Decode Files or Information | ||
T1564.001: Hidden Files and Directories | ||
5 | Discovery (TA0007) | T1622: Debugger Evasion |
T1497: Virtualization/Sandbox Evasion | ||
T1083: File and Directory Discovery | ||
6 | Command and Control (TA0011) | T1071.001: Web Protocols |
7 | Exfiltration (TA0010) | T1041: Exfiltration Over C2 Channel |
rule detect_malicious_files {
strings:
$domain1 = “alcojoldwograpciw.shop”
$domain2 = “productivelookewr.shop”
$domain3 = “tolerateilusidjukl.shop”
$domain4 = “shatterbreathepsw.shop”
$domain5 = “shortsvelventysjo.shop”
$domain6 = “liabilitynighstjsko.shop”
$domain7 = “demonstationfukewko.shop”
$file1 = “setup-win-x86-x64.exe.zip”
$file2 = “setup-win-x86-x64.exe”
condition:
any of ($domain*) or (filename == $file1 and (hash.md5 == “4b5450d05fe036f720cc7384f400b0fb” or hash.md5 == “91e268e53754fcaaab91a3ad32ca4f67fbfc4903e75733a7174d28e1b85dd190”)) or (filename == $file2 and (hash.md5 == “1a3657ef519e3d20930f400dd781dbb2” or hash.md5 == “3669c3c9c47a5e5c59f508976a2732aa1feabfa7c90d1912032e3426c30edde5”))
}