Introduction to Lumma Malware

Lumma is a powerful information stealer malware designed to extract sensitive data from infected systems. It primarily focuses on stealing passwords, credit card information, session cookies, and cryptocurrency wallet details stored in web browsers. The malware has become widely available due to its “malware-as-a-service” (MaaS) model, making it accessible to cybercriminals who subscribe to its services.

Lumma Malware: Origins and Evolution

2022: Lumma was first detected and attributed to Russian origins.

Malware-as-a-Service (MaaS): Instead of being deployed exclusively by its creators, Lumma became a purchasable tool that anyone could use by paying a fee.

Windows Targeting: It has been observed in attacks against systems running Windows 7, 8, 10, and 11, making it a significant threat for modern OS users.

Lumma as Information Stealer Malware

Lumma malware is designed to steal a variety of sensitive data, including:

  • Two-Factor Authentication (2FA) details: If stored in the browser, Lumma can extract them to bypass additional security layers.
  • Cryptocurrency wallets: Targets stored private keys and wallet information.
  • Browser cookies and extensions: By stealing cookies, attackers can hijack user sessions without needing passwords.
  • Plaintext passwords: Extracts stored credentials from browsers, such as Chrome and Edge.
  • Credit card information: If the browser saves payment details, Lumma retrieves them for financial fraud.

How Lumma Malware Works

Exfiltration to C2 Servers: The stolen data is encrypted and sent to command-and-control (C2) servers operated by hackers.

Stealth Mode: Uses advanced evasion techniques to bypass antivirus software and endpoint security measures.

Persistence: Lumma establishes long-term access to the infected system by using scheduled tasks and registry modifications.

Delivery Methods

Lumma malware spreads through multiple deceptive methods:

  1. Phishing emails: Victims receive malicious attachments or links that download the malware.
  2. Malvertising: Fake ads distribute infected software, tricking users into downloading malicious files.
  3. Fake CAPTCHA Verifications: Some attacks use fraudulent CAPTCHA prompts that execute malicious PowerShell scripts upon user interaction.

Malware Analysis with ANY.RUN

1. Initial Infection via Fake CAPTCHA

  • Users are prompted to copy & paste a script into their Windows Run dialog.
  • The script downloads & executes a hidden payload from an AWS server controlled by the attackers.
  • The main dropper is stored in the temporary directory.

2. Malware Execution & Connection to C2 Servers

  • The malware executes a series of processes that:
    • Steal browser data (cookies, stored passwords).
    • Exfiltrate data to C2 servers.
    • Modify system settings to ensure persistence.
  • The malware communicates with its Command & Control (C2) infrastructure, sending stolen credentials and receiving further instructions.

3. Windows Defender Evasion

  • PowerShell scripts disable Windows Defender by adding exclusions for:
    • User Profile Directories
    • System Drive
  • Ensures the malware operates undetected.

Case Study: GitHub-Based Infection

  • A fake GitHub repository hosted an infected Roblox script executor named Solara Executor.
  • Once downloaded and run:
    • A PowerShell script is executed to disable security protections.
    • The malware downloads an additional payload (XMRig).
    • XMRig is a crypto miner, using the victim’s CPU to mine cryptocurrency for the attacker.
    • Scheduled Tasks are created to re-run the malware every 5 minutes and 1 hour.

Detection & Analysis via ANY.RUN

ANY.RUN, a popular sandbox environment, allows security researchers to analyze Lumma’s behavior. Key findings include:

  • Process Tree Examination:
    • Identifies suspicious CMD and PowerShell executions.
    • Finds scheduled tasks ensuring malware persistence.
    • Detects connections to external servers (C2 servers).
  • File Analysis:
    • Various dropped files and executables were retrieved and analyzed.
    • Jonathan.com was identified as a Trojan & Information Stealer.
    • Malware uses batch scripts & encoding (Base64 obfuscation) to hide its real functionality.

Indicators of Compromise (IoCs)

Researchers identified several critical IoCs, including:

  • Malicious domains and IPs: Identified C2 server addresses where stolen data is sent.
  • Dropped files: Malicious executables used to deploy Lumma on victim machines.
  • Registry modifications: Lumma alters system settings to remain undetected.

Impact and Prevention

  • Users should avoid saving passwords and credit card details in their browsers.
  • Regularly update antivirus and use endpoint protection solutions.
  • Do not download software from untrusted sources or click suspicious links.

Final Notes

  • ANY.RUN is a powerful tool for analyzing such threats in real-time.
  • Users are encouraged to practice safe computing and regularly check for malware indicators on their systems.
  • The video also mentions that ANY.RUN now supports Android malware analysis, allowing users to analyze APK files for potential threats.
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles