Cybersecurity researchers have uncovered a sophisticated campaign that abuses GitHub’s trusted infrastructure to distribute the Lumma Stealer malware. The campaign is part of a growing trend in which cybercriminals leverage legitimate platforms to carry out malicious activity; the malware itself targets sensitive user data such as login credentials, cryptocurrency wallets, and browser information. The attackers used GitHub repositories to host malicious files disguised as legitimate software. These files, such as Pictore.exe and App_aelGCY3g.exe, were signed with revoked certificates to make them appear credible, thereby evading initial detection.
The download links used for these files were pre-signed with short expiration parameters, further limiting detection and adding urgency to trick users into downloading the malware.
Once executed, the Lumma Stealer malware begins a series of malicious activities. It collects a wide array of data, including sensitive credentials, browser cookies, autofill information, and local system configurations. The malware communicates with command-and-control (C2) servers via HTTP POST requests, connecting to IPs such as 192[.]142[.]10[.]246 and 192[.]178[.]54[.]36. Lumma Stealer also employs PowerShell scripts and shell commands to ensure persistence on infected systems. These commands evade detection controls by enabling unrestricted script execution. Additionally, the malware drops further tools such as SectopRAT and Vidar, which deepen the compromise by stealing more data or injecting malicious processes.
The attack campaign behind Lumma Stealer is modular, combining several different malware families to enhance its capabilities. Once downloaded, Lumma Stealer extracts files from archives like app-64.7z using embedded utilities such as nsis7z.dll. These extracted files, including components like chrome_100_percent.pak and snapshot_blob.bin, suggest that Electron-based applications may be used for further malicious purposes. The malware’s adaptability allows it to spread through various vectors, including compromised websites and trusted platforms like GitHub, following similar tactics to those used by the Stargazer Goblin group.
To defend against threats like Lumma Stealer, experts recommend several protective measures. Users should always validate URLs and digital certificates before downloading any files and rely on endpoint security solutions to detect unauthorized shell commands. Blocking communication with known malicious IP addresses is essential, while regular system patching and enabling multi-factor authentication (MFA) further strengthen defenses. Additionally, training employees to recognize phishing attempts and other social engineering tactics is crucial to prevent initial infections. With these proactive steps, organizations can mitigate the risks posed by malware campaigns like Lumma Stealer.
About Lumma Stealer:
Lumma Stealer, also known as LummaC2 Stealer, is a sophisticated information-stealing malware first observed in August 2022. Developed by the threat actor known as “Shamel” or “Lumma,” it is distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking forums and targets a range of sensitive data. Written in C, Lumma Stealer primarily focuses on compromising cryptocurrency wallets and two-factor authentication (2FA) browser extensions. It exfiltrates stolen information by sending it to a command-and-control (C2) server via HTTP POST requests, using the user agent “TeslaBrowser/5.5.”
The malware’s capabilities extend beyond simple data theft; it includes a non-resident loader that can deliver additional malicious payloads in the form of EXE, DLL, or PowerShell scripts. This makes Lumma Stealer a versatile tool in the arsenal of cybercriminals, combining targeted data extraction with the potential for further compromise through additional malware delivery.
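As an added example that is not part of the original article, the following Python turns the indicators the article quotes (the two C2 addresses and the TeslaBrowser/5.5 user agent, together with the PowerShell execution-policy relaxation mentioned in the campaign description) into a simple defensive sweep over proxy records and process-creation events; the record layout, internal host addresses, file paths and sample data are constructed assumptions for the example.

```python
import re

# Indicators quoted in the article: the two C2 addresses and the Lumma user agent.
C2_IPS = {"192.142.10.246", "192.178.54.36"}
LUMMA_UA = "TeslaBrowser/5.5"
# Assumption: the "unrestricted script execution" the article mentions is the usual
# PowerShell execution-policy override; the switch spellings below are standard PowerShell.
PS_POLICY_OVERRIDE = re.compile(r"-(?:ep|executionpolicy|ex)[\s:]+(?:bypass|unrestricted)", re.IGNORECASE)
# Constructed proxy record layout: '<ts> <src_ip> <method> <dst_ip> <path> "<user-agent>"'
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def scan_proxy_log(lines):
    """Return (line_no, reason) pairs for records that touch a Lumma C2 indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line)
        if not m:            # malformed record: skip it rather than abort the sweep
            continue
        _ts, src, method, dst, _path, ua = m.groups()
        if dst in C2_IPS:    # any traffic to a known C2 address, POST or otherwise
            hits.append((n, f"{method} to known Lumma C2 {dst} from {src}"))
        if ua == LUMMA_UA:   # the stealer's hard-coded user agent string
            hits.append((n, f"Lumma user agent seen from {src}"))
    return hits


def scan_process_events(events):
    """events: (image_path, command_line) tuples. Flag PowerShell started with a relaxed policy."""
    return [(img, cmd) for img, cmd in events
            if img.lower().endswith("powershell.exe") and PS_POLICY_OVERRIDE.search(cmd)]


# Constructed sample data (not from any real capture); 10.0.0.x hosts and 203.0.113.5 are placeholders.
SAMPLE_PROXY = [
    '2025-01-10T09:12:01Z 10.0.0.15 GET 203.0.113.5 /index.html "Mozilla/5.0"',
    '2025-01-10T09:12:05Z 10.0.0.15 POST 192.142.10.246 /api "TeslaBrowser/5.5"',
    '2025-01-10T09:13:40Z 10.0.0.22 POST 192.178.54.36 /upload "Mozilla/5.0"',
    '2025-01-10T09:14:00Z 10.0.0.30 GET 192.178.54.36 / "Mozilla/5.0"',
    'not a well-formed proxy record',
]
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\run.ps1"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -Command Get-Date"),
    (r"C:\Windows\explorer.exe", "explorer.exe -ep bypass"),
    ("powershell.exe", r"powershell -ep Unrestricted -File C:\Temp\stage.ps1"),
]

if __name__ == "__main__":
    for n, why in scan_proxy_log(SAMPLE_PROXY):
        print(f"proxy line {n}: {why}")
    for img, cmd in scan_process_events(SAMPLE_EVENTS):
        print(f"process: {img} -> {cmd}")
```

Feeding real proxy and Sysmon/4688 exports into the two functions only requires adapting PROXY_RE and the event tuple shape to the local log format.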