Lumma Stealer
October 28, 2024
Lumma Stealer is an infostealer malware that emerged in early 2023, though some sources report that its first samples were detected in the wild in late 2022. Functionally, it is a classic information and crypto stealer that targets a selection of data sources across the infected system. Written in C++, it incorporates heavy obfuscation and anti-analysis features, which is what makes this malware so potent and successful.
Its climb to the top of the charts was rapid. A couple of months after launch, Darknet forums were offering Lumma's logs for sale in the same volume as the established leaders of the time, Vidar and Raccoon. Such rapid success is largely explained by the tricks this malware uses to avoid detection, as well as by the flexible spreading approaches chosen by its operators.
Let's break down Lumma Stealer and see what is so unique about it. We will go top to bottom, starting with promotion methods and ending with data exfiltration.
Received Samples
Promotions on Telegram and Darknet
The developers' main ways to market their malware are posts on Darknet forums and in several Telegram groups. There, the crooks offer a range of pricing tiers with different privileges for each. They also provide an extensive description of the stock malware capabilities and its modding potential. Among other things, the developers put special emphasis on the absence of any dependencies and the complete avoidance of high-level WinAPI calls. This greatly improves both execution stability and detection evasion.
Like all the "major" infostealers, its developers offer their own hosting for establishing the C2, praising its stability and anti-DDoS protection. They also boast of anti-detection tricks such as Heaven's Gate, a binary morpher, and a non-resident loader.
Lumma Stealer Spreading Methods
For spreading, it opts for approaches that are common yet arranged in an unusual way. The campaigns are set up so that they look much less suspicious to the victim. Some of them exploit popular social media platforms to reach as many people as possible.
Method 1. Pirated a.k.a Cracked Software
One of the oldest malware spreading approaches, cracked software provides the vast majority of Lumma Stealer's victims. By embedding a downloader script into the installer, the crooks get an excellent disguise. Not only does such software usually require the user to disable antivirus tools, it also provides an alibi for any antivirus notifications afterward.
Typically, for malware that opts for a more sophisticated spreading approach, the bait topics are picked among those with the biggest traffic. Using SEO poisoning and spam in social media, the crooks attract a lot of people to a website that offers to download the desired software for free. This tactic is not new; STOP/Djvu ransomware used it back in 2021.
Hacked YouTube Channels Promoting Software Cracks
One particular case of Lumma Stealer spreading via pirated software happened in January 2024, when a hacked YouTube account started promoting a link to a cracked software download. Upon downloading and running the file from the link, users were infected through a staged loader, which provided additional disguise to the entire operation.
Method 2. Discord Spam Messages
One of the earliest spreading tactics for Lumma Stealer was messages sent through Discord. Despite being rather straightforward, it is surprisingly effective. There were variations on this approach: gaining trust on a particular Discord server, or direct spam to anyone who has not locked their DMs.
The links spread this way pointed to the payload download but were presented as a tool the sender wanted to have tested. In some more sophisticated attacks, the crooks sent malicious files in response to a request for a specific software utility.
Method 3. Email Spam
The alpha and omega of malware spreading throughout the last decade. There are dozens of ways to hide malware in an email message, both as a link and inside an attached file. Lumma went further here, too, targeting specific people with spear phishing campaigns. Mass-spreading campaigns through email are not typical for it, though, for no obvious reason.
Lumma Stealer Threat Analysis
In the vast majority of campaigns, Lumma is delivered by a staged loader, a malicious script that performs some basic checks and pulls the payload from the command server. This does not weaken Lumma's own evasion methods by any means. The interesting thing about these loaders is the use of a GitHub profile as an intermediary C2 server. The loader's main job is to ensure that the system is not a virtual machine or debugging environment, do a basic system review, and retrieve the payload from a separate command server, which differs depending on the system configuration and location.
Step 1. Startup, Detection & Analysis Evasion
The aforementioned staged loader, a script, finishes its activity by downloading a DLL file, the actual payload. Three PNG files in the Resources section of this library hold the encrypted malware code. Upon decryption and launch, it begins its round of system checks to ensure that it is not running in a VM or under a debugger.
For that purpose, the malware obtains the title of the window returned by the Windows function GetForegroundWindow and checks whether it contains any of the strings below. These are strings typical of debugging tools.
- ida
- hyperdbg
- debug
- debugger
- x32dbg
- x64dbg
- cheat engine
- cheatengine
- windbg
- ollydbg
- immunity debugger
- dnspy
The next step is sandbox evasion. The malware enumerates the loaded DLLs, looking for ones typically used by 360 Total Security, Sandboxie, Cuckoo Sandbox and Comodo Antivirus. It also avoids analysis in a Wine environment by checking whether kernel32.dll or ntdll.dll exports the wine_get_unix_file_name function.
Another anti-sandbox round looks for matches on usernames. As most common sandbox environments use default or generic account names, it is not that complicated to weed out the simplest honeypots. The malware compares the current username with the following list:
- CurrentUser
- Virus
- Sandbox
- sand box
- test user
- malware
- maltest
- Miller
- WDAGUtilityAccount
- John Doe
- Johnson
Things do not stop here: it proceeds to review system properties for signs of virtualization. It checks the .sys files in the system32 folder for drivers typical of virtual machines; it scans the devices for the generic vendor names used as placeholders in VMs; and finally it scans the services for any further evidence of a virtual machine.
A match at any of these stages makes the malware stop execution. When the checks pass, Lumma Stealer decrypts the rest of the DLL and performs process injection, launching the payload.
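The checks described in Step 1 are, taken together, a checklist for anyone who runs a sandbox and wants Lumma to detonate rather than exit early. The script below is an added example, not code from the article or from the malware: it models the window-title, username, loaded-module and Wine checks over constructed host profiles and reports why the stealer would stop. The matching semantics (case-insensitive substring for window titles, case-insensitive exact match for usernames) and the DLL-to-product mapping are assumptions based on the products' commonly known module names, not details given in the article.

```python
"""Model of Lumma Stealer's anti-analysis checks (added example, not the
malware's code). Assumptions: window titles are matched as case-insensitive
substrings, usernames as case-insensitive exact matches, and the module names
below are the well-known DLLs of the products the article names."""
from dataclasses import dataclass, field
from typing import List, Set

# Strings searched for in the foreground window title (list from the article).
DEBUGGER_TITLE_MARKERS = [
    "ida", "hyperdbg", "debug", "debugger", "x32dbg", "x64dbg", "cheat engine",
    "cheatengine", "windbg", "ollydbg", "immunity debugger", "dnspy",
]

# Account names compared against the current user (list from the article).
SANDBOX_USERNAMES = [
    "CurrentUser", "Virus", "Sandbox", "sand box", "test user", "malware",
    "maltest", "Miller", "WDAGUtilityAccount", "John Doe", "Johnson",
]

# Loaded-module names for the products the article names (assumed file names).
ANALYSIS_MODULES = {
    "sxin.dll": "360 Total Security",
    "sbiedll.dll": "Sandboxie",
    "cuckoomon.dll": "Cuckoo Sandbox",
    "cmdvrt32.dll": "Comodo Antivirus",
    "cmdvrt64.dll": "Comodo Antivirus",
}

WINE_EXPORT = "wine_get_unix_file_name"


@dataclass
class HostProfile:
    """What the checks observe: foreground window title, current user name,
    loaded module names, and the export names of kernel32.dll (Wine check)."""
    window_title: str
    username: str
    loaded_modules: List[str] = field(default_factory=list)
    kernel32_exports: Set[str] = field(default_factory=set)


def debugger_markers(window_title: str) -> List[str]:
    """Case-insensitive substring match; note 'debug' also hits 'debugger'."""
    title = window_title.lower()
    return [m for m in DEBUGGER_TITLE_MARKERS if m in title]


def sandbox_username(username: str) -> bool:
    user = username.lower()
    return any(user == n.lower() for n in SANDBOX_USERNAMES)


def analysis_products(loaded_modules: List[str]) -> List[str]:
    hits = {ANALYSIS_MODULES[m.lower()] for m in loaded_modules
            if m.lower() in ANALYSIS_MODULES}
    return sorted(hits)


def running_under_wine(kernel32_exports: Set[str]) -> bool:
    return WINE_EXPORT in kernel32_exports


def abort_reasons(p: HostProfile) -> List[str]:
    """Every reason the stealer would stop; an empty list means it proceeds."""
    reasons = []
    for m in debugger_markers(p.window_title):
        reasons.append(f"debugger window title contains '{m}'")
    if sandbox_username(p.username):
        reasons.append(f"sandbox username '{p.username}'")
    for product in analysis_products(p.loaded_modules):
        reasons.append(f"{product} module loaded")
    if running_under_wine(p.kernel32_exports):
        reasons.append(f"kernel32 exports {WINE_EXPORT}")
    return reasons


# Constructed host profiles for illustration (not real telemetry).
DEFAULT_SANDBOX = HostProfile("Analysis - Cuckoo", "John Doe",
                              ["ntdll.dll", "kernel32.dll", "cuckoomon.dll"])
ANALYST_DESKTOP = HostProfile("sample.dll - x64dbg", "alice",
                              ["ntdll.dll", "kernel32.dll"])
WINE_BOX = HostProfile("Desktop", "bob", ["ntdll.dll", "kernel32.dll"],
                       {"CreateFileA", WINE_EXPORT})
HARDENED_SANDBOX = HostProfile("Quarterly report.docx - Word", "m.fischer",
                               ["ntdll.dll", "kernel32.dll", "user32.dll"])

if __name__ == "__main__":
    for name, profile in [("default sandbox", DEFAULT_SANDBOX),
                          ("analyst desktop", ANALYST_DESKTOP),
                          ("wine box", WINE_BOX),
                          ("hardened sandbox", HARDENED_SANDBOX)]:
        reasons = abort_reasons(profile)
        print(f"{name}: {'ABORT' if reasons else 'PROCEED'} {reasons}")
```

Only the hardened profile passes every check: a realistic account name, a document-like foreground window, no sandbox helper DLL and no Wine export. That is the practical takeaway of Step 1 for detonation environments; the driver, device-vendor and service checks mentioned above would have to be covered the same way.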
Step 2. Data Stealing
After this long detection and analysis evasion cycle, it eventually switches to its main function: information stealing. Beforehand, it reports the new instance to the command server. This is done with an HTTP POST request. Each sample carries a list of encrypted C2 addresses (1 main + 10 backup) that the malware starts resolving after launch. The first one to respond is then used for all further communications, including data exfiltration.
Once the initial connection is established, the stealer scans the user data on the system, seeking files related to crypto wallets, browser profiles, and browser extensions of crypto wallets. As the developers say in the promo post, it is possible to add a needed crypto wallet extension to the search list in a couple of clicks. Under one of the pricing tiers, the crooks offer to steal persistent cookies, a type that provides access to the compromised account even after a password change. When data collection is over, Lumma Stealer encrypts the resulting package and sends it to the C2 server.
The Lumma C2 panel is also worth attention. All the detection evasion methods are complemented by AI-assisted filtering, which weeds out exfiltrated data coming from "bots", i.e. the test machines used by analysts. At least, this capability was promoted in one of the publications on the Darknet forum.
How to Protect Yourself?
As you could see from the analysis, it is an exceptionally cautious malware. Before running, it does its best to avoid leaving any trails in the system. However, it is not invulnerable, as advanced anti-malware software is still able to catch it rather fast. Still, the best option is to avoid infection at all.
Avoid cracked software. The vast majority of Lumma Stealer cases stem from malware embedded in pirated software. Its properties make such apps an exceptionally good shell for malware spreading.
Be careful with sketchy programs you find online. Continuing the previous point: low-trust or unknown applications may be used to carry malware. Like pirated apps, they often require you to disable anti-malware software, and you often simply do not know how the program should behave. The latter makes it even more convenient for malware distribution.
Do not interact with suspicious email messages. Even though Lumma is rarely spread in email attachments, this is universal advice for keeping your system safe. Despite all attempts to block this approach, it is still the most popular one and may be used under different circumstances and in different attack scenarios.
Use GridinSoft Anti-Malware. The best way to be sure about your system's safety is to have dedicated software for that. Combined with the precautions above, an anti-malware program acts as a gatekeeper, detecting and removing whatever managed to get in. Our GridinSoft Anti-Malware is a program you can rely on for this purpose.
Lumma Stealer Indicators of Compromise (IoC)
IP Addresses
- 176.113.115.224
- 176.113.115.226
- 176.113.115.227
- 176.113.115.229
- 176.113.115.232
- 144.76.173.247
- 45.9.74.78
- 77.73.134.68
- 82.117.255.127
- 82.117.255.80
- 82.118.23.50
Domains (defanged)
- futureddospzmvq[.]shop
- writerospzm[.]shop
- mennyudosirso[.]shop
- deallerospfosu[.]shop
- quialitsuzoxm[.]shop
- complaintsipzzx[.]shop
- bassizcellskz[.]shop
- languagedscie[.]shop
- celebratioopz[.]shop
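As an added example (not part of the article), the script below refangs the IoCs listed above and matches them against DNS and connection log lines. It also flags a host that resolves several listed domains within a short window, which is what a sample walking its list of one primary and ten backup C2 domains (Step 2) looks like in DNS telemetry. The log line format, the sample lines and the 60-second window are constructed assumptions for this example, not facts from the article.

```python
"""Match the Lumma Stealer IoCs from the article against log lines and flag
hosts iterating through the C2 domain list (added example, not article code).
Assumptions: the log format, sample lines and 60-second window are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Domains as listed in the article (defanged), refanged for matching.
DEFANGED_DOMAINS = [
    "futureddospzmvq[.]shop", "writerospzm[.]shop", "mennyudosirso[.]shop",
    "deallerospfosu[.]shop", "quialitsuzoxm[.]shop", "complaintsipzzx[.]shop",
    "bassizcellskz[.]shop", "languagedscie[.]shop", "celebratioopz[.]shop",
]
C2_DOMAINS = {d.replace("[.]", ".").lower() for d in DEFANGED_DOMAINS}

C2_IPS = {
    "176.113.115.224", "176.113.115.226", "176.113.115.227", "176.113.115.229",
    "176.113.115.232", "144.76.173.247", "45.9.74.78", "77.73.134.68",
    "82.117.255.127", "82.117.255.80", "82.118.23.50",
}

# Constructed sample log (not real telemetry). Line format, assumed here:
# "<ISO timestamp> <client IP> dns <name>" or
# "<ISO timestamp> <client IP> connect <ip>:<port>".
SAMPLE_LOG = """\
2024-10-28T10:00:01Z 10.0.0.5 dns futureddospzmvq.shop
2024-10-28T10:00:02Z 10.0.0.5 dns writerospzm.shop
2024-10-28T10:00:03Z 10.0.0.5 dns mennyudosirso.shop
2024-10-28T10:00:05Z 10.0.0.5 connect 176.113.115.224:443
2024-10-28T10:00:09Z 10.0.0.7 dns example.com
2024-10-28T10:12:30Z 10.0.0.7 dns cdn.celebratioopz.shop
2024-10-28T10:13:00Z 10.0.0.9 dns google.com
2024-10-28T10:13:01Z 10.0.0.9 connect 142.250.74.78:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|connect) (\S+)$")


def is_c2_domain(name: str) -> bool:
    """Exact or subdomain match against the listed domains (case-insensitive)."""
    n = name.lower().rstrip(".")
    return n in C2_DOMAINS or any(n.endswith("." + d) for d in C2_DOMAINS)


def is_c2_ip(endpoint: str) -> bool:
    """Match 'ip:port' or bare 'ip' against the listed addresses."""
    return endpoint.rsplit(":", 1)[0] in C2_IPS


def find_hits(log_text: str) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, client, kind, target) for every line hitting an IoC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, kind, target = m.groups()
        matched = is_c2_domain(target) if kind == "dns" else is_c2_ip(target)
        if matched:
            hits.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                         client, kind, target))
    return hits


def c2_walk_hosts(hits, window=timedelta(seconds=60), min_domains=2) -> List[str]:
    """Hosts that resolved at least `min_domains` distinct listed domains within
    `window`: a sample trying its primary C2 and then the backups in turn."""
    per_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, client, kind, target in hits:
        if kind == "dns":
            per_host[client].append((ts, target.lower()))
    flagged = []
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_domains:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for ts, client, kind, target in hits:
        print(f"{ts.isoformat()} {client} {kind} {target}")
    print("hosts walking the C2 list:", c2_walk_hosts(hits))
```

A single lookup of one listed domain (host 10.0.0.7 here) is an IoC hit worth triage, but the three lookups in three seconds followed by a connection to a listed IP (host 10.0.0.5) is the stronger signal: it matches the failover behaviour the sample exhibits while picking the first responsive C2. Subdomain matching is deliberate, since the malware's hosting may sit under the listed apex domains.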