Researchers have analysed several Lumma Stealer samples and documented the techniques the malware uses to steal sensitive data. The samples are linked by a parent-child execution chain and share a common command-and-control (C2) channel, which points to one coordinated campaign rather than unrelated infections.
Lumma Stealer, as seen in the analysed sample, is built to harvest data from popular browsers and applications: saved browser credentials, cryptocurrency wallet data, and user profiles from platforms such as Steam and Discord. The researchers highlight how effectively the malware captures and exfiltrates this data and stress that defences need to keep pace with it.
Three files were identified in the sample set: a small PowerShell script named “Trigger.ps1”, a larger PowerShell script stored as “BMB1tcTf.txt”, and an executable named “hhh.exe”. Each was catalogued by its SHA1 hash so that the components can be identified unambiguously and tied to one another across analyses.
The first script, Trigger.ps1, downloads and executes the larger script, BMB1tcTf.txt, when certain conditions are met. That second script is the malicious stage proper: it in turn downloads and runs hhh.exe, adding another layer of staging and obfuscation that makes the infection harder to reconstruct from any single artifact.
The dropped sample, identified as GHOSTPULSE (a loader), collects system information once it runs: operating system details, hardware specifications, loaded modules and running processes. This reconnaissance lets the operators behind Lumma Stealer profile the victim machine and tailor the rest of the attack, and it is also a detection opportunity, since the queries it makes are observable on the host.
The loader then uses Process Doppelgänging to run its payload inside a new process, in this case more.com. The technique relies on transactional NTFS: the malicious image is written to a transacted file, a section is created from it, and the transaction is rolled back, so the image never persists on disk under that name and the resulting process appears to be backed by a clean file. Together with additional files dropped under random names, this shows how much effort goes into evading detection. Defenders can watch for the transactional file APIs (CreateFileTransacted, RollbackTransaction) being followed by section creation in processes that have no business using them.
Also notable is a delivery stage disguised as an AutoIt script: the AutoIt interpreter, AutoIt3.exe, is shipped with a PNG image in which the malicious payload is embedded. This image-based loading, which the researchers refer to as the Ghostpulse technique, is a reminder that a file which renders correctly as an image can still carry executable content, and that scanners which trust the image format at face value will miss it.
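The payload-in-PNG loading described above invites a concrete check. The following Python example is added here and is not code from the researchers or from any analysis tool mentioned on the page; the page does not say where inside the image the payload sits, so the example generically walks the PNG chunk list and flags the places where foreign data can be tucked away: bytes after the deflate stream inside IDAT, bytes after IEND, chunk CRC mismatches, and non-standard chunk types. The images it scans are constructed in memory, not real samples.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def png_chunk(name, payload):
    """Serialise one chunk: 4-byte length, 4-byte type, payload, CRC32(type+payload)."""
    crc = zlib.crc32(name + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + name + payload + struct.pack(">I", crc)


def parse_chunks(data):
    """Walk the chunk list.

    Returns (chunks, trailing): chunks is a list of (type, payload, crc_ok, offset)
    and trailing is whatever follows IEND, which a decoder ignores but a loader can read.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, name = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):                       # length runs past the file: truncated chunk
            chunks.append((name, data[pos + 8:], False, pos))
            return chunks, b""
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        crc_ok = stored_crc == (zlib.crc32(name + payload) & 0xFFFFFFFF)
        chunks.append((name, payload, crc_ok, pos))
        pos = end
        if name == b"IEND":
            break
    return chunks, data[pos:]


def analyze_png(data):
    """Return a list of findings; an empty list means the chunk structure looks ordinary."""
    findings = []
    chunks, trailing = parse_chunks(data)
    if trailing:
        findings.append(f"trailing_data_after_IEND:{len(trailing)}")
    for name, payload, crc_ok, off in chunks:
        label = name.decode("latin-1")
        if not crc_ok:
            findings.append(f"crc_mismatch:{label}@{off}")
        if name not in KNOWN_CHUNKS:
            findings.append(f"nonstandard_chunk:{label}@{off}:len={len(payload)}")
    # All IDAT chunks together form one zlib stream. Anything after the stream's
    # end marker is invisible to an image decoder but readable by a loader.
    idat = b"".join(p for n, p, _, _ in chunks if n == b"IDAT")
    if idat:
        d = zlib.decompressobj()
        try:
            d.decompress(idat)
            if d.unused_data:
                findings.append(f"data_after_deflate_stream_in_IDAT:{len(d.unused_data)}")
            elif not d.eof:
                findings.append("idat_stream_truncated")
        except zlib.error:
            findings.append("idat_not_valid_zlib")
    return findings


def build_png(idat_payload, extra_chunks=(), trailing=b""):
    """Constructed 1x1 RGB PNG used as sample input; not a real-world file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    body = png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat_payload)
    for name, payload in extra_chunks:
        body += png_chunk(name, payload)
    return PNG_SIG + body + png_chunk(b"IEND", b"") + trailing


CLEAN_IDAT = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
CLEAN_PNG = build_png(CLEAN_IDAT)
# Constructed "smuggled" image: 64 bytes hidden after the deflate stream inside IDAT
# (the chunk CRC is recomputed, so CRC checking alone would not notice), a private
# chunk type carrying 16 bytes, and 32 bytes appended after IEND. None of this
# changes how the image renders.
HIDDEN = b"\xcc" * 64
TAMPERED_PNG = build_png(CLEAN_IDAT + HIDDEN,
                         extra_chunks=[(b"daTa", b"\x90" * 16)],
                         trailing=b"MZ" + b"\x00" * 30)

if __name__ == "__main__":
    print("clean:   ", analyze_png(CLEAN_PNG))
    print("tampered:", analyze_png(TAMPERED_PNG))
```

The IDAT check is the one worth remembering: a decoder stops reading at the deflate end-of-stream marker, so bytes appended inside the chunk are ignored when the image is displayed, and `decompressobj().unused_data` is the cheapest way to see whether any are there.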
According to analysts at Tianqiong sandbox, Lumma Stealer uses process injection techniques including Heaven’s Gate, in which 32-bit code running under WoW64 switches the processor into 64-bit mode to call 64-bit native APIs directly, sidestepping the user-mode hooks that security tools place on the 32-bit API layer. That is what lets it gather system information and passwords with less chance of being observed. Communication with the C2 server uses HTTP requests carrying multipart/form-data bodies delimited by a distinctive boundary string. The upload format itself is ordinary web traffic, which helps the malware blend in, but a boundary string that is reused across requests is a usable network signature.
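The multipart/form-data exchange mentioned above, as an added example that is not from the page or from the sandbox: a small parser that pulls the boundary out of a captured POST and splits the body into its parts, so an analyst can see which fields were uploaded and lift the boundary for a signature. The request, hostname, boundary and field names below are all constructed for the example and are not observed values.

```python
import re


def split_http_request(raw):
    """Split a raw HTTP/1.1 request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(b":")
        headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers, body


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart/form-data Content-Type, else None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    return (m.group(1) or m.group(2)) if m else None


def parse_multipart(body, boundary):
    """Return {field name: {"filename", "content_type", "content"}} for each part."""
    delim = b"--" + boundary.encode("latin-1")
    parts = {}
    for raw in body.split(delim)[1:]:             # [0] is the preamble, normally empty
        if raw.startswith(b"--"):
            break                                  # "--boundary--" closes the body
        if raw.startswith(b"\r\n"):
            raw = raw[2:]
        head, _, content = raw.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]                 # that CRLF belongs to the next delimiter
        head_text = head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', head_text)
        filename = re.search(r'filename="([^"]*)"', head_text)
        ctype = re.search(r"(?im)^content-type:\s*(.+)$", head_text)
        parts[name.group(1) if name else f"_unnamed_{len(parts)}"] = {
            "filename": filename.group(1) if filename else None,
            "content_type": ctype.group(1).strip() if ctype else None,
            "content": content,
        }
    return parts


def inspect_post(raw):
    """Return (boundary, parts) for a captured request, or (None, {}) if not multipart."""
    headers, body = split_http_request(raw)
    boundary = extract_boundary(headers.get("content-type", ""))
    if boundary is None:
        return None, {}
    return boundary, parse_multipart(body, boundary)


# Constructed capture (hypothetical host, boundary and field names; not a real sample).
B = b"exampleboundary0123456789"
CONSTRUCTED_POST = b"".join([
    b"POST /upload HTTP/1.1\r\n",
    b"Host: c2.example.invalid\r\n",
    b"Content-Type: multipart/form-data; boundary=", B, b"\r\n",
    b"\r\n",
    b"--", B, b"\r\n",
    b'Content-Disposition: form-data; name="field1"\r\n',
    b"\r\n",
    b"hello\r\n",
    b"--", B, b"\r\n",
    b'Content-Disposition: form-data; name="upload"; filename="data.zip"\r\n',
    b"Content-Type: application/octet-stream\r\n",
    b"\r\n",
    b"PK\x03\x04\x00\x01\r\n",
    b"--", B, b"--\r\n",
])

if __name__ == "__main__":
    boundary, parts = inspect_post(CONSTRUCTED_POST)
    print("boundary:", boundary)
    for field, part in parts.items():
        print(field, part["filename"], part["content_type"], len(part["content"]), "bytes")
```

Browsers generate a fresh random boundary per request (for example the WebKit-style `----WebKitFormBoundary...` prefix followed by random characters); a client that sends the same boundary every time, or one that does not look browser-generated, stands out when the boundaries from many captures are compared.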
Lumma Stealer is a good illustration of how quickly commodity stealers absorb loader and evasion techniques. Detecting and containing it depends on layered measures: host telemetry for the staged PowerShell execution and the reconnaissance queries, network visibility for the C2 uploads, and shared threat intelligence so that indicators from one analysis reach the defenders of other targets.

