A resurgence in the deployment of Lumma, a sophisticated malware, is targeting Windows systems globally. This infostealer, available as Malware-as-a-Service, enables low-skilled attackers to access high-value credentials and sensitive data with minimal effort.
Distribution and Execution
Lumma is commonly distributed as disguised cracked or pirated software, utilizing platforms like MEGA for its spread. Once downloaded, the malware is installed through a Nullsoft Scriptable Install System (NSIS) installer, deploying its payload into the %Temp% directory and activating a decoy document that triggers the malicious process. An AutoIt-based loader then completes the deployment by executing the malware's encrypted core.
Techniques and Evasion
Utilizing advanced shellcode injection and process hollowing techniques, the Lumma payload embeds itself into benign processes, greatly reducing detection rates. It establishes communication with command-and-control domains, such as diadtuky[.]su, to exfiltrate collected data. This data includes browser credentials, session cookies, and cryptocurrency wallet information.
Lumma employs evasive tactics by monitoring running processes and disabling its functions when security solutions such as Sophos, Norton, or Bitdefender are detected. Its modular architecture allows for frequent updates, enhancing its ability to evade traditional signature-based detection methods.
Detection and Mitigation Strategies
Effective detection of Lumma requires behavior-based Endpoint Detection and Response (EDR) systems. Such systems should track command chains, file alterations, and process anomalies. Security measures should include avoiding the storage of sensitive credentials in browsers, enforcing multi-factor authentication, and monitoring for unusual process executions initiated by installer files.
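One way to turn the "track command chains" recommendation into a concrete check, as an added example that is not from the original report: it walks constructed process-creation records looking for the chain the report describes (a downloaded installer, an executable dropped under %Temp%, an AutoIt interpreter running from there, and a Windows binary parented by that Temp executable, the shape process hollowing leaves in telemetry). The field names and sample paths are assumptions modelled on Sysmon Event ID 1, not real data.

```python
"""Flag the Lumma-style installer chain in process-creation events (added example)."""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOWNLOADS_RE = re.compile(r"\\Downloads\\", re.IGNORECASE)
SYSTEM_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
AUTOIT_RE = re.compile(r"autoit", re.IGNORECASE)

# Constructed sample events (hypothetical; fields modelled on Sysmon EID 1).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\bob\Downloads\Photoshop_Crack_Setup.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\bob\AppData\Local\Temp\nsx1A2B.tmp\loader.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\bob\AppData\Local\Temp\nsx1A2B.tmp\AutoIt3.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\svchost.exe"},  # benign host binary
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

def ancestors(pid, by_pid):
    """Yield the image paths of a process's ancestors, nearest first."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev["image"]

def detect(events):
    """Return (pid, reason) findings for processes matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"]
        parent = by_pid.get(e["ppid"], {}).get("image", "")
        chain = list(ancestors(e["pid"], by_pid))
        # Executable under %Temp% whose ancestry leads back to a downloaded installer.
        if TEMP_RE.search(image) and any(DOWNLOADS_RE.search(a) for a in chain):
            findings.append((e["pid"], "temp_exe_spawned_by_downloaded_installer"))
        # AutoIt interpreter launched from %Temp% (the loader stage).
        if AUTOIT_RE.search(image) and TEMP_RE.search(image):
            findings.append((e["pid"], "autoit_interpreter_in_temp"))
        # Windows binary whose parent lives in %Temp%: candidate hollowing host.
        if SYSTEM_RE.match(image) and TEMP_RE.search(parent):
            findings.append((e["pid"], "system_binary_parented_by_temp_exe"))
    return findings

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Each rule alone is noisy on real endpoints; the value is in correlating them along one parent chain, which is what the EDR recommendation above is asking for.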
- File hash IOC (64 hex characters, i.e. SHA-256 length, although the source labels it MD5): E6252824BE8FF46E9A56993EEECE0DE6E1726693C85E59F14548658A0D82C7E8
- Domains involved: rhussois[.]su, todoexy[.]su.