Lumma Malware: Unmasking the Stealthy Infostealer

What is Lumma Malware?

Lumma malware (Lumma infostealer), is an info-stealer malware that has been active since at least August 2022. The threat actor behind the info stealer is believed to go by “Shamel” or their other alias, which gives the malware its name: “Lumma.”

Lumma is offered as a malware-as-a-service with pricing tiers ranging from $250 to $20,000.

Once purchased, Lumma infostealer provides affiliates with a ready-made tool for targeting sensitive information on victims’ devices without the need for significant technical capabilities.

Lumma also offers various methods for evading detection.

These methods increase in sophistication depending on the pricing tier. At the most expensive tiers, affiliates also gain access to the Lumma malware source code – so they can resell it.

Lumma malware users most commonly perform credential theft (usernames, passwords, etc.) through

• Browser data exfiltration
• Targeting two-factor authentication extensions.

Once a system is compromised, they carry out cryptocurrency wallet theft or access other sensitive financial information, such as credit card numbers. But, the tool can exfiltrate a range of data from compromised machines as well as deliver additional malware.

Logs containing stolen credentials and other sensitive info gathered are available on dedicated dark web marketplaces. This made Lumma a global hub for cybercrime, including fraud and identity theft.

Since its inception, Lumma has gained a reputation as a sophisticated infostealer that is also easy to use. This led to its popularity, with reports that it became the most used infostealer on the market for malware-as-a-service affiliates seeking to launch their own attacks.

Beyond its use by cybercriminals, prominent hacking groups have utilized the info stealer, including:

• Scattered Spider
• Angry Likho
• CoralRaider

How Lumma Malware Works

Written in C++ and assembly language, the Lumma malware aims to gain unauthorized access to browsers. These could be Chromium, Mozilla, or Gecko-based browsers. Additionally, it can install new malware or plugins, including clipboard-stealing plugins or cryptocurrency miners.

This allows Lumma malware to exfiltrate a range of user data with specialized collection methods that have evolved since the infostealer was first observed.

Once Lumma infiltrates the victim’s device, common data targets include:

• Browser data exfiltration, such as session cookies, autofill data, and saved login credentials.
• Cryptocurrency wallet theft through browser extensions and local keys for popular platforms.
• A range of applications, such as email clients, FTP (File Transfer Protocol) clients, or VPNs (Virtual Private Networks).
• The user’s documents found on the device.

Instructions for targeting each data type are specified by the configuration file retrieved from the malware’s command and control (C2) servers. The developer behind Lumma infostealer maintains robust C2 infrastructure with regular updates, proxies to hide the real servers, and other types of obfuscation.

Data exfiltrated by Lumma malware is sent to a C2 server through HTTP POST requests. Software delivered to the victim’s system is typically done so with a non-resident loader via EXE, DLL, and PowerShell malware delivery.

Malware-as-a-service affiliates paying for Lumma infostealer receive access to a panel where they can build the malware binary, communicate with the C2 servers, and manage stolen information.

Lumma Distribution Methods and Infection Vectors

While other infostealers compromise systems by targeting security vulnerabilities or sending bulk spam to victims, Lumma malware operators employ multi-vector delivery methods and various infection vectors.

A wide range of flexible and adaptable delivery methods is utilized to improve success rates, including:

• Phishing that relies on enhanced impersonation tactics and messaging to create a sense of urgency in the reader. These messages then send users to cloned websites or malicious servers to deliver the Lumma malware.
• Fake advertisements, or Malvertising, on search engine result pages that provide poisoned links mimicking legitimate companies.
• Compromising websites typically via vulnerabilities or misconfigurations and modifying content to run malicious JavaScript and deliver Lumma payloads to unsuspecting visitors.
• Cracked versions of applications spread via file-sharing platforms that include Lumma binaries, which are executed post-installation.
• Disguising Lumma binaries in legitimate services such as GitHub. Sophisticated delivery methods seen in recent Lumma campaigns include fake CAPTCHA attacks and the ClickFix technique.

Best Practices to Detect and Mitigate Lumma Malware

Unfortunately, the C2 infrastructure behind Lumma is constantly shifting such that specific domains and IP addresses can only be used for retroactive analysis. But, Microsoft has compiled a list of detection information for Windows users to investigate and identify Lumma malware across endpoints and applications.

Recommended best practices published by the Multi-State Information Sharing and Analysis Center (MS-ISAC), a division of the Center for Internet Security (CIS), to protect against infostealers, include:

• Comprehensive endpoint protection and blocking unauthorized activities to prevent malicious files from being executed.
• Proactive filtering of DNS traffic and preventing connections to known harmful web domains.
• Intrusion detection systems that rely on traditional and advanced techniques to identify new threats.
• In-depth patch management processes to ensure applications remain up-to-date.
• Only allowing trusted PowerShell scripts to run in order to prevent malware delivery.
• Employee training programs that include detailed information on phishing and other social engineering attack vectors.
• Limiting access through the principle of least privilege to minimize the impact of compromised systems.