The Surge of Lumma: The Info-Stealer Revolutionizing Malware-as-a-Service


Understanding Malware-as-a-Service (MaaS) Information Stealers

The Malware-as-a-Service (MaaS) model offers aspiring cybercriminals a cost-effective and relatively simple means to execute advanced cyber attacks and achieve their malicious objectives. Among these services are information stealers, which focus on extracting and exfiltrating sensitive data—such as login credentials and financial details—from compromised devices, potentially causing significant financial damage to both individuals and organizations.

What is the Lumma Information Stealer?

The Lumma information stealer, which has been marketed and sold on various dark web forums since 2022, exemplifies this type of MaaS. Lumma specifically targets cryptocurrency wallets, browser extensions, and two-factor authentication (2FA) mechanisms, ultimately siphoning sensitive information from infected systems. The distribution of Lumma on dark web platforms is increasing, with over a dozen command-and-control (C2) servers detected in the wild.

From January to April 2023, Darktrace monitored and analyzed several instances of Lumma activity across its client base. Leveraging its anomaly-based threat detection, Darktrace DETECT™ effectively identifies and provides insight into activities related to such info-stealers, from C2 operations to the exfiltration of sensitive data.

Background on Lumma Stealer

Previously known as LummaC2, the Lumma stealer is a subscription-based information theft tool that has been active since 2022. It is believed to have been created by the threat actor “Shamel,” using the alias “Lumma.” The stealer is marketed on dark web forums and through a Telegram channel with over a thousand subscribers as of May 2023. It is also available on Lumma’s official sales page for as low as $250.

Emergence of Lumma Stealer in the Russian Market

Research into the Russian market for stolen credentials has identified Lumma stealer as a notable emerging threat since early 2023. Lumma has joined the ranks of rising info-stealers, alongside other threats like Vidar and Raccoon [1].

Like other info-stealers, Lumma can extract data from compromised systems, including system and application information, as well as sensitive data such as cookies, usernames, passwords, credit card numbers, browsing history, and cryptocurrency wallet details.

From January to April 2023, Darktrace observed Lumma malware activity across multiple customer environments, primarily in the EMEA region but also in the US. This activity involved data exfiltration to external endpoints associated with Lumma malware, likely originating from trojanized software downloads or malicious emails containing Lumma payloads.

Lumma Attack Methods and Darktrace Detection

Lumma is often distributed disguised as cracked or fake versions of popular software like VLC or ChatGPT. More recently, threat actors have also used emails with attachments or links pretending to be from well-known companies to deliver the malware. For instance, in February 2023, a South Korean streamer was targeted by a spear-phishing email that mimicked the video game company Bandai Namco [4].

Lumma primarily targets Windows operating systems (Windows 7 to 11) and at least ten different browsers, including Google Chrome, Microsoft Edge, and Mozilla Firefox [5]. It also targets cryptocurrency wallets such as Binance and Ethereum, as well as crypto wallet and 2FA browser extensions like Metamask and Authenticator [6]. Additionally, the malware can exfiltrate data from applications like AnyDesk and KeePass [7].

Infection with Lumma can lead to fraudulent use of the stolen credentials, potentially resulting in significant financial losses, such as bank account hijacking.

Once the targeted data is captured, it is exfiltrated to a C2 server. Darktrace has detected this process in multiple affected environments. Through Darktrace DETECT, instances of data exfiltration via HTTP POST requests to known Lumma C2 servers were identified. During these connections, DETECT frequently noted the URI “/c2sock” and the user agent “TeslaBrowser/5.5”.

In one case, Darktrace flagged a device using the “TeslaBrowser/5.5” user agent, which was new for the device, making an HTTP POST request to an unusual IP address, 82.117.255[.]127 (Figure 3). Darktrace’s Self-Learning AI recognized this as a deviation from expected behavior and alerted the customer’s security team.

A detailed analysis of the packet captures (PCAP) from HTTP POST requests on one device confirmed that various types of data were being exfiltrated from the customer's network. This included browser data, such as Google Chrome history files, system information stored in a System.txt file, and program data like AnyDesk configuration files.
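The detection pattern described in the preceding paragraphs (HTTP POST requests to a known Lumma C2 address, the URI "/c2sock", and a user agent that is new for the device) can be turned into a small triage script. The following is an added example, not Darktrace's code or any tooling from the Lumma article. The only real indicators in it are the three quoted on this page (82.117.255[.]127, /c2sock, TeslaBrowser/5.5); the pipe-delimited log format, the host names, the benign IPs (RFC 5737 documentation ranges) and the other user agents are constructed for the example. It combines a static IoC match with the per-device "user agent never seen before" baseline, so it also illustrates the point made in the conclusion about not relying on static IoCs alone.

```python
"""Flag Lumma-style exfiltration in a simple HTTP proxy log.

Example code, not part of the original article. The log format is a
constructed, pipe-delimited one: time|src_host|method|dst_ip|uri|user_agent.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Indicators quoted in the article (the IP appears there defanged as 82.117.255[.]127).
LUMMA_C2_IPS = {"82.117.255.127"}
LUMMA_C2_URIS = {"/c2sock"}
LUMMA_USER_AGENTS = {"TeslaBrowser/5.5"}

# Address ranges treated as internal; anything else counts as an external endpoint.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log. ws-017 browses normally, then starts POSTing to the C2;
# ws-042 POSTs to an unknown external host with a user agent never seen on it.
SAMPLE_LOG = """\
2023-03-01T09:00:01|ws-017|GET|198.51.100.20|/index.html|Mozilla/5.0 (Windows NT 10.0) Chrome/111.0
2023-03-01T09:00:05|ws-017|POST|198.51.100.20|/login|Mozilla/5.0 (Windows NT 10.0) Chrome/111.0
2023-03-01T09:02:10|ws-042|GET|10.0.0.25|/intranet|Mozilla/5.0 (Windows NT 10.0) Edge/111.0
2023-03-01T09:05:33|ws-017|POST|82.117.255.127|/c2sock|TeslaBrowser/5.5
2023-03-01T09:05:40|ws-017|POST|82.117.255.127|/c2sock|TeslaBrowser/5.5
2023-03-01T09:06:00|ws-042|POST|203.0.113.9|/upload|CustomUploader/1.0
"""

NEW_AGENT_REASON = "POST to external IP with a user agent new for this host"


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    method: str
    dst_ip: str
    uri: str
    user_agent: str


def parse_line(line: str) -> Event:
    """Split one pipe-delimited log line into an Event; the user agent may contain '|'-free text only."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    return Event(*parts)


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ioc_reasons(ev: Event) -> list:
    """Static indicator matches for a single event, in a fixed order."""
    reasons = []
    if ev.dst_ip in LUMMA_C2_IPS:
        reasons.append("known Lumma C2 IP")
    if ev.uri in LUMMA_C2_URIS:
        reasons.append("Lumma C2 URI")
    if ev.user_agent in LUMMA_USER_AGENTS:
        reasons.append("Lumma user agent")
    return reasons


def analyze(log_text: str) -> list:
    """Return alerts as (host, dst_ip, severity, reasons) tuples in log order.

    Severity is 'high' when any Lumma indicator matched and 'medium' when only
    the behavioural rule (new user agent + POST to an external IP) fired.
    """
    seen_agents = defaultdict(set)  # per-host baseline of user agents observed so far
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = ioc_reasons(ev)
        # Behavioural check runs before the baseline is updated with this event.
        if ev.method == "POST" and is_external(ev.dst_ip) and ev.user_agent not in seen_agents[ev.host]:
            reasons.append(NEW_AGENT_REASON)
        seen_agents[ev.host].add(ev.user_agent)
        if reasons:
            severity = "high" if any(r.startswith("known Lumma") or r.startswith("Lumma") for r in reasons) else "medium"
            alerts.append((ev.host, ev.dst_ip, severity, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for host, dst, sev, why in analyze(SAMPLE_LOG):
        print(f"[{sev}] {host} -> {dst}: {'; '.join(why)}")
```

Run against the sample, the first C2 POST from ws-017 fires all three indicator rules plus the new-agent rule, the second fires only the indicators (the agent is now in the host's baseline), and ws-042's POST raises a medium alert on behaviour alone. In a real deployment the baseline would be seeded from historical logs rather than starting empty, and the IoC sets would be loaded from threat intelligence rather than hard-coded.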

Additionally, Darktrace identified malicious external connections on a particular device that were associated with other malware strains, such as Laplas Clipper, Raccoon Stealer, Vidar, and RedLine info-stealers, alongside the Lumma C2 connections. These info-stealers are commonly offered as Malware-as-a-Service (MaaS) and can be purchased and deployed by even relatively inexperienced threat actors. It is also likely that the developers of these info-stealers are working to integrate their malware into the activities of traffer teams [8], organized cybercrime groups specializing in credential theft.

Conclusion

Reflecting the broader trend of increasing information stealers in the cyber threat landscape, Lumma stealer remains a significant threat to both organizations and individuals.

As another example of MaaS, Lumma is easily accessible for threat actors, regardless of their expertise, which is likely to lead to a rise in incidents. Consequently, it is crucial for organizations to implement security measures that can detect unusual behavior indicative of an info-stealer compromise, rather than relying solely on static indicators of compromise (IoCs).

Darktrace DETECT’s anomaly-based detection capabilities have successfully uncovered Lumma infections across various customer environments, regions, and industries. By identifying unusual connections to C2 infrastructure and the exfiltration of data, Darktrace provided comprehensive visibility into Lumma infections, enabling affected customers to pinpoint compromised devices, mitigate further data loss, and reduce the risk of substantial financial damage.
