Understanding Malware-as-a-Service (MaaS) Information Stealers
The Malware-as-a-Service (MaaS) model offers aspiring cybercriminals a cost-effective and relatively simple means to execute advanced cyber attacks and achieve their malicious objectives. Among these services are information stealers, which focus on extracting and exfiltrating sensitive data—such as login credentials and financial details—from compromised devices, potentially causing significant financial damage to both individuals and organizations.
What is the Lumma Information Stealer?
The Lumma information stealer, which has been marketed and sold on various dark web forums since 2022, exemplifies this type of MaaS. Lumma specifically targets cryptocurrency wallets, browser extensions, and two-factor authentication (2FA) mechanisms, ultimately siphoning sensitive information from infected systems. The distribution of Lumma on dark web platforms is increasing, with over a dozen command-and-control (C2) servers detected in the wild.
From January to April 2023, Darktrace monitored and analyzed several instances of Lumma activity across its client base. Leveraging its anomaly-based threat detection, Darktrace DETECT™ effectively identifies and provides insight into activities related to such info-stealers, from C2 operations to the exfiltration of sensitive data.
Background on Lumma Stealer
Previously known as LummaC2, the Lumma stealer is a subscription-based information theft tool that has been active since 2022. It is believed to have been created by the threat actor “Shamel,” using the alias “Lumma.” The stealer is marketed on dark web forums and through a Telegram channel with over a thousand subscribers as of May 2023. It is also available on Lumma’s official sales page for as low as $250.
Emergence of Lumma Stealer in the Russian Market
Research into the Russian market for stolen credentials has identified Lumma stealer as a notable emerging threat since early 2023. Lumma has joined the ranks of rising info-stealers, alongside other threats like Vidar and Raccoon [1].
Like other info-stealers, Lumma can extract data from compromised systems, including system and application information, as well as sensitive data such as cookies, usernames, passwords, credit card numbers, browsing history, and cryptocurrency wallet details.
From January to April 2023, Darktrace observed Lumma malware activity across multiple customer environments, primarily in the EMEA region but also in the US. This activity involved data exfiltration to external endpoints associated with Lumma malware, likely originating from trojanized software downloads or malicious emails containing Lumma payloads.
Lumma Attack Methods and Darktrace Detection
Lumma is often distributed disguised as cracked or fake versions of popular software like VLC or ChatGPT. More recently, threat actors have also used emails with attachments or links pretending to be from well-known companies to deliver the malware. For instance, in February 2023, a South Korean streamer was targeted by a spear-phishing email that mimicked the video game company Bandai Namco [4].
Lumma primarily targets Windows operating systems (Windows 7 to 11) and at least ten different browsers, including Google Chrome, Microsoft Edge, and Mozilla Firefox [5]. It also targets cryptocurrency wallets such as Binance and Ethereum, as well as crypto wallet and 2FA browser extensions like Metamask and Authenticator [6]. Additionally, the malware can exfiltrate data from applications like AnyDesk and KeePass [7].
Infection with Lumma can lead to fraudulent use of the stolen credentials, potentially resulting in significant financial losses, such as bank account hijacking.
Once the targeted data is captured, it is exfiltrated to a C2 server. Darktrace has detected this process in multiple affected environments. Through Darktrace DETECT, instances of data exfiltration via HTTP POST requests to known Lumma C2 servers were identified. During these connections, DETECT frequently noted the URI “/c2sock” and the user agent “TeslaBrowser/5.5”.
In one case, Darktrace flagged a device using the “TeslaBrowser/5.5” user agent, which was new for the device, making an HTTP POST request to an unusual IP address, 82.117.255[.]127 (Figure 3). Darktrace’s Self-Learning AI recognized this as a deviation from expected behavior and alerted the customer’s security team.
A detailed analysis of the packet captures (PCAP) from HTTP POST requests on one device confirmed that various types of data were being exfiltrated from the customer's network. This included browser data, such as Google Chrome history files, system information stored in a System.txt file, and program data like AnyDesk configuration files.
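The detection described above combines two signals: the static indicators seen in the Lumma C2 traffic (the "/c2sock" URI and the "TeslaBrowser/5.5" user agent) and the behavioural one (a user agent that is new for that device). The following is an added example, not Darktrace's code or the page's own, that runs both checks over a constructed JSON-lines proxy log; the log format, the field names and the RFC 5737 test addresses are assumptions.

```python
import json
from collections import defaultdict

# Indicators reported in the write-up: POSTs to URI "/c2sock" with user agent "TeslaBrowser/5.5".
LUMMA_URI = "/c2sock"
LUMMA_UA = "TeslaBrowser/5.5"

# Constructed sample proxy log in JSON-lines form (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = """\
{"ts": "2023-03-01T09:00:01", "src": "10.0.0.5", "method": "GET", "dst_ip": "198.51.100.7", "uri": "/index.html", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"}
{"ts": "2023-03-01T09:00:02", "src": "10.0.0.5", "method": "GET", "dst_ip": "198.51.100.7", "uri": "/style.css", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"}
{"ts": "2023-03-01T09:05:10", "src": "10.0.0.5", "method": "POST", "dst_ip": "203.0.113.10", "uri": "/c2sock", "ua": "TeslaBrowser/5.5"}
{"ts": "2023-03-01T09:06:00", "src": "10.0.0.9", "method": "POST", "dst_ip": "198.51.100.20", "uri": "/api/upload", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"}
"""

def parse_log(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def analyze(events, baseline_end):
    """Return one alert per suspicious outbound POST.

    Events with ts < baseline_end only teach which user agents each device
    normally uses; later POSTs are checked against the static Lumma indicators
    and against that per-device baseline (a deviation, not proof of infection).
    """
    seen_ua = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["ts"] < baseline_end:
            seen_ua[ev["src"]].add(ev["ua"])
            continue
        if ev["method"] != "POST":
            continue
        reasons = []
        if ev["uri"] == LUMMA_URI:
            reasons.append("known_lumma_uri")
        if ev["ua"] == LUMMA_UA:
            reasons.append("known_lumma_user_agent")
        # Only devices with a learned baseline can be judged for a "new" agent.
        if ev["src"] in seen_ua and ev["ua"] not in seen_ua[ev["src"]]:
            reasons.append("new_user_agent_for_device")
        if reasons:
            alerts.append({"src": ev["src"], "dst_ip": ev["dst_ip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG), "2023-03-01T09:01:00"):
        print(alert)
```

Note that the second device (10.0.0.9) has no baseline and is therefore not judged by the new-user-agent rule; a real deployment needs enough learning history per device before the behavioural check is meaningful.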
Additionally, Darktrace identified malicious external connections on a particular device that were associated with other malware strains, such as Laplas Clipper, Raccoon Stealer, Vidar, and RedLine info-stealers, alongside the Lumma C2 connections. These info-stealers are commonly offered as Malware-as-a-Service (MaaS) and can be purchased and deployed by even relatively inexperienced threat actors. It is also likely that the developers of these info-stealers are working to integrate their malware into the activities of traffer teams [8], organized cybercrime groups specializing in credential theft.
Conclusion
Reflecting the broader trend of increasing information stealers in the cyber threat landscape, Lumma stealer remains a significant threat to both organizations and individuals.
As another example of MaaS, Lumma is easily accessible for threat actors, regardless of their expertise, which is likely to lead to a rise in incidents. Consequently, it is crucial for organizations to implement security measures that can detect unusual behavior indicative of an info-stealer compromise, rather than relying solely on static indicators of compromise (IoCs).
Darktrace DETECT’s anomaly-based detection capabilities have successfully uncovered Lumma infections across various customer environments, regions, and industries. By identifying unusual connections to C2 infrastructure and the exfiltration of data, Darktrace provided comprehensive visibility into Lumma infections, enabling affected customers to pinpoint compromised devices, mitigate further data loss, and reduce the risk of substantial financial damage.