LET'S TALK
LET'S TALK
LET'S TALK
LET'S TALK

Threat Hunter’s Corner: Tracking Lumma Stealer

by Josh Shepard on 2024 | 11

<span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text" >Threat Hunter’s Corner: Tracking Lumma Stealer</span>

Welcome 

Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode, we’ll be going over a recently reported Lumma Stealer campaign and some behaviors you can hunt for on your environment to catch it in the act. 

 

RadBot Generated Text Summary 

This week, we’re diving into a recent campaign reported by Trend Micro involving the Lumma Stealer malware. Let’s break down what makes this stealer class malware so intriguing and how it operates. 

What is Lumma Stealer? 

Lumma Stealer is a type of malware designed to steal information, specifically targeting credentials. It focuses on files that store clear text, crypto-related authentication information, and browser-based data such as cookies and passwords. 

The Campaign’s Kill Chain 

Here’s a step-by-step look at how the attack unfolds: 

  1. Initial Access: The victim clicks a link, which could come from a phishing email or an ad. This link opens a fake CAPTCHA page. 
  1. CAPTCHA Deception: The fake CAPTCHA page asks the victim to prove they are human. When the box is checked, a PowerShell command is copied to the victim’s clipboard. 
  1. Execution: The victim is instructed to run a series of hotkeys to open a run terminal, paste the command, and execute it. 
  1. Payload Delivery: The PowerShell script then spawns MSHTA, which downloads and executes additional scripts to pull down the Lumma Stealer malware. 
  1. Defense Evasion: The malware uses process hollowing, specifically targeting the BitLocker to Go binary, to evade detection. 
  1. Credential Theft: Finally, the malware searches for and exfiltrates credential-related files from the victim’s system. 

Key Indicators for Threat Hunting 

To effectively hunt for this threat, here are some key indicators and techniques to look for: 

  • PowerShell Spawning MSHTA: This is unusual in most environments and should be monitored closely. 
  • Process Hollowing: Look for Windows API calls related to process memory manipulation, such as VirtualAllocEx and WriteProcessMemory or process modification like CreateRemoteThread, SuspendThread, or ResumeThread.  
  • Unusual Credential File Access: Monitor for unusual processes accessing browser credential files like cookies.sqlite for Mozilla or Web Data/Web Login for Chromium. 

Conclusion 

This campaign highlights the evolving tactics of threat actors and the importance of staying vigilant. By understanding the kill chain and knowing what to look for, we can better protect our systems from such threats. 

As always, if you have any questions or comments, feel free to reach out. Stay safe out there, and we’ll see you in the next episode of the Threat Hunters Corner.

 
Previous story
← EP 39 — Red Cat Holdings’ Brendan Stewart on Strategic Partnerships for Advancing Drone Capabilities
Next story
EP 40 — Rendered.ai’s Nathan Kundtz on the Power of Synthetic Data in AI Development →
Threat Hunters Corner: VIP Keylogger
Threat Management

Threat Hunters Corner: VIP Keylogger

2025 | 01 2 min read
Threat Hunter’s Corner: More_Eggs malware
Threat Management

Threat Hunter’s Corner: More_Eggs malware

2024 | 12 2 min read
Threat Hunters Corner: Understanding T1543 - Create or Modify System Processes
Threat Management

Threat Hunters Corner: Understanding T1543 - Create or Modify System Processes

2024 | 10 3 min read

Get Email Notifications

No Comments Yet

Let us know what you think