Lumma Stealer - Using Steam Workshop as C2

Summary:
An IT-ISAC member shared some indicators related to Lumma Stealer and its use of Steam Workshop for C2 communications.

Lumma Stealer, a subscription-based malware active since 2022, is believed to be developed by the threat actor "Shamel" under the alias "Lumma." It is promoted on dark web forums and a Telegram channel with over a thousand subscribers, and sold for as little as $250 USD.

Lumma Stealer collects system data, sensitive information like cookies, passwords, credit card details, and cryptocurrency wallet data from compromised devices. The malware is typically delivered by users downloading trojanized software or opening malicious emails containing Lumma payloads.

Security Officer Comments:
The latest variant of Lumma has evolved to abuse the Steam platform for acquiring command-and-control (C2) domains, allowing the threat actor to change the C2 at will. Previously, C2 information was embedded in the malware. This tactic is similar to Vidar malware, which has used legitimate platforms like Steam, TikTok, Mastodon, and Telegram for the same purpose.
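As an added illustration (not code from the advisory or from AhnLab), the following Python correlation rule runs over constructed proxy log lines and flags the behaviour described above: a non-Steam process fetches a Steam community page and then, shortly afterwards, contacts a previously unseen domain on an `/api` path, the URL shape of this campaign's C2 indicators. The `steamcommunity.com` host, the 60-second window, the allow-list and all log values are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log: "<timestamp> <host> <process> <url>".
# All domains are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-01-10T09:00:01 ws01 steam.exe https://steamcommunity.com/sharedfiles/filedetails/?id=1
2024-01-10T09:15:02 ws02 setup.exe https://steamcommunity.com/sharedfiles/filedetails/?id=2
2024-01-10T09:15:04 ws02 setup.exe https://c2-placeholder.site/api
2024-01-10T09:20:00 ws03 chrome.exe https://www.example.com/
2024-01-10T09:20:05 ws03 chrome.exe https://api.example.com/api
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+)")
HOST_RE = re.compile(r"https?://([^/]+)")

# Assumption: Workshop pages are served from this host (dead-drop resolver).
DEAD_DROP_DOMAINS = {"steamcommunity.com"}
# Assumption: domains already known to the environment (e.g. from a baseline).
KNOWN_GOOD = {"www.example.com", "api.example.com"}
WINDOW = timedelta(seconds=60)


def parse(log):
    """Yield (timestamp, host, process, domain, url) per log line."""
    for line in log.splitlines():
        ts, host, proc, url = LINE_RE.match(line).groups()
        yield datetime.fromisoformat(ts), host, proc, HOST_RE.match(url).group(1), url


def find_dead_drop_followups(log, window=WINDOW):
    """Return (host, process, domain) for each non-Steam process that reaches a
    dead-drop domain and, within `window`, requests an unseen domain's /api path."""
    last_drop = {}
    hits = []
    for ts, host, proc, domain, url in parse(log):
        if proc.lower().startswith("steam"):
            continue  # the real client is expected to talk to Steam
        if domain in DEAD_DROP_DOMAINS:
            last_drop[(host, proc)] = ts
            continue
        seen = last_drop.get((host, proc))
        if (seen is not None and ts - seen <= window
                and url.rstrip("/").endswith("/api") and domain not in KNOWN_GOOD):
            hits.append((host, proc, domain))
    return hits
```

The rule is a starting point for a SIEM correlation search, not a signature; tune the window and allow-list to the environment before alerting on it.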

Lumma targets Windows operating systems from versions 7 to 11 and over 10 browsers, including Chrome, Edge, and Firefox. It also targets crypto wallets like Binance and Ethereum, browser extensions like Metamask and Authenticator, and can exfiltrate data from applications such as AnyDesk and KeePass.

Indicators of Compromise (IoCs):
  • Steam storage holding obfuscated C2 domain list.
TruSTAR: https://station.trustar.co/constellation/reports/46d9d432-a98a-4284-b600-14abebd2337c

Suggested Corrections:
Users should be cautious, as threat actors use various tactics to carry out attacks. Even traffic to legitimate websites, such as Steam in this case, can be a sign of malware infection. To stay safe, users should avoid running files from untrusted sites and refrain from using illegal (pirated) programs.

Link(s):
https://asec.ahnlab.com/en/80795/