Lumma Stealer Proliferation Fueled by Telegram Activity

Summary:
Lumma Stealer is a sophisticated and fast-spreading information-stealing malware, primarily distributed through Telegram channels disguised as cracked software. Cybercriminals have exploited Telegram’s widespread popularity to reach a large audience, bypass traditional detection methods, and distribute malicious payloads effectively. Channels such as hitbase and sharmamod actively promote malicious content, often forwarding messages between each other to expand their reach. One notable file distributed via these channels is CCleaner 2024[.]rar, which contains multiple components designed to compromise user systems and exfiltrate sensitive information.

Upon unpacking, CCleaner 2024.rar reveals several files, including a .NET executable, a readme.txt file linking back to the Telegram channel, and Microsoft DLL files. Analysis using dnSpy reveals that the main executable uses decryption functions to load additional malicious payloads into memory. Two decrypted payloads are subsequently dropped into the system’s AppData\Roaming folder: XTb9DOBjB3[.]exe (the Lumma Stealer malware) and a clipper malware. Both payloads exhibit advanced techniques, including multi-stage decryption routines and process injection, targeting legitimate Windows processes to evade detection.

The Lumma Stealer payload focuses on harvesting a wide range of sensitive data. It dynamically loads libraries to enable HTTP requests to command-and-control (C2) servers. Base64-encoded strings embedded within the binary are decoded and decrypted to reveal C2 domains. The malware exfiltrates browser credentials, FTP and email account data, cryptocurrency wallet information, and system details. Communication with C2 infrastructure is achieved through encoded POST requests to various domains, which facilitate data exfiltration and additional payload delivery.

Security Officer Comments:
The clipper malware operates alongside Lumma Stealer, actively monitoring clipboard activity. It uses regular expressions to detect cryptocurrency wallet addresses, replacing them with attacker-controlled addresses to hijack transactions. This malware also establishes persistence by checking for mutex locks and configuring autorun on system startup. By modifying file attributes, it further evades detection and ensures continued execution on compromised systems. Lumma Stealer’s use of Telegram as a distribution platform is a testament to the adaptability of cybercriminals in leveraging popular tools for malicious purposes. The malware’s ability to conduct sophisticated operations, such as multi-stage decryption, process injection, and targeted data exfiltration, underscores its threat to user privacy and security. It has been particularly prevalent in regions such as India, the United States, and Europe, according to McAfee’s telemetry data.

Suggested Corrections:

Endpoint Security Measures:
  • Deploy advanced endpoint protection solutions with behavioral analysis capabilities to detect and block malicious activities such as process injection, clipboard monitoring, and unauthorized file creation.
  • Use reputable antivirus software that includes heuristic and real-time threat detection.
Secure Software Practices:
  • Avoid downloading software from untrusted sources, including Telegram channels or other unofficial distribution platforms.
  • Verify the authenticity of software using hashes or digital signatures provided by trusted vendors.
Network Protections:
  • Implement URL filtering to block access to known malicious domains.
  • Monitor outbound traffic for anomalous connections to untrusted domains or C2 servers.
  • Use intrusion detection/prevention systems (IDS/IPS) to identify suspicious activities, such as unauthorized POST requests or process injection attempts.
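
The endpoint behaviours described in the analysis (an executable dropped into AppData\Roaming, then autorun configured for it) can be correlated from endpoint telemetry. The following Python is an added example, not part of the original report: it runs over constructed Sysmon-style events (ID 11 file create, ID 13 registry value set). The simplified field names, sample paths, the file name updater.exe and the use of a Run key for autorun are assumptions; the report says only that autorun is configured on startup.

```python
import re

# Constructed Sysmon-style events (11 = FileCreate, 13 = registry value set).
# Field names are simplified; paths, user and "updater.exe" are invented samples.
EVENTS = [
    {"id": 11, "image": r"C:\Users\bob\Downloads\CCleaner 2024\Setup.exe",
     "target": r"C:\Users\bob\AppData\Roaming\updater.exe"},
    {"id": 13, "image": r"C:\Users\bob\AppData\Roaming\updater.exe",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\Users\bob\AppData\Roaming\updater.exe"'},
    {"id": 11, "image": r"C:\Program Files\Vendor\app.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Vendor\cache\helper.exe"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# An .exe written directly into the Roaming root (no vendor subfolder).
ROAMING_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I)
# Assumed autorun location: per-user or machine Run / RunOnce keys.
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

def correlate(events):
    """Alert on executables dropped into AppData\\Roaming; raise severity
    when a later Run-key value points at the same file."""
    dropped = {}  # lower-cased file path -> alert
    for ev in events:
        if ev["id"] == 11 and ROAMING_EXE.match(ev["target"]):
            dropped[ev["target"].lower()] = {
                "file": ev["target"], "dropper": ev["image"],
                "autorun": None, "severity": "medium"}
        elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            value = ev.get("details", "").lower()
            for path, alert in dropped.items():
                if path in value:  # autorun value references the dropped file
                    alert["autorun"] = ev["target"]
                    alert["severity"] = "high"
    return list(dropped.values())

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Legitimate installers that write into a vendor subfolder under Roaming, and autorun entries for files outside Roaming, produce no alert here; tune both patterns to the local software baseline.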
Link(s):
https://www.mcafee.com/blogs/other-...m-channels-are-fueling-malware-proliferation/