Infostealers Dominate as Lumma Stealer Detections Soar by Almost 400%

Summary:
The Lumma Stealer malware has experienced a significant rise in usage, with ESET reporting a 369% increase in detections during the second half of 2024. First discovered in 2022, Lumma has become one of the top ten most-detected infostealers, targeting high-value assets such as two-factor authentication browser extensions, user credentials, and cryptocurrency wallets. Its ability to compromise 2FA extensions is particularly concerning, as it enables attackers to bypass a critical layer of account security by stealing or intercepting authentication tokens. Additionally, Lumma scans systems for stored credentials in browsers, email clients, and remote desktop connections, while also targeting cryptocurrency wallet files from platforms like Electrum, Exodus, and Bitcoin Core. The malware can even monitor clipboard activity, replacing copied cryptocurrency addresses with attacker-controlled ones to redirect transactions.
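The clipboard address-swapping behaviour described above can be surfaced from the defender's side with a simple heuristic: a wallet address that is replaced by a different address of the same family within a fraction of a second, with no user copy action in between, is the signature of a clipper. The script below is an added example and is not code from the article or from ESET; it works on a constructed list of clipboard snapshots, so the part that actually reads the live clipboard (platform-specific) is assumed to exist elsewhere and is out of scope here. The address patterns only check shape, not checksums.

```python
import re
from dataclasses import dataclass

# Shape-only patterns for the two wallet families most often targeted by
# clipper malware (bech32 / legacy base58 Bitcoin, and Ethereum hex addresses).
# No checksum validation: this is a triage heuristic, not a wallet library.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text):
    """Return 'btc', 'eth' or None for a piece of clipboard text."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


@dataclass
class Snapshot:
    t: float       # seconds since monitoring started
    content: str   # clipboard text observed at that moment


def find_clipboard_swaps(snapshots, max_gap=2.0):
    """Flag consecutive snapshots where one address is replaced by a different
    address of the same family within max_gap seconds. A human copying two
    addresses usually takes far longer than that; a clipper reacts instantly."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        fam_prev = address_family(prev.content)
        fam_cur = address_family(cur.content)
        if (
            fam_prev is not None
            and fam_prev == fam_cur
            and prev.content.strip() != cur.content.strip()
            and (cur.t - prev.t) <= max_gap
        ):
            alerts.append({
                "time": cur.t,
                "family": fam_cur,
                "original": prev.content.strip(),
                "replacement": cur.content.strip(),
            })
    return alerts


# Constructed sample timeline (not real telemetry). The second entry is
# replaced 300 ms after the user copied it; the last two entries are two
# different addresses copied 40 s apart, which is normal behaviour.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for Monday"),
    Snapshot(10.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    Snapshot(10.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    Snapshot(40.0, "0x1111111111111111111111111111111111111111"),
    Snapshot(50.0, "invoice 4471"),
    Snapshot(90.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    Snapshot(130.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
]

if __name__ == "__main__":
    for alert in find_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['time']:.1f}s] {alert['family']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```

The `max_gap` threshold is the tunable part: too low and a fast clipper that waits a few seconds slips through, too high and a user who legitimately copies two addresses in quick succession gets a false alert. In practice this check is most useful as a user-facing warning at paste time rather than as a silent log entry.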

Lumma is distributed through phishing emails containing malicious attachments, as well as via malicious ads or compromised websites using drive-by downloads. Once executed, the malware establishes persistence by creating registry entries and scheduled tasks, ensuring it remains active even after system reboots. It employs anti-detection techniques, such as obfuscation and virtual machine checks, to evade analysis. After harvesting credentials, wallet files, and other sensitive data, Lumma exfiltrates the stolen information to its command-and-control servers using encrypted HTTPS channels, reducing the likelihood of detection by security tools. The stolen data is then monetized through underground marketplaces, making Lumma a lucrative tool for cybercriminals.
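The two persistence mechanisms named above, autorun registry entries and scheduled tasks, leave predictable traces in endpoint telemetry. The script below is an added example, not code from the article or from ESET, showing how a hunt over Sysmon-style events can flag them: registry value writes (Sysmon Event ID 13, fields TargetObject and Details) under a Run or RunOnce key whose value points into a user-writable directory, and process creations (Event ID 1, field CommandLine) where schtasks.exe creates a task whose action lives in such a directory. The events are constructed for the demonstration; the field names follow Sysmon's schema, but the SID, paths and task names are invented.

```python
import re

# Autorun locations commonly abused for persistence (HKCU/HKLM Run and RunOnce).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Directories from which a freshly dropped payload typically executes.
# Legitimate software persisting from Program Files or System32 is not flagged.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Downloads|Public|ProgramData)\\",
    re.IGNORECASE)

# schtasks.exe invoked with /create (queries, deletes etc. are ignored).
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def triage_event(event):
    """Return a finding for a suspicious persistence event, or None.

    Expects Sysmon-style dictionaries: EventID 13 with TargetObject/Details,
    EventID 1 with CommandLine; Image is carried through for context."""
    event_id = event.get("EventID")
    if event_id == 13:  # RegistryEvent (Value Set)
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if AUTORUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
            return {"technique": "registry_run_key",
                    "image": event.get("Image"),
                    "target": target, "details": details}
    elif event_id == 1:  # ProcessCreate
        cmd = event.get("CommandLine", "")
        if SCHTASKS_CREATE_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            return {"technique": "scheduled_task",
                    "image": event.get("Image"),
                    "command_line": cmd}
    return None


def hunt(events):
    """Run triage over an event stream and return the non-empty findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry; SID, paths and names invented).
SAMPLE_EVENTS = [
    {   # Run key pointing at a binary in the user's roaming profile: flagged
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe",
    },
    {   # Run key written by the OS itself, value under System32: not flagged
        "EventID": 13,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    {   # Logon-triggered task whose action lives in AppData: flagged
        "EventID": 1,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /sc onlogon /tn "Updater" '
                       r'/tr "C:\Users\alice\AppData\Roaming\Updater\svc.exe"',
    },
    {   # Task query, no creation: not flagged
        "EventID": 1,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /query /tn Updater",
    },
    {   # Ordinary process start: not flagged
        "EventID": 1,
        "Image": r"C:\Program Files\Vendor\tool.exe",
        "CommandLine": r'"C:\Program Files\Vendor\tool.exe" --update',
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both rules deliberately require two conditions (an autorun location and a user-writable path) so that routine installer activity does not drown the queue; the same two-condition structure ports directly to a SIEM query against real Sysmon or EDR data, where the path list should be extended with whatever staging directories your environment actually sees.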

Security Officer Comments:
According to ESET’s H2 2024 Threat Report, the ongoing refinement and deployment of Lumma Stealer illustrate how cybercriminals are increasingly focusing on tools that exploit modern security frameworks, creating challenges for defenders. As the report notes, the malware’s escalating detection rates reflect its growing adoption across diverse cyber campaigns, particularly those aimed at high-value credential and financial theft.

Suggested Corrections:
Mitigating Lumma Stealer requires a multi-layered approach. Use hardware-based two-factor authentication, such as security keys, instead of browser-extension authenticators, and ensure that 2FA configurations follow best practices. Avoid storing passwords in browsers; opt for a password manager with strong, unique passwords, protected by multi-factor authentication. Keep cryptocurrency assets in cold wallets and back up wallet files regularly to protected storage. Deploy robust email filtering to block phishing emails, and educate users on identifying phishing attempts and avoiding untrusted downloads or links. These steps can significantly reduce exposure to Lumma Stealer and similar threats.

Link(s):
https://www.infosecurity-magazine.com/news/infostealers-lumma-stealer/

PDF: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22024.pdf