eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
On January 21, 2025, the eSentire Threat Response Unit (TRU) identified new changes made to Lumma Stealer involving the usage of the ChaCha20 cipher for config decryption and has created a python script available here to aid in extracting the new config format.
These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to circumvent current extraction and analysis tools.
Lumma Stealer (aka LummaC2 Stealer) is an information stealer malware that operates as a Malware-as-a-Service (MaaS) sold primarily in underground Russian-speaking forums. Lumma Stealer is commonly delivered through the ClickFix initial access method, where end-users are socially engineered into copying and executing malicious PowerShell commands provided by the threat actor(s). While ClickFix is the most prevalent initial access method, other initial access techniques have also been observed.
In recent cases analyzed by TRU, the infection process begins when the victim visits a compromised website or landing page for ClickFix. The ClickFix page stores a malicious command in the victim’s clipboard and the victim is instructed to open a Run Prompt via the keyboard shortcut “Windows Key + R”, press the keyboard shortcut “Ctrl + V” (to paste in the copied command), and finally press the “Enter” key to execute the malicious command.
Figure 1 – ClickFix initial access
The next figure shows a truncated portion of the ChaCha20 subroutine that is now used by Lumma for config decryption. This routine is passed several parameters, including a structure containing the ChaCha20 magic (16 bytes), 32-byte key, 8-byte nonce, encrypted C2 data, and the size of the encrypted data.
Note that the 8-byte nonce is padded with four null bytes.
Figure 2 – ChaCha20 routine
After unpacking the sample with SHA-256 7e286bb4491124116ba61ab0029b41862d502e4feee5420e0aa5ee4a29e722fa, and viewing it in a hex editor, we can see the 32-byte key and 8-byte nonce.
Note that this key and nonce differ from sample to sample.
Figure 3 – Key/none in unpacked image
eSentire's Lumma config decryption script can be found here. After running the script, the following C2 information was extracted:
Figure 4 – C2 and Build ID extracted
What did we do?
Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
We communicated what happened with the customer and helped them with remediation efforts.
What can you learn from this TRU Positive?
Lumma Stealer is a sophisticated information stealer that was recently updated to circumvent existing extraction and analysis systems.
Blue teams can use the information included in this TRU Positive for tracking, extracting, and identifying Lumma campaigns and C2s.
Recommendations from the Threat Response Unit (TRU):
Disable the Run prompt via GPO:
User Configuration > Administrative Templates > Start Menu and Taskbar > Enable “Remove Run menu from Start Menu”
Disable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
C:\Windows\System32\WScript.exe
C:\Windows\Syswow64\WScript.exe
*:\Windows\System32\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
*:\Windows\SysWOW64\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
Disable mshta.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
C:\Windows\System32\mshta.exe
C:\Windows\Syswow64\mshta.exe
*:\Windows\System32\mshta.exe (* represents wildcard to include other drive letter rather than C drive)
*:\Windows\SysWOW64\mshta.exe (* represents wildcard to include other drive letter rather than C drive)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
