eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Beginning in early September 2024, eSentire observed an increase in the number of incidents involving Lumma Stealer malware; this activity has remained common leading into early October. Lumma Stealer (aka LummaC2 Stealer) is an information stealer malware which operates as Malware-as-a-Service (MaaS) in Russian-speaking forums. The malware is capable of stealing sensitive details from victim devices, including credentials.
Recent observations of Lumma Stealer have involved the ClickFix initial access method, where end-users are socially engineered into copying and executing attacker-provided PowerShell commands.
As there is an ongoing Lumma Stealer campaign, organizations are recommended to validate their security controls and educate users on common initial access techniques, such as ClickFix.
What we’re doing about it
eSentire MDR for Endpoint and eSentire MDR for Network detect Lumma Stealer
eSentire’s proprietary machine learning platform BlueSteel, in tandem with eSentire MDR for Endpoint, detect malicious PowerShell usage
The eSentire Threat Intelligence team has performed indicator-based threat hunts for Lumma Stealer
Known malicious infrastructure is blocked via the eSentire Global Block List
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
Ensure antivirus signatures are up-to-date
Confirm Endpoint Detection and Response (EDR) technology is deployed across all workstations and servers
Train users to identify and report potentially malicious content
Users should specifically be aware of the ClickFix malware distribution technique (see Figure 1)
Additional information
Lumma Stealer activity was first identified in August of 2022, and the malware has been common across the threat landscape since. Its capabilities include stealing data from cryptocurrency wallets, 2FA browser extensions, and a variety of other applications. The malware is reportedly developed by a known threat actor operating under the name Shamel. As it is offered for sale on Russian-speaking cybercrime forums, it is employed by various threat actors and its use and delivery vary by campaign.
In recently observed Lumma Stealer incidents, end-users browsed to a malicious web page. Public reporting suggests that victims are directed to the malicious page via emails or cracked applications. The page redirects potential victims to a second website which impersonates a CAPTCHA authentication page. The fake CAPTCHA page instructs victims to open a command prompt, enter an attacker provided PowerShell command, and execute it. Following these steps results in the deployment of a loader, such as GoInjector or Hijackloader, which in turn leads to the final deployment of Lumma Stealer. The tactic of fake CAPTCHA pages to trick end-users into executing PowerShell is known as ClickFix; an example of this is shown below.
Figure1: ClickFix Fake Landing Page
Organizations need to ensure that their staff are aware of common threats and malware delivery techniques. Ensuring staff are educated on these tactics will reduce the success of social engineering attacks and increase the likelihood of users reporting potentially malicious content. The eSentire product suite maintains a variety of detections relevant to Lumma Stealer and PowerShell abuse, and the Threat Intelligence team continues to track this and other malware campaigns for additional detection opportunities.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
