Lumma Stealer ClickFix Distribution

THE THREAT

Beginning in early September 2024, eSentire observed an increase in the number of incidents involving Lumma Stealer malware; this activity has remained common leading into early October. Lumma Stealer (aka LummaC2 Stealer) is an information stealer malware which operates as Malware-as-a-Service (MaaS) in Russian-speaking forums. The malware is capable of stealing sensitive details from victim devices, including credentials. 

Recent observations of Lumma Stealer have involved the ClickFix initial access method, where end-users are socially engineered into copying and executing attacker-provided PowerShell commands. 

As there is an ongoing Lumma Stealer campaign, organizations are recommended to validate their security controls and educate users on common initial access techniques, such as ClickFix.  

What we’re doing about it

• eSentire MDR for Endpoint and eSentire MDR for Network detect Lumma Stealer
• eSentire’s proprietary machine learning platform BlueSteel, in tandem with eSentire MDR for Endpoint, detect malicious PowerShell usage 
• The eSentire Threat Intelligence team has performed indicator-based threat hunts for Lumma Stealer 
• Known malicious infrastructure is blocked via the eSentire Global Block List 
• The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

• Ensure antivirus signatures are up-to-date
• Confirm Endpoint Detection and Response (EDR) technology is deployed across all workstations and servers 
• Train users to identify and report potentially malicious content
  • Users should specifically be aware of the ClickFix malware distribution technique (see Figure 1)

Additional information

Lumma Stealer activity was first identified in August of 2022, and the malware has been common across the threat landscape since. Its capabilities include stealing data from cryptocurrency wallets, 2FA browser extensions, and a variety of other applications.  The malware is reportedly developed by a known threat actor operating under the name Shamel. As it is offered for sale on Russian-speaking cybercrime forums, it is employed by various threat actors and its use and delivery vary by campaign. 

In recently observed Lumma Stealer incidents, end-users browsed to a malicious web page. Public reporting suggests that victims are directed to the malicious page via emails or cracked applications. The page redirects potential victims to a second website which impersonates a CAPTCHA authentication page. The fake CAPTCHA page instructs victims to open a command prompt, enter an attacker provided PowerShell command, and execute it. Following these steps results in the deployment of a loader, such as GoInjector or Hijackloader, which in turn leads to the final deployment of Lumma Stealer. The tactic of fake CAPTCHA pages to trick end-users into executing PowerShell is known as ClickFix; an example of this is shown below. 

Organizations need to ensure that their staff are aware of common threats and malware delivery techniques. Ensuring staff are educated on these tactics will reduce the success of social engineering attacks and increase the likelihood of users reporting potentially malicious content. The eSentire product suite maintains a variety of detections relevant to Lumma Stealer and PowerShell abuse, and the Threat Intelligence team continues to track this and other malware campaigns for additional detection opportunities. 

Indicators of Compromise

References:

[1] https://www.esentire.com/blog/go-injector-leading-to-stealers
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/