Researchers identified Lumma Stealer activity across several publicly available samples, among them two PowerShell scripts (Trigger.ps1 and BMB1tcTf.txt) and an EXE installer (hhh.exe). The three samples stand in a parent-child relationship, with Trigger.ps1 the likely first stage of the infection chain.
Each of the three samples connects to the same C2 server, which points to a single coordinated campaign rather than unrelated activity.
Lumma Stealer is a sophisticated information stealer that targets sensitive data held by web browsers, cryptocurrency wallets, and other popular applications. The analysis below focuses on the attack methods this threat actor has used recently, using these three samples as case studies.
Trigger.ps1 downloads BMB1tcTf.txt, which in turn runs hhh.exe once its checks conclude that it is executing in a legitimate environment. hhh.exe is a GHOSTPULSE loader that collects information about the operating system, hardware, loaded modules, and running processes.
It then launches more.com, a legitimate Windows binary, and injects its own payload into that process using process doppelgänging.
Process doppelgänging is a code-injection technique built on Windows Transactional NTFS (TxF). The attacker opens a legitimate executable inside an NTFS transaction, overwrites it with the malicious payload, and creates an image section from the transacted file. The transaction is then rolled back, so the file on disk is never actually modified, but the section, and the process subsequently created from it, carry the malicious code.
Because the malicious image exists only inside a rolled-back transaction and in memory, while the on-disk file remains pristine, file-based and signature-based scanners that inspect the executable on disk see nothing wrong, and the resulting process appears to be backed by the legitimate file. This is what makes process doppelgänging difficult to detect.
Lumma Stealer itself relies on a second injection step to steal sensitive information from the victim's machine: the malware first creates a child process and then uses a technique called "Heaven's Gate" to inject malicious code into it. Heaven's Gate is a trick by which 32-bit code running under WoW64 switches the processor into 64-bit mode (via a far jump to the 64-bit code segment) and issues native 64-bit system calls directly, bypassing the 32-bit API layer where user-mode hooks from security products are typically placed.
This injected code can then steal a variety of sensitive information, including system information, clipboard data, and browser passwords. Once the information is stolen, the malware transmits it to a command and control (C2) server.
When the malware contacts the C2 server, it first sends a message to confirm that the server is online and then sends a second message carrying the stolen information.
The second message contains several parameters, including "act=recive_message" (the misspelling is the malware's own), which indicates that the malware is requesting to receive messages; "ver=4.0", which gives the version of the malware; and "lid=5Fwxx-xxx1" (partially redacted), believed to be a unique identifier for the communication session.
According to analysts at the Tianqiong sandbox, Lumma Stealer is a trojan that steals passwords from the Firefox browser; it disguises itself as a normal application or file and spreads through phishing attacks, malicious advertisements, software vulnerabilities, and other social-engineering means.
The stolen data is sent as multipart/form-data with the boundary string SR3SP0I59JAF4M1. The form fields include hwid (hardware ID), pid (process ID), lid (the session ID), act, and the compressed stolen data itself.
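The two paragraphs above on the C2 parameters and the multipart body describe everything a network defender needs to recognise this exfiltration request: a fixed boundary string, a small fixed set of form-field names, and a misspelled act value. The script below is an added example, not code from the article or from the analysts. It parses a multipart/form-data POST the way an IR analyst would when triaging a capture, then scores the request against those indicators. SAMPLE_REQUEST and BENIGN_REQUEST are constructed: the host names and every field value are made up, and the "file" part stands in for the compressed stolen data without assuming any particular compression format.

```python
"""Parse a multipart/form-data request shaped like the Lumma Stealer
exfiltration message and score it against the indicators the article lists:
the boundary string SR3SP0I59JAF4M1, the act/ver/lid/hwid/pid field set, and
the misspelled act=recive_message.

Added example with constructed requests; field values are made up.
"""
import re
from typing import Dict, Optional

LUMMA_BOUNDARY = "SR3SP0I59JAF4M1"
LUMMA_FIELDS = {"act", "ver", "lid", "hwid", "pid"}

# Constructed request mirroring the field layout described in the article.
SAMPLE_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"            # placeholder, not the real C2
    b"Content-Type: multipart/form-data; boundary=SR3SP0I59JAF4M1\r\n"
    b"\r\n"
    b"--SR3SP0I59JAF4M1\r\n"
    b'Content-Disposition: form-data; name="act"\r\n\r\nrecive_message\r\n'
    b"--SR3SP0I59JAF4M1\r\n"
    b'Content-Disposition: form-data; name="ver"\r\n\r\n4.0\r\n'
    b"--SR3SP0I59JAF4M1\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\nEXAMPLE-LID\r\n'
    b"--SR3SP0I59JAF4M1\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n0123456789ABCDEF\r\n'
    b"--SR3SP0I59JAF4M1\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n4242\r\n'
    b"--SR3SP0I59JAF4M1\r\n"
    b'Content-Disposition: form-data; name="file"; filename="data.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\x01\x02\x03\x04\x05\x06\x07\x08\r\n"     # stand-in for the compressed blob
    b"--SR3SP0I59JAF4M1--\r\n"
)

# Constructed ordinary browser upload, for contrast.
BENIGN_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: intranet.example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbC123\r\n"
    b"\r\n"
    b"------WebKitFormBoundaryAbC123\r\n"
    b'Content-Disposition: form-data; name="title"\r\n\r\nQ3 report\r\n'
    b"------WebKitFormBoundaryAbC123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="q3.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.7 ...\r\n"
    b"------WebKitFormBoundaryAbC123--\r\n"
)


def multipart_boundary(headers: bytes) -> Optional[str]:
    """Extract the boundary parameter from the Content-Type header, if present."""
    m = re.search(rb'(?im)^content-type:\s*multipart/form-data;.*?boundary="?([^";\r\n]+)', headers)
    return m.group(1).decode("ascii", "replace") if m else None


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal RFC 7578 body parser mapping each part's name to its raw value.
    Sufficient for triage; nested multipart is not handled."""
    delim = b"--" + boundary.encode("ascii")
    fields: Dict[str, bytes] = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):             # closing "--boundary--"
            break
        head, sep, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            continue
        if value.endswith(b"\r\n"):             # CRLF that precedes the next delimiter
            value = value[:-2]
        m = re.search(rb'[;\s]name="([^"]*)"', head)   # skips filename="..."
        if m:
            fields[m.group(1).decode("ascii", "replace")] = value
    return fields


def classify(raw_request: bytes) -> dict:
    """Split headers from body, parse the form, and list matched indicators."""
    headers, _, body = raw_request.partition(b"\r\n\r\n")
    boundary = multipart_boundary(headers)
    report = {"boundary": boundary, "fields": {}, "indicators": [], "verdict": "no match"}
    if boundary is None:
        return report
    fields = parse_multipart(body, boundary)
    # Show the small text fields verbatim; report only the size of blobs.
    report["fields"] = {k: (v.decode("latin-1") if k in LUMMA_FIELDS else f"<{len(v)} bytes>")
                        for k, v in fields.items()}
    if boundary == LUMMA_BOUNDARY:
        report["indicators"].append("boundary string SR3SP0I59JAF4M1")
    if LUMMA_FIELDS.issubset(fields):
        report["indicators"].append("hwid/pid/lid/act/ver field set")
    if fields.get("act") == b"recive_message":
        report["indicators"].append("act=recive_message (the malware's own misspelling)")
    if len(report["indicators"]) >= 2:          # one indicator alone is too weak
        report["verdict"] = "lumma-like"
    return report


if __name__ == "__main__":
    for name, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        r = classify(req)
        print(name, r["verdict"], r["indicators"], r["fields"])
```

The verdict deliberately requires two independent indicators: a boundary string is trivial for the operators to rotate between builds, and the field set alone could collide with an unrelated form, so the combination is what makes the match worth alerting on. Porting the same three checks to an IDS rule is straightforward, since every indicator is a literal in the request.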