The Cybereason GSOC team has uncovered a sophisticated attack campaign leveraging the LummaStealer malware, now abusing the legitimate Windows utility mshta.exe to execute remote code under the guise of an .mp4 file.
This new initial payload method further enhances LummaStealer’s evasion capabilities, enabling attackers to sidestep host-based detection and escalate the threat posed to Windows environments.
Technical Overview
LummaStealer, first identified in 2022 and developed by Russian-speaking adversaries, operates as a MaaS (Malware-as-a-Service) targeting credentials, cookies, cryptocurrency wallets, and other sensitive assets.
The newest tactic involves the distribution of malicious payloads via phishing emails.
Victims are directed to interact with a fake CAPTCHA page, which instructs them to copy and execute an obfuscated command in the Windows Run dialog, triggering the mshta.exe utility.
The attack chain begins with mshta.exe interpreting a URL or file path masquerading as an .mp4 multimedia file.

According to the report, this pseudo-media file contains a hex-encoded, heavily obfuscated JavaScript payload.
Upon execution, the JavaScript decodes and launches a second-stage PowerShell payload via the eval() function, bypassing browser-based security controls by operating under the context of a trusted Windows binary.
Subsequent stages involve further layers of obfuscation and multi-stage payload delivery:
- Stage 2: The PowerShell script is encrypted via AES and includes hard-coded decryption keys, rendering the malware resilient to superficial static analysis. Decryption and analysis via CyberChef revealed a command to fetch additional payloads from controlled infrastructure, confirming advanced persistence mechanisms.
- Stage 3: The decrypted content executes further PowerShell code, featuring layered obfuscation and in-memory XOR-decoding routines. This phase culminates in the retrieval of a highly obfuscated .NET assembly, which is injected directly into memory, facilitating AMSI (Antimalware Scan Interface) bypasses and seamless credential exfiltration.
- Stage 4: The .NET assembly exploits system APIs, targeting password storage and proxy settings, highlighting an explicit focus on both data theft and establishing resilient command and control (C2) communications.
Underground Ecosystem and Monetization
LummaStealer’s operators have institutionalized their monetization pipeline via an internal Telegram marketplace, supplying both aspiring and experienced threat actors.
Buyers can filter and purchase logs by country, wallet, or application-specific credentials, with a robust rating and review system mirroring legitimate e-commerce platforms.
The platform’s automation, advanced search functions, and direct cryptocurrency payments ensure a high degree of operational security and user convenience.
Security researchers have observed rapid iterations and enhancements to the LummaStealer suite, including non-resident loaders and modular payload morphing, particularly in versions aligned with the Professional and Corporate subscription tiers.
This trend underscores the ongoing professionalization of MaaS offerings, making advanced information-stealing tools accessible to a broader pool of cybercriminals.
The abuse of mshta.exe as a “living-off-the-land” binary (LOLBin) represents a substantial threat, as it enables attackers to evade application whitelisting and endpoint defenses. Organizations are urged to:
- Implement strict application control and monitoring for mshta.exe and PowerShell activities.
- Enhance phishing awareness to reduce social engineering success.
- Integrate IOCs into SIEM and EDR platforms for proactive detection and response.
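As an added illustration of the first recommendation (not code from Cybereason or the report), the following script applies the process chain described above to constructed Sysmon-style process-creation records: mshta.exe given a remote URL ending in a media extension, started from explorer.exe (the Run dialog), and then spawning PowerShell. The record format, field names and the example.invalid domain are assumptions for the sample, not indicators from the report.

```python
"""Added detection example: flag mshta.exe launched against a remote 'media' URL,
over constructed Sysmon-style process-creation records (not real telemetry)."""
import re
from dataclasses import dataclass

MEDIA_EXT = re.compile(r'\.(mp4|mp3|avi|mkv|mov)(?=[\s"?]|$)', re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent: str

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' record (simplified event format)."""
    f = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(f["Image"], f["CommandLine"], f["ParentImage"])

def classify(ev: ProcEvent) -> list[str]:
    """Return the rules this event matches; an empty list means nothing suspicious."""
    reasons = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image.endswith("\\mshta.exe"):
        if URL.search(ev.cmdline):
            reasons.append("mshta.exe fetching remote content")
        if MEDIA_EXT.search(ev.cmdline):
            reasons.append("mshta.exe argument disguised as a media file")
        if parent.endswith("\\explorer.exe"):
            reasons.append("mshta.exe started interactively (Run dialog, fake-CAPTCHA pattern)")
    if image.endswith("\\powershell.exe") and parent.endswith("\\mshta.exe"):
        reasons.append("PowerShell spawned by mshta.exe (second stage)")
    return reasons

def scan(log: str) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for each record that triggers at least one rule."""
    hits = []
    for line in filter(None, log.splitlines()):
        ev = parse_event(line)
        if reasons := classify(ev):
            hits.append((ev.image, reasons))
    return hits

# Constructed sample records; example.invalid is a placeholder, not an indicator from the report.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta https://example.invalid/clip.mp4|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -NoProfile|ParentImage=C:\\Windows\\System32\\mshta.exe
Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta C:\\intranet\\status.hta|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad readme.txt|ParentImage=C:\\Windows\\explorer.exe
"""
```

Only the first two records fire: the local .hta launched from cmd.exe and the notepad launch match no rule, which keeps the logic from alerting on ordinary administrative use of mshta.exe.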
LummaStealer’s evolving abuse of trusted Windows utilities and its integration with well-structured underground marketplaces highlight the necessity for robust endpoint monitoring, rapid IOC update cycles, and continuous user education to counteract such multi-faceted threats.
Indicators of Compromise (IOC)