Researchers Discover New Variant of Lumma InfoStealer Featuring Code Flow Obfuscation

A newly discovered variant of the Lumma InfoStealer malware has been analyzed by researchers at the Trellix Advanced Research Center, revealing significant enhancements in its stealth and persistence mechanisms.

Originally identified in 2022, Lumma continues to evolve rapidly, posing serious risks to personal and organizational data.

The latest analysis highlights the stealer’s aggressive use of code flow obfuscation and dynamic API resolution to evade detection and hinder reverse engineering activities.

[Figure: Lumma stealer’s infection chain]

Stealthy Infection Chain and Obfuscation

The recent campaign leverages heavily obfuscated PowerShell scripts as an initial infection vector.

These scripts deliver and execute two key payloads: a Crypto Obfuscator-protected .NET loader (GOO.dll) and the Lumma Stealer binary itself.

The loader injects the malicious payload into the legitimate RegSvcs.exe process, allowing Lumma to operate under the guise of a trusted Windows utility.

This sophisticated delivery not only evades sandbox-based analysis but also complicates detection by endpoint security systems.

According to the report, once executed, Lumma employs several advanced anti-analysis techniques.

Most notably, it uses code flow obfuscation: the logical links between code blocks are dynamically calculated at runtime, breaking the code flow in a way that defeats static analysis and decompilation tools.

The malware also decrypts and resolves API names dynamically at runtime, bypassing the conventional patterns that security solutions monitor.

By leveraging direct inspection of the Process Environment Block (PEB) and custom API hash tables, Lumma avoids calling functions like LoadLibrary and GetProcAddress that are often flagged by behavioral detection systems.

[Figure: Syscall hash table]
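The custom API hash tables described above are typically recovered by an analyst by hashing every export name of the relevant DLL under a candidate algorithm and matching the results against the values found in the sample. The following is an added example of that analyst workflow, not code from the Trellix report or from Lumma; the page does not state which hash Lumma uses, so FNV-1a (32-bit) and ROR13 are assumed here as candidate algorithms, and the export list and "recovered" hash values are constructed.

```python
# Added example: resolving a recovered API hash table back to export names.
# The hash algorithms below are assumed candidates; Lumma's actual algorithm
# is not stated on the page.

# Constructed export list standing in for a real ntdll.dll/kernel32.dll export table.
SAMPLE_EXPORTS = [
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "NtCreateThreadEx", "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
]

def fnv1a32(name: str) -> int:
    """FNV-1a, 32-bit (assumed candidate algorithm)."""
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

def ror13(name: str) -> int:
    """ROR13 additive hash (assumed candidate algorithm)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h

CANDIDATES = {"fnv1a32": fnv1a32, "ror13": ror13}

def build_lookup(exports):
    """Map (algorithm, hash) -> export name for every candidate algorithm."""
    table = {}
    for algo, fn in CANDIDATES.items():
        for name in exports:
            table[(algo, fn(name))] = name
    return table

def resolve_hashes(hashes, exports=SAMPLE_EXPORTS):
    """Return {hash: (algorithm, name)}; hashes matching no candidate map to None."""
    lookup = build_lookup(exports)
    out = {}
    for h in hashes:
        out[h] = None
        for algo in CANDIDATES:
            if (algo, h) in lookup:
                out[h] = (algo, lookup[(algo, h)])
                break
    return out

if __name__ == "__main__":
    # Constructed "recovered" table: values an analyst would pull from a sample.
    recovered = [ror13("NtAllocateVirtualMemory"), ror13("NtCreateThreadEx"), 0xDEADBEEF]
    for h, hit in resolve_hashes(recovered).items():
        print(f"{h:#010x} -> {hit}")
```

Against a real sample the export list would be read from the target DLL's export directory and further candidate algorithms added until every recovered value resolves.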

Additionally, the stealer supports the “Heaven’s Gate” technique, enabling 32-bit code to execute 64-bit instructions on compatible systems.

Lumma even remaps ntdll.dll for clean, unhooked syscall invocation, minimizing the risk of interception by modern endpoint detection and response (EDR) products.

Sandbox and Regional Awareness

Lumma checks for artifacts associated with known sandboxes, antivirus DLLs, and virtual machines using hardcoded hashes.

If the malware detects a Russian system locale (language code 0x419), it terminates its execution to avoid infecting devices in that region, a common tactic among malware originating from Russian-speaking threat actors.

C2 communication is protected through encrypted domain lists and backup mechanisms.

If all C2 domains are unreachable, Lumma generates new C2 URLs from Steam Community profile usernames, which are themselves encrypted and regularly updated.

Once communication is established, the stealer receives an encrypted configuration file specifying targets for data theft, including web browsers, cryptocurrency wallets, password managers, VPN clients, FTP applications, and messaging apps like Telegram and Discord.

The exfiltration process is highly automated, identifying nearly 90 specific applications and critical file locations across a compromised host.

Lumma also attempts to disable ETWTi (Event Tracing for Windows Threat Intelligence) callbacks that security tools rely on, further impeding incident detection and response.

This latest Lumma variant exemplifies the ongoing arms race between malware developers and the security industry, showcasing a blend of innovative evasion and modular data theft.

Organizations must proactively update defenses, leverage behavioral analytics, and maintain rigorous endpoint protection to counter this evolving threat.

Indicators of Compromise (IoCs)

| Type | Value | Description |
|---|---|---|
| SHA256 | 80741061ccb6a337cbdf1b1b75c4fcfae7dd6ccde8ecc333fcae7bcca5dc8861 | Lumma binary sample |
| SHA256 | 253cdcfd6f8b6e52133bc59df92563e432b335d2a207f2f8e01fac2423ccbac8 | Obfuscated PowerShell script |
| SHA256 | 101e4eabfde77d3a2d3877042a72bed101973d0c511ba031e6e27785d48f61fd | GOO.dll loader |
| C2 Domain | http[:]//blast-hubs.com/ | Primary C2 |
| C2 Domain | http[:]//mercharena.biz/ | Active C2 domain |
| C2 Domain | https[:]//nikolay-romanov[.]su/ | Steam profile-based backup C2 |
| Technique | T1027 | Code flow & API obfuscation |
| Technique | T1562 | ETWTi callback disablement |
| Technique | T1082 | System information discovery |
| Targeted Files | %appdata%\Ethereum\keystore, %localappdata%\Google\Chrome\UserData, %appdata%\Bitwarden\data.json, etc. | Wallets, browsers, password data |


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
