Lumma Stealer, an information-stealing malware, is spreading through Telegram channels disguised as cracked software; Telegram's popularity lets the distributors reach a large audience while bypassing the security checks a download from a website would face.
Researchers detect it as Trojan:Win/Lummastealer.SD on the basis of threat intelligence and real-time monitoring; the infection is most prevalent in India, followed by the USA and Europe.
Two related Telegram channels, hitbase (42k subscribers) and sharmamod (8.66k subscribers), forward messages to each other, likely to widen distribution.
The analyzed CCleaner 2024.rar archive contains a malicious .NET executable that uses a custom decryption function to decrypt two encrypted data blocks in memory.
The first decrypted block contains API calls associated with process injection, indicating that the malware injects code into running processes in order to persist and execute its payload on the compromised system.
Analysis revealed a multi-stage attack that injects into RegAsm.exe: the initial stage, a Visual C++ compiled binary, decrypts two .NET payloads (Lumma_stealer and clipper) and writes them to the AppData\Roaming folder.
Both payloads use the same decryption method as the primary executable, which points to a coordinated, well-engineered attack.
The Lumma stealer payload is a 32-bit GUI PE hidden within a .NET file; it dynamically loads winhttp.dll for network communication, and decoding the Base64 strings in the binary reveals the obfuscated C2 server domains.
It connects to these pre-defined domains and also extracts a Steam account name to construct another C2 domain dynamically, so that data can be exfiltrated to attacker-controlled servers through C2 channels generated at run time, which evades basic static detection of hard-coded domains.
The .NET stealer executable ("Runtime64.exe") obfuscates usernames and steals data; it decodes a Base64-encoded configuration fetched from the C2 server ("marshal-zhukov.com") that targets browser data, FTP/email credentials, system details, and cryptocurrency wallets.
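One way to pull obfuscated C2 domains out of a sample like the one described above, as an added example rather than McAfee's tooling or the malware's own code: it walks both printable-ASCII and UTF-16LE string runs (the latter because .NET stores managed string literals as UTF-16), decodes anything Base64-shaped, and keeps only decodes that look like domain names. The sample bytes, the placeholder domains and the run-length thresholds are constructed for the demonstration; the real sample's strings and domains are not reproduced.

```python
import base64
import binascii
import re

# Printable-ASCII runs (what `strings` finds) and UTF-16LE runs, which is how
# .NET stores managed string literals in the #US heap.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
B64_TOKEN = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed stand-in for a stealer binary: header bytes, filler, and a few
# embedded strings. The domains are placeholders, not the sample's real C2s.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + base64.b64encode(b"example-c2.test") + b"\x00"      # ASCII Base64 C2 domain
    + b"some plain string\x00"                            # readable, not Base64
    + base64.b64encode(b"/api") + b"\x00"                 # Base64, but a path
    + b"SGVsbG8=\x00\x00"                                 # "Hello": decodes, not a domain
    + base64.b64encode(b"another-c2.example").decode().encode("utf-16-le")  # managed string
    + b"\x00\x00\xff\xfe\x00"
)


def candidate_tokens(data: bytes):
    """Yield printable runs from both the ASCII and the UTF-16LE pass as bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.group(0)
    for m in UTF16LE_RUN.finditer(data):
        yield m.group(0).decode("utf-16-le").encode("ascii")


def decode_b64_strings(data: bytes) -> dict:
    """Decode every Base64-looking string and sort the readable results into
    domain names versus everything else (paths, keys, decoys)."""
    found = {"domains": [], "other": []}
    for token in candidate_tokens(data):
        # Real Base64 is a multiple of 4 long once padded; skip anything else early.
        if len(token) % 4 or not B64_TOKEN.match(token):
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if not decoded.isprintable():
            continue  # binary blob, not a string worth listing here
        found["domains" if DOMAIN.match(decoded) else "other"].append(decoded)
    return found


if __name__ == "__main__":
    for kind, values in decode_b64_strings(SAMPLE_BINARY).items():
        print(kind, values)
```

Run it against a real dump by replacing SAMPLE_BINARY with the file's bytes; the domain bucket is the starting point for blocking and for pivoting in threat intelligence, while the "other" bucket usually holds paths, configuration keys and decoy strings. The Steam-derived domain described above is built at run time and will not appear in a static pass like this one.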
The clipper payload monitors the clipboard with predefined regex patterns for cryptocurrency wallet addresses and, on a match, replaces the address with an attacker-controlled one so that funds are diverted; it uses a mutex to prevent duplicate instances, sets itself to run at startup, and hides its presence.
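The clipper's swap logic and the check that catches it, as an added example that is not the clipper's recovered code: the regexes are written from the public address formats (Base58 for Bitcoin legacy and Tron, bech32 for native SegWit, 40 hex digits for Ethereum) and are assumptions about what such a clipper matches; the clipboard text and the attacker addresses are constructed placeholders, and the mutex and startup persistence are not modeled.

```python
import re

# Address shapes a clipper looks for. These are this example's own patterns,
# written from the public address formats, not the regexes recovered from the sample.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),  # P2PKH / P2SH, Base58
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),        # bech32 / bech32m
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),                        # Ethereum and EVM chains
    "trx": re.compile(r"\bT[a-km-zA-HJ-NP-Z1-9]{33}\b"),                # Tron, Base58
}

# Constructed sample data: regex-shaped placeholders, not checksummed addresses,
# and the "attacker" addresses are invented for the demonstration.
VICTIM_CLIPBOARD = (
    "pay 1AbCdEfGhJkLmNpQrStUvWxYz23456789A for the invoice, "
    "or 0x1234567890abcdef1234567890abcdef12345678 on mainnet"
)
ATTACKER_ADDRESSES = {
    "btc_legacy": "1ZzYyXxWwVvUuTtSsRrQqPpNnMmKkJjHhG",
    "eth": "0x" + "deadbeef" * 5,
}


def find_wallets(text: str) -> list:
    """Return (kind, address) for each wallet-shaped token, in pattern order."""
    return [(kind, m.group(0))
            for kind, pat in WALLET_PATTERNS.items()
            for m in pat.finditer(text)]


def clipper_swap(clipboard: str, attacker: dict) -> str:
    """What the clipper does on every clipboard change: rewrite each matched
    address with the attacker's address of the same kind, leaving the rest intact."""
    for kind, pat in WALLET_PATTERNS.items():
        if kind in attacker:
            clipboard = pat.sub(attacker[kind], clipboard)
    return clipboard


def detect_swap(copied: str, current: str) -> list:
    """Defensive check at paste time: an address the user copied is gone and an
    address of the same kind has appeared. Returns (kind, original, replacement)."""
    before = find_wallets(copied)
    after = find_wallets(current)
    findings = []
    for kind, addr in before:
        if addr in current:
            continue
        for kind2, repl in after:
            if kind2 == kind:
                findings.append((kind, addr, repl))
                break
    return findings


if __name__ == "__main__":
    tampered = clipper_swap(VICTIM_CLIPBOARD, ATTACKER_ADDRESSES)
    print(tampered)
    print(detect_swap(VICTIM_CLIPBOARD, tampered))
```

The swap preserves surrounding text, which is why the substitution goes unnoticed: the only visible difference is the address itself. The practical defence is the one detect_swap models, comparing the address actually pasted into the wallet with the one that was copied before confirming a transfer.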
According to McAfee, Lumma Stealer's rapid spread through Telegram channels shows how malware capable of stealing sensitive data keeps changing its distribution, and underscores the need for robust security controls.
Users can reduce the risk from threats such as Lumma Stealer by treating cracked-software offers on messaging channels with suspicion and by running a comprehensive security solution.