Microsoft’s Investigation into Lumma Stealer
Microsoft Threat Intelligence has been tracking Lumma Stealer, a malware as a service (MaaS) offering used by multiple financially motivated threat actors to target various industries. Our investigation reveals a dynamic and resilient ecosystem spanning phishing, malvertising, abuse of trusted platforms, and traffic distribution systems.
Lumma Stealer Distribution Infrastructure
Lumma Stealer leverages a broad and evolving set of delivery vectors, including:
- Phishing emails impersonating known brands and services
- Malvertising through fake advertisements in search engine results
- Drive-by downloads on compromised websites
- Trojanized applications bundled with Lumma binaries distributed through file-sharing platforms
- Abuse of legitimate services like GitHub, and the ClickFix technique, which uses fake CAPTCHA pages
- Dropped by other malware like DanaBot
These methods demonstrate threat actors’ resourcefulness in impersonation tactics and multi-vector delivery strategies to evade detection.
Technical Analysis of Lumma Stealer
The core Lumma Stealer malware is written in C++ and ASM, with advanced obfuscation techniques such as LLVM core, Control Flow Flattening (CFF), and Control Flow Obfuscation. It targets Chromium-based and Mozilla-based browsers, including Microsoft Edge, and steals sensitive information like saved passwords, session cookies, autofill data, cryptocurrency wallets, and extension data.
Process Injection and Information-Stealing Capabilities
Lumma Stealer uses process hollowing to inject its malicious payload into legitimate system processes. It targets a comprehensive set of user data, including:
- Browser credentials and cookies
- Cryptocurrency wallets and extensions
- Data from applications such as VPN clients, email clients, FTP clients, and Telegram
- User documents with specific file extensions (.pdf, .docx, .rtf)
- System metadata like CPU information, OS version, and installed applications
C2 Communication
Lumma Stealer maintains a robust C2 infrastructure using a combination of hardcoded tier 1 C2s, fallback C2s hosted as Steam profiles and Telegram channels, and Cloudflare proxying in front of the servers. C2 communication is encrypted with HTTPS, with a different type of obfuscation applied to each set of C2 servers.
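Because Steam and Telegram are legitimate, heavily visited services, the fallback-C2 pattern described above cannot be blocked on hostname alone; the useful signal is which process made the request. The following PowerShell triage routine is an added example, not code from the Microsoft report. It runs over a handful of constructed network-event records (field names, device names, process names and URLs are all assumptions for illustration) and flags Steam-profile or Telegram-channel URLs contacted by anything other than a browser or the real Steam/Telegram client.

```powershell
# Added example (not from the Microsoft report): triage constructed network-event
# records for the Steam-profile / Telegram-channel fallback-C2 pattern the report
# describes. Field names, hosts and sample values are assumptions for illustration.

$Records = @'
Timestamp,Device,InitiatingProcess,Url
2025-05-20T09:14:02Z,WS-0117,msedge.exe,https://steamcommunity.com/profiles/76561199000000001
2025-05-20T09:15:44Z,WS-0117,steam.exe,https://steamcommunity.com/profiles/76561199000000001
2025-05-20T09:16:10Z,WS-0233,explorer.exe,https://steamcommunity.com/profiles/76561199000000002
2025-05-20T09:16:12Z,WS-0233,explorer.exe,https://t.me/s/examplechannel
2025-05-20T09:20:31Z,WS-0310,chrome.exe,https://t.me/s/examplechannel
'@ | ConvertFrom-Csv

# Processes for which contact with these services is expected (constructed allow-list;
# tune it to the software actually deployed in your environment).
$ExpectedProcesses = @(
    'msedge.exe', 'chrome.exe', 'firefox.exe', 'brave.exe',
    'steam.exe', 'steamwebhelper.exe', 'telegram.exe'
)

# URL shapes the report associates with fallback C2 hosting (profile pages and channels).
$FallbackPatterns = @(
    '^https://steamcommunity\.com/profiles/',
    '^https://t\.me/'
)

function Get-SuspiciousFallbackC2Contact {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $hitsPattern = $false
        foreach ($p in $FallbackPatterns) {
            if ($e.Url -match $p) { $hitsPattern = $true; break }
        }
        if (-not $hitsPattern) { continue }

        # A browser or the genuine client visiting these pages is normal traffic;
        # any other initiating process deserves analyst attention.
        if ($ExpectedProcesses -contains $e.InitiatingProcess.ToLower()) { continue }

        [pscustomobject]@{
            Timestamp = $e.Timestamp
            Device    = $e.Device
            Process   = $e.InitiatingProcess
            Url       = $e.Url
            Reason    = 'Non-browser process contacted a Steam profile or Telegram channel URL'
        }
    }
}

# With the constructed records above, only the two explorer.exe rows from WS-0233 are returned.
Get-SuspiciousFallbackC2Contact -Events $Records | Format-Table -AutoSize
```

The check needs endpoint telemetry that records the initiating process (EDR network events), not just a web proxy log, which is why the sample records carry an InitiatingProcess column. Expect legitimate exceptions (embedded browser components, chat clients that preview links) and add them to the allow-list rather than widening the URL patterns.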
Mitigation Strategies
To reduce the impact of this threat, Microsoft recommends:
- Strengthening Microsoft Defender for Endpoint configuration
- Enabling tamper protection, network protection, and web protection
- Running endpoint detection and response (EDR) in block mode
- Configuring investigation and remediation in full automated mode
- Implementing attack surface reduction rules to prevent common attack techniques
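The settings in the list above are a mix of what can be set locally and what is managed centrally. The PowerShell script below is an added example, not code from the Microsoft report: it audits a Windows endpoint for those settings using the Defender PowerShell module, turns on network protection (which also drives web protection), and sets a handful of attack surface reduction rules relevant to the delivery vectors described earlier. Tamper protection and EDR in block mode cannot be enabled with Set-MpPreference; they are managed from Intune or the Defender portal, so the script only reports their state. The choice of ASR rules is this example's assumption, and the GUIDs are Microsoft's published rule identifiers, which should be confirmed against the current ASR rule reference before deployment.

```powershell
# Added example (not from the Microsoft report): audit a Windows endpoint for the
# Defender for Endpoint hardening the report recommends and enable the settings that
# the Defender PowerShell module exposes. Run from an elevated prompt.
# Tamper protection and EDR in block mode are managed centrally (Intune / Defender
# portal) and cannot be turned on with Set-MpPreference; here they are only checked.

#Requires -RunAsAdministrator

# ASR rules chosen for the phishing / malvertising / ClickFix delivery vectors (assumed set).
# GUIDs are Microsoft's published rule identifiers; confirm against the current ASR reference.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet prevalence, age, or trusted-list criteria'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

function Get-LummaHardeningStatus {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Map configured rule GUID -> action (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $configured = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }

    [pscustomobject]@{
        TamperProtected    = $status.IsTamperProtected          # set via Intune / Defender portal only
        RealTimeProtection = $status.RealTimeProtectionEnabled
        NetworkProtection  = $pref.EnableNetworkProtection     # 0 Disabled, 1 Enabled, 2 Audit
        AsrRulesNotBlocking = @($AsrRules.Keys | Where-Object { $configured[$_] -ne 1 } |
                               ForEach-Object { $AsrRules[$_] })
    }
}

function Enable-LummaHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('Microsoft Defender', 'Enable network protection (also drives web protection)')) {
        Set-MpPreference -EnableNetworkProtection Enabled
    }
    foreach ($id in $AsrRules.Keys) {
        if ($PSCmdlet.ShouldProcess($AsrRules[$id], 'Set ASR rule to Block')) {
            # Add-MpPreference appends to the existing rule list rather than replacing it.
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
        }
    }
}

$before = Get-LummaHardeningStatus
if (-not $before.TamperProtected) {
    Write-Warning 'Tamper protection is off; enable it from Intune or the Defender portal.'
}
Write-Host 'EDR in block mode and automated investigation level are portal settings; verify them in the Defender portal.'

Enable-LummaHardening -WhatIf   # remove -WhatIf to apply the changes
Get-LummaHardeningStatus | Format-List
```

Roll the ASR rules out in audit mode first (pass AuditMode instead of Enabled) and review the resulting events before switching to Block, since the prevalence/age rule in particular can interfere with legitimate but rarely seen internal tools.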
Additional recommendations include requiring multifactor authentication (MFA), leveraging phishing-resistant authentication methods, and enabling Network Level Authentication for Remote Desktop Service connections.