Lumma Stealer (formerly LummaC2) is an info-stealer malware that has been sold on underground forums[1] since August 2022. Current versions of the malware are developed in the .NET programming language. It has gained attention for its ability to harvest sensitive data such as passwords, browser data, cryptocurrency wallets and more from infected systems. Lumma Stealer operates as a malware-as-a-service (MaaS) offering advertised on underground forums[2]. Lumma Stealer has previously been observed being distributed through phishing campaigns containing malicious attachments, but more recently it has been associated with fake CAPTCHA websites that encourage users to execute malicious payloads directly[3]. It has also been distributed through trojanized software setups, malicious advertisements, malicious attachments linked to YouTube videos, and software setup files shared on GitHub[4]. An example attack chain involving a fake update is outlined in Figure 1 below.
Figure 1. Lumma Stealer Attack Flow Diagram.
To demonstrate FortiEDR’s ability to detect and mitigate activity associated with the deployment of Lumma Stealer, we downloaded a zip file from a Lumma Stealer campaign, extracted the Lumma malware executable and detonated it to observe its behavior. Note that FortiEDR was set to ‘Log Only’ mode so that the complete malware behavior could be observed; in prevention mode, the behavior associated with these security events would be blocked by FortiEDR.
When the malware file ExtremeInjector.exe is executed, FortiEDR detects it as malicious based on matches with known malicious signatures obtained through FortiEDR’s integration with FortiGuard Threat Intelligence feeds, online sandbox analysis and machine learning engine integrations. This generates a ‘File Execution Attempt’ event triggered by the ‘Unconfirmed File Detected’ rule from the ‘Execution Prevention’ security policy. The resulting security event can be observed in Figure 2 below.
Figure 2. FortiEDR detects Lumma Stealer as malicious.
When execution is allowed to continue, ExtremeInjector.exe extracts a DLL file ‘nwoeccfdjrjxawfdtbmkwzlxsncja.dll’ in memory and loads it into the current process using reflective loading (T1620 - Reflective Code Loading). This generates an ‘In memory Execution’ event triggered by the ‘Unconfirmed Executable’ rule from the ‘Exfiltration Prevention’ security policy. This security event can be observed in Figure 3 below.
Figure 3. FortiEDR blocks the ‘In memory loading’ of DLL file by the malware executable.
Following this reflective loading, the process ‘ExtremeInjector.exe’ creates a DLL file named ‘d3d9.dll’ at the path ‘C:\Users\<UserName>\AppData\Roaming\d3d9.dll’. Since this process has already been flagged as malicious due to its previous behavior, this file creation is also detected and blocked by FortiEDR. This security event can be observed in Figure 4 below.
Figure 4. FortiEDR blocks creation of the d3d9.dll file by the malware process.
After creating this DLL, the process ‘ExtremeInjector.exe’ spawns a benign child process ‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe’. ‘aspnet_regiis.exe’ is a legitimate Microsoft .NET Framework file used to register ASP.NET applications within Microsoft IIS. The process ‘ExtremeInjector.exe’ performs process hollowing on the newly created ‘aspnet_regiis.exe’ process and injects code into it. Once the ‘aspnet_regiis.exe’ process has been hollowed and begins executing, the injected code starts connecting to various web URLs over HTTPS. Since the ‘aspnet_regiis.exe’ process had triggered the ‘Process Hollowing’ and ‘Process Injection’ rules, these C2 network communications were flagged as malicious and were detected and blocked by FortiEDR. This security event can be seen in Figure 5 below.
Figure 5. FortiEDR security event associated with network connection attempts from the hollowed ‘aspnet_regiis.exe’ process.
As part of these network connection attempts the hollowed process ‘aspnet_regiis.exe’ sends multiple HTTPS web requests to multiple URLs. The list of URLs is given in Figure 6 below.
Sr. No. | Communicated URL | Status
1 | hxxps[:]//beearvagueo[.]site:443 | Known Lumma C2
2 | hxxps[:]//steamcommunity[.]com:443 | Benign
3 | hxxps[:]//pedestriankodwu[.]xyz:443 | Known Lumma C2
4 | hxxps[:]//towerxxuytwi[.]xyz:443 | Known Lumma C2
5 | hxxps[:]//ellaboratepwsz[.]xyz:443 | Known Lumma C2
6 | hxxps[:]//penetratedpoopp[.]xyz:443 | Known Lumma C2
7 | hxxps[:]//swellfrrgwwos[.]xyz:443 | Known Lumma C2
8 | hxxps[:]//contintnetksows[.]shop:443 | Known Lumma C2
9 | hxxps[:]//foodypannyjsud[.]shop:443 | Known Lumma C2
10 | hxxps[:]//potterryisiw[.]shop:443 | Known Lumma C2
11 | hxxps[:]//extorteauhhwigw[.]shop:443 | Known Lumma C2
Figure 6. Table listing the URLs the Lumma Stealer sample communicated with.
The web requests associated with these C2 communication attempts can be observed in FortiEDR threat hunting telemetry, as shown in Figure 7 below.
Figure 7. FortiEDR threat hunting telemetry showing the C2 URLs accessed by the Lumma Stealer.
Leveraging FortiGuard threat intelligence through the Fortinet Central Threat System (CTS), we were able to identify ten of the eleven URLs as known Lumma C2 URLs. The remaining URL was for Steam Community, an online marketplace and forum linked to the Steam game service. CTS data related to these malicious URLs can be observed in Figure 8 below.
Figure 8. FortiGuard CTS data showing URLs identified in network traffic tagged with Lumma Stealer C2
Since we did not observe any credential dumping activity by the malware sample, it is likely that the Lumma payload did not get the expected response from the C2 server and, as a result, halted its operation. As shown in this article, the hollowed process was marked as malicious due to its suspicious loading behavior, so any further activities such as dumping credential files or reading data from browser-related files would be blocked by FortiEDR.
As highlighted in this article, FortiEDR is able to detect and mitigate the risk associated with Lumma Stealer. We suspect that at the time of testing the Lumma Stealer C2 server was down, so no credentials were dumped on the machine. FortiEDR is able to block the malware execution at the following stages:
We have observed different ways of distributing Lumma Stealer. The initial delivery mechanism may differ, but all campaigns executed the .NET Lumma Stealer executable. The activities of these stealer executables are blocked by FortiEDR as discussed in this article.
Some useful threat hunting queries and MITRE ATT&CK mappings are provided below to support proactive threat hunting efforts.
The following threat hunting query will detect Library Loaded events in which the .NET utility aspnet_regiis.exe loads DLL files related to web communication. This utility's normal function is to modify IIS-related settings; it does not need network communication and therefore has no reason to load libraries such as 'winhttp.dll', 'dnsapi.dll' or 'webio.dll'[5].
Type: ("Library Loaded") AND Source.Process.Name: ("aspnet_regiis.exe") AND Target.Executable.File.Name: ("winhttp.dll" OR "dnsapi.dll" OR "webio.dll")
The following threat hunting query will detect whether HTTP requests have been made to the following known Lumma C2 URLs. Note that these C2 URLs are from the currently analyzed campaign and may need to be adjusted for future campaigns.
Type: ("HTTP Request") AND (URL: "https\:\/\/extorteauhhwigw.shop\:443" OR "https\:\/\/potterryisiw.shop\:443" OR "https\:\/\/foodypannyjsud.shop\:443" OR "https\:\/\/contintnetksows.shop\:443" OR "https\:\/\/swellfrrgwwos.xyz\:443" OR "https\:\/\/penetratedpoopp.xyz\:443" OR "https\:\/\/ellaboratepwsz.xyz\:443" OR "https\:\/\/towerxxuytwi.xyz\:443" OR "https\:\/\/pedestriankodwu.xyz\:443" OR "https\:\/\/beearvagueo.site\:443")
The following threat hunting query will return Process Creation events in which a source process backed by an .exe file creates a process for the file 'aspnet_regiis.exe'. Normally this file is not invoked by other executables. False positives are possible where a custom legitimate executable runs 'aspnet_regiis.exe' for an official purpose, but a low false positive rate is expected.
Type: ("Process Creation") AND Source.Process.File.Ext:"exe" AND Target.Process.File.Name: ("aspnet_regiis.exe")
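To show how the three hunts above fit together outside the FortiEDR console, here is an added Python example (not code from the article or from Fortinet) that applies the same three rules to a batch of telemetry events. The flat event dictionary, keyed by the field names used in the queries, and the sample events are assumptions made for this example; the C2 URLs and DLL names are the ones the article lists.

```python
# Defanged C2 URLs from Figure 6 of the article (page values, not constructed).
LUMMA_C2_DEFANGED = [
    "hxxps[:]//beearvagueo[.]site:443", "hxxps[:]//pedestriankodwu[.]xyz:443",
    "hxxps[:]//towerxxuytwi[.]xyz:443", "hxxps[:]//ellaboratepwsz[.]xyz:443",
    "hxxps[:]//penetratedpoopp[.]xyz:443", "hxxps[:]//swellfrrgwwos[.]xyz:443",
    "hxxps[:]//contintnetksows[.]shop:443", "hxxps[:]//foodypannyjsud[.]shop:443",
    "hxxps[:]//potterryisiw[.]shop:443", "hxxps[:]//extorteauhhwigw[.]shop:443",
]
# DLLs that aspnet_regiis.exe has no legitimate need to load (from the first query above).
NETWORK_DLLS = {"winhttp.dll", "dnsapi.dll", "webio.dll"}

def refang(url):
    """Turn a defanged indicator (hxxps[:]//a[.]b) into a comparable, normalised URL."""
    fixed = url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")
    return fixed.strip().lower().rstrip("/")

LUMMA_C2 = {refang(u) for u in LUMMA_C2_DEFANGED}

def match_rule(event):
    """Return the hunting rule an event matches, or None. Keys mirror the field names
    in the article's queries; the flat dict layout is an assumption of this example."""
    kind = event.get("Type")
    src = event.get("Source.Process.Name", "").lower()
    if kind == "Library Loaded" and src == "aspnet_regiis.exe":
        if event.get("Target.Executable.File.Name", "").lower() in NETWORK_DLLS:
            return "aspnet_regiis.exe loads network DLL"
    if kind == "HTTP Request" and refang(event.get("URL", "")) in LUMMA_C2:
        return "request to known Lumma C2 URL"
    if (kind == "Process Creation"
            and event.get("Source.Process.File.Ext", "").lower() == "exe"
            and event.get("Target.Process.File.Name", "").lower() == "aspnet_regiis.exe"):
        return "aspnet_regiis.exe spawned by another exe"
    return None

def hunt(events):
    """Run all three rules over a batch of events and return (index, rule) hits."""
    return [(i, rule) for i, e in enumerate(events) if (rule := match_rule(e))]

# Constructed sample telemetry modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"Type": "Process Creation", "Source.Process.Name": "ExtremeInjector.exe",
     "Source.Process.File.Ext": "exe", "Target.Process.File.Name": "aspnet_regiis.exe"},
    {"Type": "Library Loaded", "Source.Process.Name": "aspnet_regiis.exe",
     "Target.Executable.File.Name": "winhttp.dll"},
    {"Type": "HTTP Request", "Source.Process.Name": "aspnet_regiis.exe",
     "URL": "https://pedestriankodwu.xyz:443/"},
    {"Type": "HTTP Request", "Source.Process.Name": "aspnet_regiis.exe",
     "URL": "https://steamcommunity.com:443"},  # benign per Figure 6, must not match
    {"Type": "Library Loaded", "Source.Process.Name": "aspnet_regiis.exe",
     "Target.Executable.File.Name": "kernel32.dll"},  # routine load, must not match
]
```

Running hunt(SAMPLE_EVENTS) flags the first three events, one per rule, and leaves the Steam Community request and the routine kernel32.dll load unflagged.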
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
TA0002 - Execution
Technique ID | Technique Description | Observed Activity
T1204 | User Execution | The victim is tricked into executing the initial malware executable embedded within the downloaded zip file.
TA0004 - Privilege Escalation
Technique ID | Technique Description | Observed Activity
T1055.012 | Process Injection: Process Hollowing | ExtremeInjector.exe creates the process aspnet_regiis.exe and then injects its own code into it through process hollowing.
T1055.002 | Process Injection: Portable Executable Injection | The process ExtremeInjector.exe attempted to load a DLL file in memory as an executable within the process.
TA0011 - Command and Control
Technique ID | Technique Description | Observed Activity
T1071.001 | Application Layer Protocol: Web Protocols | The Lumma sample uses the HTTPS web protocol for C2 communication.
T1573.002 | Encrypted Channel: Asymmetric Cryptography | HTTPS uses asymmetric cryptography, so the C2 communication takes place over an asymmetrically encrypted channel.
TA0005 - Defense Evasion
Technique ID | Technique Description | Observed Activity
T1027 | Obfuscated Files or Information | The main malware sample is obfuscated to make it difficult to reverse engineer.
T1620 | Reflective Code Loading | The main malware sample loads the DLL nwoeccfdjrjxawfdtbmkwzlxsncja.dll in memory using reflective loading.
T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Malware exe files are distributed in zip format to avoid being tagged with the Mark-of-the-Web.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | 33a2f464888fd8aedd2c4cd8f79e9e43321d8465 | SHA1 Hash | Installation | Lumma executable file | 2024-07-02
Malicious Executable | 65F8E0E219637833386B6CFE27BD2F8446A214F02149628C63DD0329501E17E6 | SHA256 Hash | Installation | Lumma executable file | 2024-07-02
Malicious Zip file | 4a850279e1427c8752661825588b5977f34f58ed | SHA1 Hash | Installation | Lumma executable file | 2024-10-01
Malicious Zip file | da1ca0395216ba48f6412fadf8f458b75adf56f27b93c27ba22b0f3a59023ce4 | SHA256 Hash | Installation | Lumma executable file | 2024-10-01
Malicious URL | hxxps[:]//beearvagueo[.]site:443 | URL | Command & Control | Lumma C2 URL | 2024-10-04
Malicious URL | hxxps[:]//pedestriankodwu[.]xyz:443 | URL | Command & Control | Lumma C2 URL | 2024-06-30
Malicious URL | hxxps[:]//towerxxuytwi[.]xyz:443 | URL | Command & Control | Lumma C2 URL | 2024-06-28
Malicious URL | hxxps[:]//ellaboratepwsz[.]xyz:443 | URL | Command & Control | Lumma C2 URL | 2024-06-28
Malicious URL | hxxps[:]//penetratedpoopp[.]xyz:443 | URL | Command & Control | Lumma C2 URL | 2024-06-30
Malicious URL | hxxps[:]//swellfrrgwwos[.]xyz:443 | URL | Command & Control | Lumma C2 URL | 2024-06-28
Malicious URL | hxxps[:]//contintnetksows[.]shop:443 | URL | Command & Control | Lumma C2 URL | 2024-06-28
Malicious URL | hxxps[:]//foodypannyjsud[.]shop:443 | URL | Command & Control | Lumma C2 URL | 2024-06-28
Malicious URL | hxxps[:]//potterryisiw[.]shop:443 | URL | Command & Control | Lumma C2 URL | 2024-06-28
Malicious URL | hxxps[:]//extorteauhhwigw[.]shop:443 | URL | Command & Control | Lumma C2 URL | 2024-06-28
[1] https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7
[2] https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer
[3] https://www.securityhq.com/blog/resurgence-in-lumma-stealer-malware-campaigns-notes-from-the-field/
[4] https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube
[5] https://learn.microsoft.com/en-us/previous-versions/k6h9cz8h(v=vs.100)
Copyright 2025 Fortinet, Inc. All Rights Reserved.