
Lumma stealer’s infection chain | Image: Trellix Advanced Research Center
Lumma Stealer, a prevalent threat since its emergence in 2022, continues to evolve its tactics to evade detection and maximize its impact. A recent analysis by Trellix Advanced Research Center has dissected the latest version of this Malware-as-a-Service (MaaS), revealing sophisticated techniques designed to thwart analysis and security measures.
Lumma Stealer is distributed through obfuscated PowerShell scripts that employ Base64 encoding to conceal two executable files: a .NET loader (GOO.dll) and the Lumma payload itself. The PowerShell script leverages the Reflection API to load the .NET executable, which in turn injects the Lumma binary into the RegSvcs.exe process. This injection allows the malware to operate under the guise of a legitimate utility.
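The delivery stage described above has two observable traits that a script-block inspector can look for: a long Base64 string that decodes to a PE image (an "MZ" header with a valid e_lfanew pointing at "PE\0\0"), and a call to the .NET Reflection API to load it in memory. The following is an added defensive example, not code from the article or from Trellix; the sample script is constructed here and its Base64 blob is a fake PE header with no real code in it. It decodes candidate Base64 runs, checks for the PE structure and reports whether a reflective load is present.

```python
import base64
import binascii
import re

# Constructed fake PE: "MZ" header, e_lfanew at offset 0x3C pointing to a "PE\0\0"
# signature at offset 0x40, then zero padding. It is not an executable image.
FAKE_PE = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 40

# Constructed sample script in the style the article describes (Base64 payload,
# Convert.FromBase64String, Reflection.Assembly.Load). Not the real loader.
SAMPLE_SCRIPT = (
    "$a = '" + base64.b64encode(FAKE_PE).decode() + "';\n"
    "$b = [System.Convert]::FromBase64String($a);\n"
    "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)\n"
)

# Runs of 64+ Base64 characters; shorter strings are rarely embedded binaries.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Reflection API load, with or without the System. prefix, case-insensitive.
REFLECTION_RE = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.IGNORECASE)


def embedded_pe_blobs(script_text):
    """Return metadata for every Base64 run that decodes to something PE-shaped."""
    found = []
    for m in B64_RE.finditer(script_text):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not well-formed Base64, ignore
        if len(data) < 0x40 or data[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        has_pe_sig = (
            e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
        )
        found.append({"offset": m.start(), "size": len(data), "pe_signature": has_pe_sig})
    return found


def analyse_script(script_text):
    """Combine the two indicators into a simple triage verdict."""
    blobs = embedded_pe_blobs(script_text)
    uses_reflection = bool(REFLECTION_RE.search(script_text))
    if blobs and uses_reflection:
        verdict = "suspicious"   # embedded PE plus in-memory load: loader pattern
    elif blobs or uses_reflection:
        verdict = "review"       # one indicator alone has benign uses
    else:
        verdict = "clean"
    return {"embedded_pe": blobs, "reflection_load": uses_reflection, "verdict": verdict}


if __name__ == "__main__":
    print(analyse_script(SAMPLE_SCRIPT))
```

Feed it the ScriptBlockText from PowerShell script block logging (Event ID 4104) rather than the on-disk file, since the logged text is what actually ran. The Base64 regex only catches a payload stored as one contiguous literal; loaders that split the string across concatenations or variables need the script deobfuscated first.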
The latest Lumma version incorporates advanced code flow obfuscation, significantly hindering decompilers and rendering static analysis ineffective. According to the Trellix analysis, “Lumma employs advanced codeflow obfuscation techniques to significantly complicate the analysis,” making it difficult to uncover the program’s true logic.
To further evade detection, Lumma utilizes API hashing to dynamically resolve API functions at runtime, avoiding the use of easily monitored APIs like LoadLibrary and GetProcAddress.
On 64-bit systems, Lumma employs the Heaven’s Gate technique to execute 64-bit code from a 32-bit process, switching into 64-bit mode with a far jump to the 0x33 code segment selector (the ‘jmp far 33’ instruction).
Lumma also attempts to disable Event Tracing for Windows (ETW) by invoking the NtSetInformationProcess API to remove callbacks set by security software, preventing monitoring of its system calls. The analysis states that “By setting the Callback field to 0 in the structure, callbacks set by security software like ETW (Event Tracing for Windows) are removed and this prevents those software from monitoring the system calls made by Lumma stealer.”
Lumma Stealer incorporates anti-sandbox techniques to detect and evade analysis within virtual environments. It achieves this by checking for the presence of specific sandbox and antivirus-related DLLs. Additionally, Lumma may perform virtual machine detection based on the C2 server’s response, using the CPUID instruction to identify VM environments.
Lumma establishes command and control (C2) communication over encrypted domains, with a fallback that derives C2 URLs from the Steam community website when the primary domains are unavailable. The malware exfiltrates a wide range of sensitive data, targeting information from web browsers, email applications, cryptocurrency wallets, and password managers. The configuration file details the specific data to be stolen, including file paths and application data.
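The injection into RegSvcs.exe described at the start of the article leaves a process-tree trail that endpoint telemetry can catch independently of the obfuscation inside the payload. The block below is an added example, not code from the article or from Trellix: it runs a few heuristic rules over constructed Sysmon-style events (simplified field names, made-up paths and a truncated encoded-command placeholder) and returns the rule names that fire. The "no arguments" heuristic reflects that the legitimate RegSvcs.exe tool takes an assembly path on its command line.

```python
# Constructed sample events in a simplified Sysmon shape. EventId 1 is process
# creation, EventId 8 is CreateRemoteThread. Paths and command lines are made up.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

EVENTS = [
    {"EventId": 1, "Image": PS_PATH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA_PLACEHOLDER"},
    {"EventId": 1, "Image": REGSVCS_PATH, "ParentImage": PS_PATH,
     "CommandLine": "RegSvcs.exe"},
    {"EventId": 8, "SourceImage": PS_PATH, "TargetImage": REGSVCS_PATH},
    # Benign noise: a browser launched from Explorer with an ordinary command line.
    {"EventId": 1, "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "browser.exe --profile-directory=Default"},
]

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-e ", "-ec")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names this single event triggers."""
    hits = []
    if event.get("EventId") == 1:
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        cmd_lower = cmd.lower()
        # Rule 1: PowerShell launched with an encoded command line.
        if image in POWERSHELL_NAMES and any(f in cmd_lower for f in ENCODED_FLAGS):
            hits.append("encoded_powershell")
        # Rule 2: RegSvcs.exe spawned by PowerShell (unusual parent for a .NET tool).
        if image == "regsvcs.exe" and parent in POWERSHELL_NAMES:
            hits.append("regsvcs_from_powershell")
        # Rule 3 (heuristic): RegSvcs.exe started without an assembly argument,
        # which is how a hollowed host looks rather than a real registration.
        if image == "regsvcs.exe" and len(cmd.split()) <= 1:
            hits.append("regsvcs_no_arguments")
    elif event.get("EventId") == 8:
        # Rule 4: a remote thread created inside RegSvcs.exe by another process.
        if basename(event.get("TargetImage", "")) == "regsvcs.exe":
            hits.append("remote_thread_into_regsvcs")
    return hits


def scan(events):
    """Map each triggered rule to the indexes of the events that fired it."""
    alerts = {}
    for idx, ev in enumerate(events):
        for rule in evaluate(ev):
            alerts.setdefault(rule, []).append(idx)
    return alerts


if __name__ == "__main__":
    for rule, idxs in scan(EVENTS).items():
        print(f"{rule}: events {idxs}")
```

Each rule alone produces some false positives (developers do launch .NET tools from PowerShell), so the useful signal is the combination: an encoded PowerShell process that becomes the parent of, or injects a thread into, RegSvcs.exe within a short window.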
The decrypted config reveals a vast loot list:
- 89 wallet and password manager apps (MetaMask, TrustWallet, BinanceChainWallet, LastPass)
- Mail clients (TheBat, Pegasus, Mailbird)
- VPNs, cloud storage, FTP tools, and browsers
- Critical file paths searched and exfiltrated, with size limits and recursion rules
Lumma Stealer demonstrates a high level of sophistication in its design and implementation. By employing advanced obfuscation, anti-analysis, and evasion techniques, it poses a significant challenge to security measures.