LummApp Malware Campaign: Researcher Exposes Advanced Data Stealing Operation
In a recent revelation, Team Axon, the elite threat hunting division at Hunters, exposed a sophisticated malware campaign named “LummApp.” This operation employs a combination of advanced techniques, including DLL side-loading and browser extension-based attacks, to infiltrate systems, exfiltrate sensitive data, and evade detection.
LummApp’s core payload is the Lumma Stealer (LummaC2), an info-stealer sold as malware-as-a-service (MaaS) and designed to extract credentials, financial data, and more. As noted in the report, “Lumma remains a significant threat to individuals and organizations alike.” The malware also deploys malicious browser extensions capable of capturing screenshots, manipulating clipboard content, and tracking user browsing behavior.
The infection begins on websites offering cracked software or torrents. Users are lured into downloading ZIP files containing malicious MSI installers. Once executed, these installers unpack DLL files into directories under the user’s %AppData% folder (AppData\Roaming), a user-writable location where the attack takes shape.
A key technique exploited by LummApp is DLL side-loading. Legitimate signed executables, including obs-ffmpeg-mux.exe and Nvidia GeForce Experience.exe, are dropped alongside attacker-controlled DLLs so that the Windows loader resolves the malicious copies from the executable’s own directory instead of the genuine ones. Because the process that loads the code is signed and trusted, this tactic allows attackers to bypass traditional security controls and maintain persistence.
“The malware bypasses security controls and executes further malicious actions on the system,” the report highlights. These actions include injecting the Lummac2 executable into trusted system processes like explorer.exe.
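The side-loading pattern above is something a threat hunter can look for in image-load telemetry: a signed executable running out of a user-writable directory that maps an unsigned DLL sitting in that same directory. The following is an added example, not code from the report or from Hunters; the event records are constructed to resemble the fields of a Sysmon Event ID 7 (ImageLoaded), the ImageSigned field is an assumption (Sysmon only reports the signature of the loaded DLL, so in practice you would join against the process image’s signature separately), and the DLL filename is hypothetical.

```python
"""Hunt for DLL side-loading in image-load events.

Rule: a SIGNED host executable, running from a USER-WRITABLE directory,
loads an UNSIGNED DLL from that SAME directory.
"""
import ntpath
from typing import Iterable

# Markers for locations a standard user can write to under C:\Users\<name>\.
# Signed binaries normally live under Program Files / Windows, so a copy
# executing from one of these paths is already suspicious.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\")


def is_user_writable(path: str) -> bool:
    """True if the path is under a user profile directory a non-admin can write to."""
    p = path.lower()
    return p.startswith("c:\\users\\") and any(m in p for m in USER_WRITABLE_MARKERS)


def same_directory(a: str, b: str) -> bool:
    """Case-insensitive comparison of the directory part of two Windows paths."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def is_side_load_candidate(ev: dict) -> bool:
    """Apply the side-loading rule to one constructed image-load record."""
    image, loaded = ev["Image"], ev["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return False
    # The host process must be signed: that is what makes side-loading useful
    # to the attacker (the trusted signature belongs to the host, not the DLL).
    if ev.get("ImageSigned", "false").lower() != "true":          # assumed field
        return False
    # A DLL with a valid signature is not the payload we are hunting for.
    if ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return False
    return same_directory(image, loaded) and is_user_writable(image)


def hunt(events: Iterable[dict]) -> list:
    """Return (host_image, loaded_dll) pairs that match the side-loading rule."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in events if is_side_load_candidate(ev)]


# Constructed sample telemetry (not real events). Only the first record is a hit.
OBS_DIR = r"C:\Users\alice\AppData\Roaming\OBS"
SAMPLE_EVENTS = [
    {   # signed OBS binary copied into AppData loads an unsigned sibling DLL -> HIT
        "Image": OBS_DIR + r"\obs-ffmpeg-mux.exe", "ImageSigned": "true",
        "ImageLoaded": OBS_DIR + r"\avcodec.dll",   # hypothetical filename
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # same host loading a signed system DLL -> benign
        "Image": OBS_DIR + r"\obs-ffmpeg-mux.exe", "ImageSigned": "true",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # OBS in its real install location loading its own unsigned plugin -> not user-writable
        "Image": r"C:\Program Files\obs-studio\bin\64bit\obs-ffmpeg-mux.exe", "ImageSigned": "true",
        "ImageLoaded": r"C:\Program Files\obs-studio\bin\64bit\avcodec.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # unsigned host loading an unsigned DLL: bad, but not side-loading (no trusted host)
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "ImageSigned": "false",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for host, dll in hunt(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {host} loaded {dll}")
```

The third record shows why the user-writable check matters: legitimate software ships unsigned DLLs beside signed executables all the time, and the signal comes from the signed host having been relocated to a directory the attacker could write to. In a real hunt, also compare the DLL name against the one the host imports from its install location, and alert on the host executable’s first appearance in that directory rather than on every load.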
A critical part of the LummApp campaign involves the deployment of obfuscated browser extensions. These extensions are crafted to:
- Capture screenshots of browser activity.
- Extract credentials from cookies and stored passwords.
- Disable Content Security Policy (CSP) by stripping the response header, so that additional scripts can be injected into pages that would otherwise block them.
According to Team Axon, “The end goal of the malware is to deploy a browser extension, which is composed of heavily obfuscated JavaScript functions.”
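An extension that strips CSP leaves fingerprints in its manifest and rule files: it needs header-modification permissions, and its declarativeNetRequest (or webRequest) rules name the content-security-policy header. The triage script below is an added example, not code from the report or from Hunters; the manifest and rules it inspects are constructed for the example, and the permission list is an assumed watch-list rather than anything the campaign is documented to use.

```python
"""Triage an unpacked browser extension for CSP-stripping behaviour.

Checks two things a reviewer would look at first:
  1. manifest.json permissions that allow header rewriting, clipboard or
     cookie access, or screenshots of tabs;
  2. declarativeNetRequest rules whose modifyHeaders action removes or
     overwrites a Content-Security-Policy response header.
"""
import json

CSP_HEADERS = {"content-security-policy", "content-security-policy-report-only"}

# Assumed watch-list (not from the report): capabilities that map onto the
# behaviours described in the article. Host access on <all_urls> is what lets
# a header-rewrite rule apply everywhere.
WATCHED_PERMISSIONS = {
    "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
    "cookies", "clipboardRead", "clipboardWrite", "tabs", "<all_urls>",
}


def watched_permissions(manifest: dict) -> list:
    """Return sorted permissions from the manifest that are on the watch-list."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return sorted(perms & WATCHED_PERMISSIONS)


def csp_stripping_rules(rules: list) -> list:
    """Return ids of DNR rules that remove or overwrite a CSP response header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if name in CSP_HEADERS and hdr.get("operation") in ("remove", "set"):
                hits.append(rule.get("id"))
                break
    return hits


def triage(manifest_text: str, rules_text: str) -> dict:
    """Parse the two JSON files and combine the findings into one verdict."""
    manifest = json.loads(manifest_text)
    rules = json.loads(rules_text)
    perms = watched_permissions(manifest)
    csp_rules = csp_stripping_rules(rules)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "watched_permissions": perms,
        "csp_stripping_rule_ids": csp_rules,
        # Header rewriting on every site plus a CSP-removal rule is the pattern
        # the article describes; treat it as high severity.
        "strips_csp_everywhere": bool(csp_rules) and "<all_urls>" in perms,
    }


# Constructed sample files (not from a real extension).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Video Helper",
    "permissions": ["declarativeNetRequest", "tabs", "clipboardRead", "storage"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {"rule_resources": [
        {"id": "rules", "enabled": True, "path": "rules.json"}]},
})
SAMPLE_RULES = json.dumps([
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders", "responseHeaders": [
         {"header": "Content-Security-Policy", "operation": "remove"},
         {"header": "X-Frame-Options", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
    {"id": 2, "priority": 1,
     "action": {"type": "block"},
     "condition": {"urlFilter": "||ads.example/", "resourceTypes": ["script"]}},
])

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_RULES), indent=2))
```

Rule 2 is an ordinary blocking rule and is ignored; rule 1 is flagged because it removes Content-Security-Policy on every frame. A real review would also grep the extension’s scripts for chrome.webRequest.onHeadersReceived handlers that rewrite the same header, since MV2 extensions strip CSP that way rather than through a rules file.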
The campaign, first identified during an investigation at a European company, has global reach. Key targets include cryptocurrency wallets and email client data. Specific file types and directories scanned for sensitive data include:
- .kdbx (KeePass password database files)
- metamask (cryptocurrency wallet files)
- emClient and Pmail (email client data)
Exfiltrated data is sent to attacker-controlled domains like Gulbur[.]com and Hit-bone[.]com, enabling remote access to stolen credentials and other sensitive information.
LummApp exemplifies the evolving threat landscape where attackers exploit legitimate software to distribute malware. “By exploiting legitimate DLLs associated with trusted OBS-signed files, the malware bypasses traditional security measures,” Team Axon warns.