Lumma Stealer, previously known as LummaC2, is a lightweight subscription-based information stealer offered under the Malware-as-a-Service (MaaS) business model that has been active since at least 2022. It has been advertised on Russian-speaking dark web forums since its origins but has also been seen being promoted on a Telegram channel since May 2023. As advertised, Lumma is approximately 150-200 KB and can affect operating systems ranging from Windows 7 to Windows 11.
At the beginning of its operation, Lumma will seek to perform system profiling by gathering information such as operating system version, architecture and language, and hardware details, such as CPU and memory, in order to rule out unwanted targets.
Following target selection, it collects sensitive information, primarily looking for browser information (Chromium and Mozilla-based) such as browsing history, cookies, extensions, usernames/passwords, personal identification details, and credit card numbers. It will then seek to identify cryptocurrency wallets and information related to two-factor authentication (2FA) before finally exfiltrating the collected information to the Command and Control (C2) server.
AttackIQ has released a new assessment template that brings together the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Lumma Stealer during its latest activities to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
This assessment template compiles the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Lumma Stealer during its most recent activities.
It is based on reports published by Cyble in January 2023, SOCRadar in February 2023, DarkTrace in September 2023, CyFirma in June 2024, Ontinue in August 2024, and eSentire in September 2024.
Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.
System Binary Proxy Execution: Mshta (T1218.010): This scenario employs the Mshta Windows utility to download a remote Microsoft HTML Application (HTA) payload that includes VBScript code.
Process Injection (T1055): This scenario performs process injection by allocating memory in a running process with VirtualAlloc, writing shellcode to that memory space, and then changing the memory protection option with VirtualProtect.
Hijack Execution Flow: DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to side-load a malicious DLL.
Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell's -encodedCommand parameter.
Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key, which Windows uses to identify the applications that should be run at system startup.
Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.
Virtualization/Sandbox Evasion (T1497): This scenario calls the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
Consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act.
Query Registry (T1012): This scenario queries the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings registry key, which contains user-specific properties such as proxy configurations, security zones, and privacy settings.
Techniques that adversaries may use to communicate with systems under their control within a victim network.
Ingress Tool Transfer (T1105): Two separate scenarios, one that downloads a known malicious sample to memory and one that saves it to disk, test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption.
Exfiltration Over C2 Channel (T1041): This scenario exfiltrates sensitive Firefox information using HTTP POST requests. It exfiltrates the cert9.db and key4.db files from a Firefox session filled with staged credentials.
Given the number of techniques used by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
Malware commonly uses side-loading to load malicious code into legitimate running processes so that it blends in with legitimate applications, remains hidden, and appears normal on the compromised system.
Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. Searching for newly created processes, or monitoring DLL/PE file events, specifically the creation and loading of DLLs into running processes, can help identify when a system process has been compromised.
MITRE ATT&CK recommends the following mitigations:
Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. During these activities, the adversary used registry keys to achieve persistence.
Using a Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) platform to see modifications to the Run and RunOnce keys will alert when unauthorized users or software make modifications to the keys that allow programs to run after startup.
Process Name = reg.exe
Command Line CONTAINS ("ADD" AND "\CurrentVersion\Run")
MITRE ATT&CK does not have any direct mitigations, because this technique abuses legitimate Windows functionality. It recommends monitoring registry changes and process execution that may attempt to add these keys.
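The Run-key rule above, implemented over a handful of constructed process-creation events (an added example, not AttackIQ's scenario code or any vendor's query syntax; the event field names, the host names, and the sample command lines are assumptions). It applies the rule case-insensitively and extracts the targeted key so an analyst can see whether Run or RunOnce was modified:

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# follow a common SIEM normalisation of Sysmon Event ID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" '
                    r'/v Updater /t REG_SZ /d "C:\Users\Public\up.exe" /f'},
    {"host": "ws02", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"'},
    {"host": "ws03", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce '
                    r'/v x /d C:\Temp\a.exe'},
    {"host": "ws04", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c echo \CurrentVersion\Run ADD'},
]

# Any hive, any path, ending in \CurrentVersion\Run or \CurrentVersion\RunOnce.
# The trailing \b keeps longer key names from matching.
RUN_KEY_RE = re.compile(r'(HK[A-Z_]+\\[^\s"]*?\\CurrentVersion\\Run(?:Once)?)\b',
                        re.IGNORECASE)
# reg.exe accepts "add" in any case, so the verb check is case-insensitive too.
ADD_VERB_RE = re.compile(r"\badd\b", re.IGNORECASE)


def is_run_key_add(event):
    """True when the event matches the rule in the text: the process is reg.exe
    and the command line both issues ADD and targets a Run/RunOnce key."""
    image = event.get("Image", "")
    if image.lower().rsplit("\\", 1)[-1] != "reg.exe":
        return False
    cmd = event.get("CommandLine", "")
    return bool(ADD_VERB_RE.search(cmd) and RUN_KEY_RE.search(cmd))


def find_run_key_persistence(events):
    """Return one finding per matching event with the registry key that was set."""
    findings = []
    for ev in events:
        if is_run_key_add(ev):
            key = RUN_KEY_RE.search(ev["CommandLine"]).group(1)
            findings.append({"host": ev["host"], "key": key,
                             "command": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in find_run_key_persistence(SAMPLE_EVENTS):
        print(f"{f['host']}: Run-key persistence via reg.exe -> {f['key']}")
```

The cmd.exe line shows why the rule also constrains the process name: the strings alone appear in benign command lines.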
Adversaries may perform the exfiltration of sensitive data from the infected host. IDS/IPS and DLP solutions are well suited for detecting and preventing sensitive files from being sent to a suspicious external host.
In some cases, data may be exfiltrated without any throttling or additional encoding or encryption by the backdoor. If that is the case, data is sent via HTTP POST requests in plain text and should therefore be easier to detect using Data Loss Prevention controls.
Additionally, since these requests are not throttled, network traffic can be monitored for anomalous flow patterns that identify single systems, typically client assets, sending out significant amounts of data.
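Both detection angles from the two paragraphs above, a DLP-style check for the Firefox files named in the scenario and a per-client outbound POST volume check, run over a constructed egress-proxy log (an added example, not AttackIQ's or any DLP vendor's code; the log format, client and destination addresses, and the factor-of-the-median threshold are assumptions):

```python
from collections import defaultdict
from statistics import median

# Constructed egress-proxy log (not real traffic). Columns: client, method,
# request bytes, destination host, path, uploaded filename ("-" when none).
SAMPLE_LOG = """\
10.0.0.11 POST 812 api.example-saas.com /v1/events -
10.0.0.12 GET 0 update.example.com /check -
10.0.0.11 POST 1024 api.example-saas.com /v1/events report.csv
10.0.0.13 POST 4194304 198.51.100.7 /c2sock key4.db
10.0.0.13 POST 3145728 198.51.100.7 /c2sock cert9.db
10.0.0.14 POST 950 mail.example.com /send -
10.0.0.13 POST 2097152 198.51.100.7 /c2sock -
"""

# Firefox profile databases named in the scenario description.
FIREFOX_SECRET_FILES = {"cert9.db", "key4.db"}


def parse_log(text):
    rows = []
    for line in text.splitlines():
        src, method, sent, host, path, upload = line.split()
        rows.append({"src": src, "method": method, "bytes": int(sent),
                     "host": host, "path": path, "upload": upload})
    return rows


def flag_firefox_secret_uploads(rows):
    """DLP-style check: any POST whose upload is a Firefox credential-store file."""
    return [(r["src"], r["host"], r["upload"]) for r in rows
            if r["method"] == "POST" and r["upload"].lower() in FIREFOX_SECRET_FILES]


def post_bytes_per_client(rows):
    totals = defaultdict(int)
    for r in rows:
        if r["method"] == "POST":
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def flag_heavy_senders(rows, factor=10):
    """Volume check: clients whose POST bytes exceed `factor` times the median
    client's total. Needs several clients for the median to be a usable baseline."""
    totals = post_bytes_per_client(rows)
    if len(totals) < 3:
        return []
    baseline = median(totals.values())
    return sorted(src for src, sent in totals.items() if sent > factor * baseline)
```

On real traffic the baseline should be computed per time window and per client population (for example, workstations only) rather than over a single log sample.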
MITRE ATT&CK recommends the following mitigations:
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against this opportunistic threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.