Lumma is one example of Malware-as-a-Service (MaaS), which has become a concerning trend in the cybersecurity landscape. This model allows novice threat actors to execute complex cyber attacks with ease, leveraging inexpensive and user-friendly tools. Information stealers, a type of MaaS, specialize in extracting sensitive data like login credentials and bank details from compromised devices. This can lead to substantial financial losses for individuals and organizations.
Lumma Info Stealer: A Growing Threat
Lumma, first advertised on dark web forums in 2022, is a potent information stealer targeting cryptocurrency wallets, browser extensions, and two-factor authentication (2FA). It is subscription-based malware with over 1,000 subscribers as of May 2023, available for purchase on its official seller page for $250. With over a dozen command-and-control servers observed, Lumma’s presence is increasingly evident.
Darktrace’s anomaly-based threat detection has successfully identified and monitored multiple instances of Lumma stealer activity between January and April 2023, providing crucial visibility into its operations. Its primary goal is to pilfer sensitive information from compromised machines, including login credentials and other sensitive data, which can lead to substantial financial losses for individuals and organisations.
Lumma’s Capabilities
Lumma can extract system data, installed programs, and sensitive information from compromised devices, including:
- Cookies
- Usernames and passwords
- Credit card numbers
- Connection history
- Cryptocurrency wallet data
Recent Activity
Between January and April 2023, Darktrace observed Lumma malware activity across multiple customer deployments, primarily in the EMEA region and the US. This activity involved data exfiltration to external endpoints linked to the Lumma malware, likely resulting from trojanized software downloads or malicious emails containing Lumma payloads.
Lumma malware is typically distributed through cracked or fake popular software, such as VLC or ChatGPT, and via phishing emails impersonating well-known companies. For instance, a South Korean streamer was targeted with a spear-phishing email disguised as Bandai Namco in February 2023.
Targeted Systems and Data
Lumma targets include:
- Windows operating systems (Windows 7 to 11)
- Multiple browsers (Google Chrome, Microsoft Edge, Mozilla Firefox)
- Crypto wallets (Binance, Ethereum)
- Crypto wallet and 2FA browser extensions (Metamask, Authenticator)
- Applications (AnyDesk, KeePass)
Consequences of Infection
A Lumma infection can lead to significant financial losses due to stolen credentials and hijacked bank accounts, potentially resulting in unauthorized transactions and drained bank accounts. Compromised cryptocurrency wallets and lost digital assets can further exacerbate the financial damage. Additionally, identity theft and damaged credit scores can have long-lasting consequences for individuals, while organizations may face financial fraud, reputational damage, and potential regulatory repercussions. Overall, the severity of these consequences highlights the importance of robust cybersecurity measures to prevent Lumma infections and protect sensitive information.
Darktrace Detection
Darktrace has observed Lumma-infected devices exfiltrating data to C2 servers via HTTP POST requests. Indicators of compromise include:
- URI “/c2sock”
- User-agent “TeslaBrowser/5.5”
- Unusual IP addresses (e.g., 82.117.255[.]127)
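The indicators listed above can be turned into a simple hunting rule over HTTP proxy logs. The code below is an added example, not Darktrace’s detection logic; it runs over a constructed sample log (the log format, the internal host addresses and the two non-Lumma destination IPs are assumptions) and flags each internal host by how many of the page’s indicators its traffic matched.

```python
import re
from collections import defaultdict

# Indicators reported for Lumma C2 traffic; the IP is shown defanged on the page as 82.117.255[.]127.
LUMMA_URI = "/c2sock"
LUMMA_USER_AGENT = "TeslaBrowser/5.5"
LUMMA_C2_IPS = {"82.117.255.127"}

# Constructed sample proxy log (not real traffic). Assumed field order:
# timestamp src_ip method dst_ip uri "user_agent"
SAMPLE_LOG = """\
2023-03-01T10:02:11Z 10.0.0.12 POST 82.117.255.127 /c2sock "TeslaBrowser/5.5"
2023-03-01T10:02:13Z 10.0.0.12 GET 93.184.216.34 /index.html "Mozilla/5.0"
2023-03-01T10:05:40Z 10.0.0.44 POST 203.0.113.9 /c2sock "Mozilla/5.0"
2023-03-01T10:07:02Z 10.0.0.51 GET 198.51.100.7 /login "TeslaBrowser/5.5"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def match_indicators(line):
    """Return the Lumma indicators found in one log line, or None if nothing matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than abort the whole scan
    _ts, src_ip, _method, dst_ip, uri, user_agent = m.groups()
    hits = []
    if uri == LUMMA_URI:
        hits.append("uri_c2sock")
    if user_agent == LUMMA_USER_AGENT:
        hits.append("user_agent")
    if dst_ip in LUMMA_C2_IPS:
        hits.append("known_c2_ip")
    return {"src_ip": src_ip, "dst_ip": dst_ip, "indicators": hits} if hits else None


def find_lumma_activity(log_text):
    """Group matches by internal host; two or more distinct indicators rank as high severity."""
    per_host = defaultdict(lambda: {"indicators": set(), "c2_endpoints": set()})
    for line in log_text.splitlines():
        hit = match_indicators(line)
        if hit is None:
            continue
        per_host[hit["src_ip"]]["indicators"].update(hit["indicators"])
        per_host[hit["src_ip"]]["c2_endpoints"].add(hit["dst_ip"])
    report = {}
    for src_ip, info in per_host.items():
        severity = "high" if len(info["indicators"]) >= 2 else "medium"
        report[src_ip] = {"severity": severity,
                          "indicators": sorted(info["indicators"]),
                          "c2_endpoints": sorted(info["c2_endpoints"])}
    return report
```

A single-indicator hit (for example the user-agent alone on host 10.0.0.51) is worth reviewing but is weaker evidence than the full triple, which is why the rule scores by indicator count rather than alerting on any one string.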
Darktrace’s Self-Learning AI detects deviations from expected behavior, alerting security teams to potential threats.
Accessing the IP address associated with Lumma’s C2 server and modifying the URI to “/login” led to a Russian Lumma control panel access page. This discovery suggests a potential link to organized cybercrime groups.
Multiple Malware Strains
Darktrace observed connections related to various malware strains, including:
- Laplas Clipper
- Raccoon Stealer
- Vidar
- RedLine info-stealers
- Trojans
These malware strains are often marketed as Malware-as-a-Service (MaaS), making them accessible to inexperienced threat actors. The presence of multiple malware strains suggests potential collaboration between developers and traffer teams, organized cybercrime groups specializing in credential theft.
Conclusion
The rise of Lumma Stealer poses a significant threat to organizations and individuals. As a Malware-as-a-Service (MaaS), Lumma is accessible to threat actors of all expertise levels, likely increasing the number of incidents. To combat this, organizations need security measures that detect unusual behavior, rather than relying on static indicators of compromise.
Darktrace’s anomaly-based detection successfully identified Lumma infections across various customer environments, providing full visibility into:
- Unusual connections to C2 infrastructure
- Data exfiltration
This enabled affected customers to identify compromised devices, prevent further data loss, and reduce the risk of significant financial losses.