This article discusses how threat actors use Reflective Loading to deliver Lumma Stealer payloads. The technique executes malicious code directly in memory, so it evades defenses that rely on file-system monitoring. The analysis includes a PowerShell script example, outlines the decoding process, and lists related indicators of compromise.
Affected: Lumma Stealer, security systems, victims of malware attacks
Key points:
- Threat actors employ Reflective Loading to deliver Lumma Stealer payloads.
- Reflective Loading bypasses traditional file system defenses by executing code directly in memory.
- A PowerShell script associated with Lumma Stealer is presented as an example.
- The script uses string methods such as .replace() and FromBase64String to reshape and decode the obfuscated payload.
- The script abuses RegSvcs.exe, a legitimate .NET utility, to disguise execution of the malicious payload.
- Dynamic analysis shows the payload running under the guise of a legitimate utility.
- Lumma Stealer now uses ChaCha20 for command and control (C2) encryption.
- IOCs related to the Lumma Stealer are extracted and shared.
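As an added example (not the article's script and not Lumma's own code), the following Python routine statically emulates the `.replace()` chain that feeds `FromBase64String`, recovers the payload bytes, and checks whether the result is an executable image, which is what a stager hands to a reflective loader. The stager text in `SAMPLE_STAGER` is constructed for the demo.

```python
"""Static decoder for PowerShell stagers that hide a payload as a base64 literal
run through chained .replace() calls into [Convert]::FromBase64String().
Added example; the sample stager is constructed, not the article's script."""
import base64
import re
from typing import List

# A PowerShell string literal in single or double quotes (no nested quotes assumed).
_LIT = r"""["']([^"']*)["']"""
# FromBase64String(<literal>.replace(<a>,<b>)...): group 1 is the literal,
# group 2 the whole .replace() chain that follows it.
_EXPR = re.compile(
    r"FromBase64String\(\s*" + _LIT
    + r"((?:\s*\.replace\(\s*" + _LIT + r"\s*,\s*" + _LIT + r"\s*\))*)\s*\)",
    re.IGNORECASE,
)
_REPL = re.compile(r"\.replace\(\s*" + _LIT + r"\s*,\s*" + _LIT + r"\s*\)", re.IGNORECASE)

# Constructed sample in the style described: the first literal decodes to a
# command, the second to the start of a PE image (real stagers carry the whole file).
SAMPLE_STAGER = (
    "$cmd = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
    "'R2V0L!RhdG!#'.replace('!','U').replace('#','=')))\n"
    "$bin = [Convert]::FromBase64String('TVqQ$$M$'.replace('$','A'))\n"
)


def decode_stager(script: str) -> List[bytes]:
    """Recover, in order, the bytes produced by every FromBase64String(...) call."""
    payloads = []
    for m in _EXPR.finditer(script):
        literal, chain = m.group(1), m.group(2)
        # .NET String.Replace is case-sensitive and the calls apply left to right,
        # so the substitutions must be emulated in exactly that order.
        for old, new in _REPL.findall(chain):
            literal = literal.replace(old, new)
        payloads.append(base64.b64decode(literal, validate=True))
    return payloads


def is_pe_image(blob: bytes) -> bool:
    """True when the decoded bytes start with the DOS 'MZ' magic, i.e. the stager
    rebuilt an executable in memory rather than a text command."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    for blob in decode_stager(SAMPLE_STAGER):
        kind = "PE image (reflective-loading candidate)" if is_pe_image(blob) else "text"
        print(f"{kind}: {blob[:16]!r}")
```

A decoded blob that starts with `MZ` but never touches disk is exactly the artefact file-system monitoring misses, so pairing this decoder with PowerShell script-block logging gives a detection point the disk scan does not.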
MITRE Techniques:
- T1071.001 – Application Layer Protocol: The script uses a legitimate .NET utility (RegSvcs.exe) to hide execution of the payload.
- T1059.001 – PowerShell: The article describes the use of a PowerShell script to deliver and execute the Lumma Stealer payload.
- T1203 – Exploit Public-Facing Application: Reflective loading executes the payload without writing files to disk, which avoids file-based detection.
Indicators of Compromise:
- [C2 Domain] broadecatez[.]bond
- [C2 Domain] tranuqlekper[.]bond
- [C2 Domain] granystearr[.]bond
- [C2 Domain] quarrelepek[.]bond
- [SHA256] 90e35b4a519af394e32cd09d34c6d5f60b31726672aa41e37e2163c387f96a75