Additionally, the ClickFix technique has been leveraged to propagate a new version of the Lumma Stealer malware, which now utilizes the ChaCha20 encryption algorithm to obscure its configuration file containing command-and-control (C2) server addresses. This evolution highlights the ongoing efforts of cybercriminals to evade detection and forensic analysis by implementing stronger encryption and obfuscation techniques. The continued refinement of such malware delivery methods underscores the need for heightened vigilance and advanced threat detection strategies in cybersecurity defenses.

Impact

• File Manipulation
• Sensitive Data Theft
• Gain Access

Indicators of Compromise

Domain Name

• eveverify.com

• eiesoft.com

• lynxcm.com

• incomputersolutions.com

• findkik.com

IP

MD5

• 9230704646d742931a2e89ae0f187bad

• ee75b57b9300aab96530503bfae8a2f2

SHA-256

• 16a178b33877f9c3219bbe1685bfb879b7c8ab8965dbc734fd49ecb02e8c9d01

• 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268

SHA1

• e23d862807abefae036ddc43e07a0eba46b542c2

• 98dd757e1c1fa8b5605bda892aa0b82ebefa1f07

Remediation

• Lock all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Deploy endpoint detection and response (EDR) solutions to monitor and block suspicious activities.
• Use network-based intrusion detection systems (IDS) to detect anomalous traffic patterns related to RAT activity.
• Implement web filtering to block access to malicious and compromised websites.
• Regularly update browser security settings to prevent malicious script execution.
• Restrict the execution of PowerShell scripts using Group Policy or allowlisting mechanisms.
• Enable logging for PowerShell commands to detect unauthorized activity.
• Scan for malicious PNG files and other suspicious attachments using advanced malware detection tools.
• Use file integrity monitoring (FIM) to detect unauthorized file modifications.
• Regularly update operating systems, browsers, and security software to mitigate vulnerabilities.
• Disable unnecessary remote administration tools to reduce the attack surface.
• Investigate and isolate compromised systems immediately upon detection.
• Conduct regular threat-hunting exercises to identify hidden infections or persistence mechanisms.
• Monitor and block communication with known NetSupport RAT and Lumma Stealer command-and-control (C2) servers.
• Maintain secure, offline backups of critical data to ensure recovery in case of infection.
• Test backup restoration processes regularly to confirm their effectiveness.