From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets

This article is a continuation of the previous research published on the malware LummaStealer: "Your Data Is Under New Lummanagement: The Rise of LummaStealer".

LummaStealer (aka LummaC2, Lummac, and Lumma Stealer) is a sophisticated malware that is spread as Malware-as-a-Service (MaaS). It was originally observed in 2022 and known to be developed by Russian-speaking adversaries. It targets a wide range of Windows systems. The developers of LummaStealer have shown a lot of agility to ensure their malware remains undetected and that the potential host-based detection rules put in place for a given sample do not apply to the new ones.

The Cybereason GSOC team were able to identify, classify, and respond accordingly, thanks to the advanced detection capabilities of the Cybereason EDR solution against the evolving tactics of LummaStealer.

This research article aims to provide detailed insights to assist security analysts in identifying, classifying, containing, and eradicating incidents involving LummaStealer. By highlighting the threat actor's new tactics, techniques, and procedures (TTPs), this article serves as a comprehensive resource to enhance incident response capabilities and support organizational defenses against this rapidly evolving threat.

INTRODUCTION

Previously, in the article titled “Your Data Is Under New Lummanagement: The Rise of LummaStealer" our security team highlighted the nature of LummaStealer, its distribution methods, and how threat actors attempted to achieve their objectives.

The key points to take away from the previous article can be summarized as follows:

LummaStealer is known as info-stealer malware having the ability to collect a wide range of sensitive data including credentials, cookies, cryptocurrency wallets, and other personally identifiable information.

Previously, our security team observed 6 different initial payloads associated with LummaStealer, showcasing the threat actors' diverse tactics to deploy the malware. These payloads included:

• DLL side-loading using vulnerable/cracked software
• MSI file with AutoIT script
• Python based DLL (Python setup.exe and DLL)
• Vulnerable/cracked software with LummaStealer payload
• MSI file with Executable and RAR
• ZIP file with PDF file decoy

New Observed Payload

In this article, we introduce an additional initial payload observed in recent LummaStealer campaigns, which demonstrates enhanced evasion techniques:

MSHTA Process Abuse

The mshta.exe process, a legitimate Windows utility, is abused to execute remote hosted code masquerading as an .mp4 file along an additional parameter that mimics a CAPTCHA.

Source: Cybereason EDR solution Attack Tree, fake captcha

This technique exploits trusted system processes to bypass defense mechanisms, delivering the malicious payload stealthily and increasing the likelihood of execution.

DELIVERY METHOD

As the malware is being distributed by many actors, there is no particular evidence pointing to a single delivery method. However, the Cybereason team has identified a recurring pattern in which the majority of successful malware deliveries have been observed via phishing emails. These emails typically contain malicious links that lead users to a fake CAPTCHA. Once the user interacts with the page, it further leads an execution in the background to deploy the first stage payload silently.

Source: Cybereason EDR solution , Machine Timeline, Phishing Evidence

INITIAL ACCESS

The user is socially engineered into clicking a malicious link that leads to a fake CAPTCHA page. This page contains a tactic where the user has been requested to copy a malicious script and paste it into the Windows Run dialog box, a utility that allows users to quickly launch services and execute commands.

Source: Compromised store spread Lumma Stealer using a fake CAPTCHA. (2024, December 24). seanthegeek.net.

Source: Cybereason EDR solution Attack Tree, mshta

DEOBFUSCATING THE MALWARE

Source: Cybereason EDR solution, LummaStealer.v2 successful deployment using mshta full attack tree

Reverse Engineering of the Malware

Stage 1 - Payload distributed through (mshta.exe) downloading a file masquerading as an mp4 file

System Binary Proxy Execution: Mshta

The mshta.exe process, a legitimate Windows utility, is exploited to execute Microsoft HTML applications (HTA) files. The HTA are standalone applications that operate using the same models and technologies as Internet Explorer but execute outside the browser environment. This technique is often used as a LolBin (Living off the land Binary) to bypass application control solutions that fail to account for its potential misuse, as well as browser security settings since the execution occurs outside the browser’s security context. This behavior is classified as T1218.005 under the MITRE ATT&CK framework.

The link directs the system to a specific directory masquerading as an MP4 multimedia file.

This file contains a combination of HEX and obfuscated JavaScript code, which the executable mshta.exe has the capabilities to open and execute.

Source: Cybereason EDR solution Attack Tree, powershell

The execution involves deploying the second stage payload, which is initiated through the malicious link. The link masquerades as an MP4 multimedia file containing embedded instructions that execute a highly obfuscated PowerShell Script. This script facilitates the deployment of the second stage payload advancing the threat actor’s objectives.

Opening the file disguised as an MP4 extension reveals heavily obfuscated JavaScript code.

Further analysis of the script reveals that the variable “Fygo” contains the final version of the second stage of PowerShell payload, which was executed via the ‘eval’ JavaScript function.

eval () has the capabilities to parse and execute code stored in a previously defined string. The eval function is commonly exploited for malicious purposes because it doesn't distinguish between JavaScript expressions, variables, statements, or sequences of statements, allowing it to execute any code passed to it with the sender's privileges.

After extracting the strings from the file and conducting a thorough analysis, starting with the eval() function used to execute code within the file, the following segments could be identified:

Hex payload.

66S75h6er63C74i69K6fj6eA20N58Q5aE75W42l6cV6fH28r50p63U

Assigns the entire HTML content of the document (including the <html> element) to the variable XZuBlo.

Extracts a substring from the variable XZuBlo, starting at index 27 and ending at index 51708, and assigns it to the variable Fygo.

This string represents the hex-encoded payload extracted from the beginning of the file using document.documentElement.outerHTML, which starts with <html><head></head><body> Consequently, the substring command is applied starting from the 27th character.

Decodes a hex-encoded string by replacing every pair of hex digits with the corresponding character, then executes the resulting code.

Then, after cleaning the code from unnecessary fragments, the result was obtained.

This final, slightly modified form of the script decodes the hex-encoded string stored in Fygo by replacing each pair of hex digits with the corresponding character, then opens a new browser window, and writes the decoded content into that window. 

After saving the file with the .HTA extension and running it using mshta.exe, the following result was obtained:

The script defines a function XZuBlo that decodes a sequence of numbers by subtracting 411 from each value, converting it to a character, and appending it to a string. It then uses this function to decode two sequences of numbers, storing the results in Fygo and aJTj. The script proceeds by creating an ActiveXObject using the decoded value of aJTj and runs the decoded script Fygo through it.

For decoding purposes, XZuBlo.Run(Fygo, 0, true) was replaced with console.log("Final Payload", Fygo) and executed in the browser console. This resulted in the output of the final PowerShell payload.

Stage 2 - Execution of the obfuscated Powershell 

The observed command line is as follows: 

At first glance, we observed a long hexadecimal string along an additional parameter ([Security.Cryptography.Aes]::Create()).CreateDecryptor((LDTn('49434457727243754F7361764B4D4679')), [byte[]]::new(16)).TransformFinalBlock($CeoGk, 0, $CeoGk.Length)

This indicates that the hexadecimal value is not in plaintext but instead encrypted using AES encryption. 

The decryption key is hardcoded as 49434457727243754F7361764B4D4679 (), and a 16 byte block of empty slots ([byte[]]::new(16)) is created to serve as the Initialization Vector (IV), a crucial component for the AES encryption/decryption process. 

DECRYPTION WITH CYBERCHEF

The Cyberchef tool can be used to decode the first layer encryption. From the obtained key, hex string and a hint from the Initialization Vector (IV) being set to 16 byte block of empty slots which means any number consisting of 32 values, we will be able to revert the first layer on a plain text. 

Output

From the initial decoded plaintext string, our analysis revealed an obfuscated command containing a redirection to a specific URL (https://sakura[.]holistic[-]haven[.]shop/singl6).

By looking it up on VirusTotal, we were able to successfully retrieve the content hosted in that URL. 

Source: VirusTotal. (n.d.). VirusTotal. https://www.virustotal.com/gui/file/06f848f9c41bfb87ff6a8349180947d19edd0893f2791040bc3018355e862ea1/content

The initial observations appeared to consist of variables being computed through nested mathematical operations, indicating a layered obfuscation mechanism. This structure can be represented as a  “matryokshka” doll, a metaphorical representation of the multiple layers of obfuscation within the code waiting to be deobfuscated to uncover the next layer and ultimately determine the true nature of the malware. 

Stage 3 - Payload 

In the analyzed phase 3, the most important thing is the end of the file. Large array $dsahg78das with bytes and function fdsjnh.

The code of the function fdsjnh performs several operations to decode and process data:

1. It creates a new array list $arrMath and fills it with characters from the $dsahg78das array.
2. It then combines these characters into a single string $z.
3. The string $z is decoded from Base64, and then converted to a byte array.
4. The byte array is XOR-decoded using a key derived from $gdfsodsao.
5. Finally, the function returns the decoded string $xordData.

After defining the function, the second part of the code executes it dynamically. It calls the method $jMdONfJV from a type $yWxOpbM, passing the result of fdsjnh as a parameter. Then it invokes a method $YjMNzUFLdZVJ() on the decoded data.

To clearly see what this code actually does, the most important thing is to define the variables $gdfsodsao and $dsahg78das with proper values and execute the fdsjnh function.

Variable $gdfsodsao is highly obfuscated however with simple code we can deobfuscate them:

Command to fully deobfuscate variable:

Formatted version of $gdfsodsao  with proper  variables 

The $gdfsodsao variable serves as a key for XOR operations within the fdsjnh function. Although it is initialized with obfuscated AMSI  (Antimalware Scan Interface) bypass logic, this logic is never executed because the variable's value is treated as a string rather than being run as code.

With all necessary variables available and the function returning the value $xordData, the code can be modified to display that value.

Output:

Stage 4 - Memory Injection 

This script scans the process memory of the current PowerShell session to locate and replace specific patterns in memory. It defines custom data structures and imports Windows API functions using dynamic assembly creation. The code searches for a signature ("AmsiScanBuffer") in memory regions associated with clr.dll, modifies their memory protection to make them writable if necessary, and then overwrites the pattern with a null byte array. This effectively bypasses AMSI, allowing the execution of potentially malicious scripts without being flagged. Finally, it loads and executes a Base64-encoded .NET assembly embedded in the script.

To be precise, the base64 fragment contains code fragments related to various things, such as:the name of the executable; for example, singl6.exe (number depends on malware version).

Names of the functions that suggest interaction with user passwords:
get_Password

Names of the functions indicating potential further communication:

Encryption and enumeration 

The presence of methods related to passwords and encryption implies that the malware could be involved in stealing sensitive information, such as user credentials or encryption keys. The proxy-related functions suggest the malware may also establish communication channels, potentially allowing the attacker to remotely control the system, exfiltrate data, or carry out additional attacks. 

The primary insights from this analysis focus on the sophisticated techniques used by the threat actors to infiltrate and execute malicious code on the user's machine. First, the attackers exploit the legitimate Windows process mshta.exe to execute the code, taking advantage of the fact that this process can be overlooked by security measures. They then employ various obfuscation methods to conceal their payloads, making them difficult to detect and analyze. These obfuscation techniques include encoding the payloads in HEX, utilizing complex JavaScript structures, encryption, the use of convoluted names, redundancy in variables and functions, and more. Lastly, the malware takes the additional step of loading its malicious code directly into memory, bypassing traditional file-based security checks and allowing the attack to remain undetected by some security systems.

Darknet Activity Overview

In this section, we examine the darknet activities of the LummaStealer operators and explore their newly devised methods for monetizing stolen data. By establishing an internal marketplace on Telegram, they enable direct transactions for compromised information - complete with a rating system, advanced search capabilities, and flexible pricing. 

LummaStealer has been active on the market for two years, marking each anniversary with celebrations on the darknet. These events are used to showcase new features and build community engagement within cybercriminal circles.

LummaStealer celebrating two years of operation

In recent months, LummaStealer has been actively targeting various sectors through sophisticated campaigns:

• June 2024: The Chilean National Computer Security Incident Response Team (CSIRT) reported a significant increase in LummaStealer distribution. The malware was disseminated via phishing emails, deceptive websites, and "clickfix" techniques, where users were tricked into executing malicious commands, leading to the theft of personal and financial information.
• October 2024: The Cyber Express highlighted a campaign where LummaStealer, in conjunction with the Amadey Bot, specifically targeted the manufacturing industry. Attackers employed phishing emails and malicious downloads to infiltrate systems, aiming to exfiltrate sensitive data and compromise network security within the sector.

These incidents underscore LummaStealer's evolving tactics and its persistent threat across different industries.

Darknet Operation

Advertisement on one of the darknet forums

As a MaaS, LummaStealer offers three main subscription tiers - Experienced, Professional, and Corporate - each with a distinct set of features, customization options, and tools for managing malware campaigns:

Experienced

• Create up to 3 filters and 3 build tags
• Bulk download of logs and search by custom queries
• Sorting by various parameters (e.g., country, wallets)
• Cleanup empty logs and view stats for “dummy” entries
• Limited Telegram notifications (1 channel or bot)

• Includes all Experienced features plus:
• Unlimited filters, mass log deletion, and log-sharing options
• Advanced widgets for log quality and filtering
• Unlimited build tags and extended search/export of logs
• Monitor neighbors in logs and assess log quality
• Create and edit grabber profiles (add/remove browsers, set file paths, apply masks/variables, etc.)
• Hot editing of profiles during campaigns
• Non-resident loader, reverse proxy, and Google Account cookie recovery

Corporate

• Everything from Professional, plus:
• Dedicated build cleaning line (reduced detection rate)
• Add/remove extensions in the file grabber config
• HeavensGate implementation and LNK builder
• Early access to new features before they roll out to lower tiers
• Builds are randomly generated for each user, due to the integrated morphing module

Given the features mentioned, we can assume that the new variant described earlier in the article belongs to either the “Professional” or “Corporate” subscription tier, given its support for non-resident loaders.

We analyzed the monthly frequency of updates for LummaStealer based on forum posts detailing its changelogs. The table below illustrates the number of updates released each month since its launch, providing insights into development trends and shifts in focus over time.

LummaStealer changelog analysis

Launched in December 2022, LummaStealer initially focused on building momentum through a marketing campaign on forums (Dec 2022 – Jun 2023). This period saw active development and the addition of new features. However, after the log market was opened (Aug 2024), development efforts slowed down significantly as focus shifted toward monetization. The sharp drop in updates during September and October 2024 could reflect seasonal trends, possibly related to students returning to school or other external factors.

Monetization without intermediaries

The operators of LummaStealer run an internal marketplace on Telegram, accessible via an automated bot called @lu*********bot, where thousands of logs are bought and sold daily. They also include features like a rating system to encourage quality sellers, advanced search options for both passwords and cookies, and a wide price range. Coupled with 24/7 support, the marketplace aims to provide a seamless experience for anyone trading stolen data, reflecting a trend seen across various Telegram and darknet-based stealer communities.

[img]

Lumma Market logo

Telegram bot automation

The extent of the marketplace, launched on August 2, 2024, demonstrates why it has rapidly gained popularity within cybercriminal circles compared to alternatives like Vidar Stealer and others. Built directly into Telegram and powered by an automated bot, the platform simplifies log trading while maintaining the privacy and anonymity demanded in such illicit dealings.

[img]

LummaMarket UI on the malware control panel

One of the key aspects contributing to its success is the detailed presentation of each lot, which provides clear and concise information for potential buyers. Each listing includes key details such as the number of passwords and cookies, relevant applications (e.g., Azure, Discord), and the presence or absence of wallets and filters. 

This transparency allows buyers to quickly assess the value of a log before making a purchase.

Lot information on the Telegram market bot

The advanced search and filtering capabilities further enhance the marketplace’s user-friendliness. Buyers can narrow down their searches using specific criteria, such as the presence of passwords, cookies, or a combination of both. Filters by the number of cookies, geographic location, and price also enable efficient targeting of logs that meet the buyer’s specific needs. This level of precision not only speeds up the buying process but also highlights the marketplace's sophisticated functionality compared to competitors.

Search and filter capabilities of the bot

Another key feature is the seller rating system, which incentivizes high-quality offerings and fosters a sense of trust within the darknet community. Each seller is assigned a storefront number, and their ratings are prominently displayed. Buyers can view the likes and reputation of a seller directly through the interface, enabling informed decisions and mitigating the risks associated with poor-quality data. This system closely mirrors legitimate e-commerce platforms, which likely contributes to its popularity among users.

Rating system via “Likes” counter

Pricing flexibility is another factor that sets the LummaC2 marketplace apart. Sellers are free to set their own prices, with logs ranging from as little as $0.10 to $1,000, depending on their perceived value. This wide range accommodates both low-budget buyers and sophisticated cybercriminals seeking premium data.

Data Buyer Profile

The marketplace also boasts a seamless financial ecosystem, supporting deposits via Bitcoin and Ethereum with a minimum amount of $50. These cryptocurrencies ensure anonymity while providing a simple way for users to manage their balances. Sellers, on the other hand, receive 70% of each sale, with the remaining 30% retained as a platform fee.

Cryptocurrency withdrawal UI

Public documentation

In addition to these features, the LummaStealer ecosystem is supported by openly available documentation hosted on GitBook. This documentation includes detailed guides on configuring and using LummaStealer effectively, with clear instructions tailored for both experienced users and beginners. Additionally, an alternative platform on Telegram provides further insights, emphasizing the accessibility of this malware-as-a-service platform even to less skilled operators. 

Official documentation of the LummaStealer MaaS

For instance, the GitBook documentation outlines practical examples of setting up campaigns, managing logs, and optimizing configurations, thus lowering the barrier to entry for aspiring cybercriminals. This documentation provides step-by-step guides for users and sellers alike, detailing the marketplace's usage, rules, and processes. The transparency and accessibility of this documentation further enhances the marketplace's usability, allowing even less experienced users (so-called “script-kiddies”) to navigate its features with ease.

The combination of detailed lot descriptions, advanced search options, a transparent rating system, flexible pricing and detailed documentation creates an efficient and user-friendly environment for trading logs containing stolen user data. These features, coupled with the accessibility of Telegram as a platform, likely explain the growing popularity of LummaC2 over other competitors in the stealer ecosystem. Its focus on simplicity, usability, and community-driven trust mechanisms demonstrates a trend toward the professionalization of illicit marketplaces, further blurring the lines between legitimate and criminal operations.

IOCs

Cybereason shared a list of indicators of compromise related to this research :

Cybereason Recommendations:

 It is crucial to implement strategic measures to mitigate risks when facing threats such as the LummaStealer. The following strategical steps would be beneficial in order to contain and eradicate the incident as soon as possible: 

• ISOLATE THE INFECTED MACHINE: Immediately disconnect the compromised device from the network to prevent any propagation/lateral movement and further cause to data exfiltration. 
• LOCK ACTIVE USER SESSIONS: Close all active sessions on the affected user to limit the attacker’s access. 
• BLOCK ALL USER ACCOUNTS ON THE MACHINE: Since credential dumping scripts like mimikatz have been observed, it is crucial to disable all user accounts present on the compromised endpoint to restrict unauthorized access. 
• REIMAGE THE INFECTED MACHINE: Restore the system by re-imaging the device to remove fully all malicious artifacts. 
• RESET USER CREDENTIALS: Ensure all credentials related to the compromised machine including accounts, browser stored passwords, crypto wallets or any sensitive related information stored on the device are reset. Additionally apply 2FA to where possible. 
• BLOCK IOCs: Ensure to block domains/IP addresses observed during the incident from your organizational firewall/proxy/ email gateway. 
• EDUCATE USERS: As usual the initial access can’t be done without human interaction. Educate users to identify and avoid suspicious CAPTCHA prompts on untrusted sites and to detect the phishing emails.

ABOUT THE RESEARCHERs

Evgeny Ananin, Threat Intelligence Analyst, Cybereason

Evgeny is a Threat Intelligence Analyst on the Cybereason Threat Intelligence Team, leveraging Red Teaming expertise and OSINT to investigate adversarial infrastructure and Darknet activities. He previously contributed to advanced malware research and penetration testing.

Jun Kitajima, GSOC Analyst, Cybereason

Jun is a cybersecurity analyst in the EMEA GSOC department at Cybereason, specializing in threat detection and response , with hands-on expertise in malware analysis and incident handling. 

Patryk Kowalik, GSOC Analyst, Cybereason

Patryk is a GSOC Analyst with the Cybereason Global SOC team. He is involved in MalOp Investigation and Threat Hunting. He is deeply interested in threat intelligence, malware reverse engineering, and penetration testing. He holds a Master’s degree in Cybersecurity from the Wrocław University of Science and Technology.

Elena Odier, Threat Hunter, Cybereason

Elena Odier is a Security Analyst with the Cybereason Global SOC team. She is involved in MalOp Investigation, escalations and Threat Hunting. Previously, Elena worked in incident response at ANSSI (French National Agency for the Security of Information Systems). 

Mikolaj Pulit, GSOC Analyst, Cybereason

Mikolaj is a GSOC Analyst in the EMEA Global SOC team. He primarily works in MalOp investigations, static/dynamic malware analysis, and handling escalations. Additionally, he has an interest in Capture The Flag (CTF) activities.

Mark Tsipershtein, Security Researcher, Cybereason

Mark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.