Full Report
The vacuum left by RedLine's takedown will likely lead to a bump in the activity of other infostealers
Analysis Summary
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an information-stealing malware that has seen a significant surge in detections. It is primarily used by cybercriminals to harvest sensitive data from infected systems. ESET reported a 369% increase in detections during the second half of 2024.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Inferred, typical for this class of malware)
- Capabilities: Steals user credentials, cryptocurrency wallet data, and targets 2FA browser extensions.
- First Seen: 2022
## MITRE ATT&CK Mapping
*(Note: Based on general infostealer behavior, specific TTPs would require deeper analysis of the malware's execution chain.)*
- TA0001 - Initial Access
- TA0006 - Credential Access
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials from Web Browsers
- TA0011 - Command and Control
## Functionality
### Core Capabilities
- Harvesting of user credentials stored in web browsers.
- Theft of data associated with cryptocurrency wallets.
- Targeting of two-factor authentication (2FA) browser extensions, likely to bypass MFA protections.
### Advanced Features
- The rapid growth in detections suggests effective distribution mechanisms and strong appeal to the cybercriminal underground.
- It has successfully displaced previously dominant infostealers like Agent Tesla to become one of the top threats detected by ESET products in H2 2024.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not provided in the context]
- Network Indicators: [Not provided in the context; expected to include C2 communication channels]
- Behavioral Indicators: A process other than the owning browser or wallet application reading browser credential databases, cryptocurrency wallet files, and the local storage of 2FA browser extensions.
## Associated Threat Actors
- Cybercriminals seeking broad data theft capabilities (Specific groups were not named in the provided snippet, only "cybercriminals").
## Detection Methods
- Signature-based detection: Detection via updated antivirus/endpoint protection signatures.
- Behavioral detection: Monitoring for access patterns related to credential stores, wallet configurations, and 2FA extension files.
- YARA rules: [Not provided in the context]
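The behavioral detection above can be expressed as a rule over file-access telemetry: a read of a browser credential database, a wallet file or a 2FA extension's storage is expected from the application that owns it and suspicious from anything else, and one process touching several of these categories is a much stronger signal than a single hit. The following is an added example written for this report, not code from ESET or from the malware analysis; the event field names follow the Sysmon convention but file reads would come from EDR telemetry, and the sample events, process names and extension IDs are constructed for the example.

```python
"""Behavioral detection for infostealer access to credential stores.

Added example for this report (not ESET's code): flags reads of browser
credential databases, cryptocurrency wallet files and 2FA / wallet
extension storage by a process other than the application that owns them.
Field names (Image, TargetFilename, ProcessId) follow the Sysmon
convention; file-read events are assumed to come from an EDR feed.
Sample events and extension IDs are constructed for this example.
"""
import re
from collections import defaultdict

# Placeholder extension IDs (assumption): replace with the 2FA and wallet
# extensions deployed in your fleet. Real IDs are 32 lowercase letters a-p.
WATCHED_EXTENSION_IDS = ["aaaabbbbccccddddeeeeffffgggghhhh"]


def build_rules(extension_ids):
    """Each rule: (category, compiled path pattern, process images allowed to read it)."""
    ids = "|".join(re.escape(i) for i in extension_ids) or "(?!)"  # empty list never matches
    return [
        ("browser_credentials",
         re.compile(r"\\Google\\Chrome\\User Data\\(Local State|[^\\]+\\Login Data)$", re.I),
         {"chrome.exe"}),
        ("browser_credentials",
         re.compile(r"\\Microsoft\\Edge\\User Data\\(Local State|[^\\]+\\Login Data)$", re.I),
         {"msedge.exe"}),
        ("browser_credentials",
         re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
         {"firefox.exe"}),
        ("crypto_wallet",
         re.compile(r"\\Exodus\\exodus\.wallet\\", re.I),  # one desktop wallet as an example
         {"exodus.exe"}),
        ("extension_storage",
         re.compile(r"\\User Data\\[^\\]+\\Local Extension Settings\\(" + ids + r")\\", re.I),
         {"chrome.exe", "msedge.exe"}),
    ]


def image_name(path):
    """Basename of a process image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def match_event(event, rules):
    """Return the data category if an unexpected process read a sensitive file, else None."""
    proc = image_name(event["Image"])
    for category, pattern, owners in rules:
        if pattern.search(event["TargetFilename"]):
            # The owning application reading its own data is normal; anything else is not.
            return None if proc in owners else category
    return None


def detect(events, rules):
    """Group hits per process; two or more categories from one process is high severity."""
    hits = defaultdict(lambda: {"categories": set(), "files": []})
    for ev in events:
        category = match_event(ev, rules)
        if category is None:
            continue
        key = (ev["ProcessId"], ev["Image"])
        hits[key]["categories"].add(category)
        hits[key]["files"].append(ev["TargetFilename"])
    alerts = []
    for (pid, image), h in hits.items():
        alerts.append({
            "pid": pid,
            "image": image,
            "severity": "high" if len(h["categories"]) >= 2 else "medium",
            "categories": sorted(h["categories"]),
            "files": h["files"],
        })
    return sorted(alerts, key=lambda a: a["pid"])


# Constructed sample telemetry: a benign browser read, a backup tool touching one
# credential file, and a dropped binary sweeping every category in one pass.
_PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"ProcessId": 2210, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": _PROFILE + r"\Default\Login Data"},
    {"ProcessId": 980, "Image": r"C:\Program Files\BackupTool\backup.exe",
     "TargetFilename": _PROFILE + r"\Default\Login Data"},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
     "TargetFilename": _PROFILE + r"\Local State"},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
     "TargetFilename": _PROFILE + r"\Default\Login Data"},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\setup_update.exe",
     "TargetFilename": _PROFILE + r"\Default\Local Extension Settings\aaaabbbbccccddddeeeeffffgggghhhh\000003.log"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, build_rules(WATCHED_EXTENSION_IDS)):
        print(alert["severity"], alert["pid"], alert["image"], alert["categories"])
```

The owner allow-list is deliberately short: tune it to the browsers and wallets actually deployed, and treat the single-category hit (the backup tool in the sample) as a candidate for a per-process exclusion rather than suppressing the rule, since a stealer sweeping a profile directory will cross categories within seconds.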
## Mitigation Strategies
- Employ comprehensive endpoint detection and response (EDR) solutions capable of detecting malicious file access patterns.
- Ensure timely patching of operating systems and applications to prevent initial access vectors used to deploy the stealer.
- Implement robust application allow-listing so that unapproved executables (such as the loader that drops the stealer) cannot run, and restrict which processes are permitted to read browser profile, wallet, and extension storage directories.
- Educate users on the risks associated with weak credentials and the importance of hardware-based or robust 2FA methods that are less susceptible to browser extension theft.
## Related Tools/Techniques
- Agent Tesla (Previously dominant infostealer)
- Formbook (Mentioned as another infostealer)