Full Report
In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Senior Microsoft Security Researcher Kajhon Soyini to explore the Luma Stealer cryptocurrency mining campaign targeting individual computers as part of a large-scale malvertising campaign. They discuss the sophisticated attack chain, which includes DLLs, clipboard malware, process injection via Explorer.exe, and how this impacted nearly one million devices around the globe. Kajhon explains how attackers use registry modifications, WMI event consumers, and obfuscation techniques like non-standard ports and reverse shells to maintain persistence and evade detection. The duo also covers Microsoft's defense efforts and the challenges of tracking down the origins of these attacks.
Analysis Summary
# Tool/Technique: Luma Stealer
## Overview
Luma Stealer is a malware family identified as part of a large-scale malvertising campaign that primarily targets individual computers, often leading to cryptocurrency mining activity. The associated attack chain is sophisticated, involving multiple stages and advanced evasion techniques.
## Technical Details
- Type: Malware family
- Platform: Likely Windows (inferred from techniques like process injection into Explorer.exe, registry modifications, and WMI)
- Capabilities: Stealing information, establishing persistence, facilitating command and control (C2), and cryptocurrency mining.
- First Seen: Not explicitly mentioned in the context.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the described techniques.*
- TA0001 - Initial Access
  - T1583 - Acquire Infrastructure (Malvertising likely involved)
- TA0003 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder (Implied by registry modification mention)
  - T1546.012 - Event Triggered Execution: WMI Event Subscription (WMI Event Consumers)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Implied by use of non-standard ports and obfuscation)
  - T1055 - Process Injection (Process injection via Explorer.exe)
- TA0011 - Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (Implied by redirector networks/GitHub use)
## Functionality
### Core Capabilities
- **Payload Delivery:** Utilizes sophisticated chains involving DLLs and redirector networks, potentially leveraging GitHub repositories for hosting payloads.
- **Persistence Mechanisms:** Achieved via registry modifications (the episode refers to the "image file execution objects" registry path, i.e. Image File Execution Options) and the use of WMI event consumers.
- **Infection Lifecycle:** Includes clipboard manipulation malware targeting cryptocurrency, executing code via process injection into `Explorer.exe`.
### Advanced Features
- **Evasion:** Employs obfuscation techniques, specifically using non-standard ports for communication.
- **C2 Infrastructure:** Leverages redirector networks and potentially external platforms like GitHub for command and control or retrieving further stages.
- **Legacy Integration:** The attack chain incorporates legacy malware elements, specifically mentioning the use of **NetSupport RAT**.
- **Co-infection/Overlap:** Exhibits overlap with the **Donarium** malware family.
- **Cryptocurrency Mining:** A primary objective of the compromise.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys:
  - "image file execution objects" registry path, i.e. Image File Execution Options (specific key not detailed, but usage is confirmed)
- Network Indicators:
  - C2 communication utilizing **non-standard ports**.
  - Use of **GitHub repositories** for payload hosting.
  - **Netcat** used for C2 communication and reverse shells (implied).
- Behavioral Indicators:
  - DLL execution leveraged in the attack chain.
  - Clipboard malware activity (targeting crypto wallets).
  - Process injection into `Explorer.exe`.
  - Establishing persistence via WMI event consumers.
## Associated Threat Actors
- Threat actors behind the large-scale malvertising campaign utilizing Luma Stealer. (No named group is given in the summary text, although Microsoft researchers are tracking them.)
## Detection Methods
- Signature-based detection: Potential detection for known Luma Stealer binaries or signatures associated with NetSupport RAT components.
- Behavioral detection:
  - Monitoring for unusual process injection attempts into `Explorer.exe`.
  - Detecting the creation or modification of WMI event subscriptions for persistence.
  - Detecting suspicious network traffic on non-standard ports linked to suspected C2 activity.
- YARA rules: [Not provided]
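The WMI event subscription check above is the one a responder can run directly on a host. The script below is an added example written for this summary; it is not code from the podcast, from Microsoft, or from any Luma Stealer sample. It enumerates permanent WMI subscriptions (filter, consumer, and the binding that joins them) in the standard `root/subscription` namespace and flags consumer types that execute commands or script. The function name `Get-WmiPersistenceReport` and the helper `Resolve-WmiRef` are this example's own; they assume an elevated PowerShell session on the host under review.

```powershell
# Added example (not from the podcast or Microsoft): report permanent WMI event
# subscriptions, the persistence mechanism listed in this summary. Read-only.

function Resolve-WmiRef($ref) {
    # Binding properties are CIM references. Get-CimInstance exposes them as
    # CimInstance objects; older WMI cmdlets return a path string such as
    # CommandLineEventConsumer.Name="x". Return "Class|Name" for either form.
    if ($ref -is [string]) {
        $m = [regex]::Match($ref, '(?:.*:)?(\w+)\.Name="([^"]*)"')
        return "$($m.Groups[1].Value)|$($m.Groups[2].Value)"
    }
    return "$($ref.CimClass.CimClassName)|$($ref.Name)"
}

function Get-WmiPersistenceReport {
    $ns = 'root/subscription'
    # Consumer classes that run a command or script: the usual persistence vehicles.
    $codeRunning = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    # Index filters and consumers by "Class|Name" so each binding can be resolved
    # to the full object (the reference inside the binding carries only the key).
    $filters = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction Stop |
        ForEach-Object { $filters["__EventFilter|$($_.Name)"] = $_ }

    $consumers = @{}
    # Querying the abstract base class returns every derived consumer instance.
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction Stop |
        ForEach-Object { $consumers["$($_.CimClass.CimClassName)|$($_.Name)"] = $_ }

    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction Stop
    foreach ($b in $bindings) {
        $filter   = $filters[(Resolve-WmiRef $b.Filter)]
        $cKey     = Resolve-WmiRef $b.Consumer
        $consumer = $consumers[$cKey]
        $type     = ($cKey -split '\|')[0]

        # Pull out whatever the consumer would execute so an analyst can triage it.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName }
            }
            default { $null }
        }

        [pscustomobject]@{
            FilterName   = $filter.Name
            # The WQL query shows what event triggers the consumer (e.g. a timer or logon).
            Query        = $filter.Query
            ConsumerName = $consumer.Name
            ConsumerType = $type
            Payload      = $payload
            # Anything that runs a command or script deserves a closer look.
            Suspicious   = $codeRunning -contains $type
        }
    }
}

Get-WmiPersistenceReport | Sort-Object Suspicious -Descending | Format-List
```

Run it during triage and compare the output against a known-good host; Windows ships one benign binding (the `SCM Event Log Consumer` bound to `BVTFilter`), so treat that as expected and concentrate on `CommandLineEventConsumer` and `ActiveScriptEventConsumer` entries whose payload launches an interpreter or a binary from a user-writable path. The same three classes are what a scheduled collection job or EDR query should baseline.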
## Mitigation Strategies
- **Prevent:** Harden systems against malvertising vectors. Employ strict application control policies to limit the execution of unsigned or unverified DLLs.
- **Harden:** Regularly audit registry keys related to auto-execution, particularly "image file execution objects" (Image File Execution Options). Implement security solutions capable of detecting process injection techniques.
- **Network:** Monitor egress traffic for large data transfers or communication on non-standard ports that might indicate C2 callbacks or reverse shells.
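The registry audit recommended under **Harden** can be scripted. The block below is an added example for this summary, not code from the podcast or from Microsoft; it assumes the episode's "image file execution objects" refers to the standard Image File Execution Options (IFEO) key, and the function names `Get-IfeoAudit` and `New-IfeoFinding` are this example's own. It reports every `Debugger` value under IFEO (both the native and `WOW6432Node` hives) and every `MonitorProcess` value under the related `SilentProcessExit` key, and for each checks whether the referenced executable exists and whether it is Authenticode-signed. It changes nothing.

```powershell
# Added example (not from the podcast or Microsoft): audit IFEO auto-execution
# settings. Assumes "image file execution objects" in the episode means the
# Image File Execution Options key. Read-only; run elevated for full coverage.

function New-IfeoFinding($Target, $Setting, $Value, $Key) {
    # The value is a command line; take the first quoted token or the first word
    # as the executable path so its existence and signature can be checked.
    $exe = if ($Value -match '^"([^"]+)"') { $Matches[1] } else { ($Value -split ' ')[0] }
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'N/A' }
    [pscustomobject]@{
        TargetImage = $Target      # the program whose launch is being intercepted
        Setting     = $Setting
        Value       = $Value
        Exists      = $exists
        Signature   = $sig         # 'Valid' is expected for legitimate tooling
        RegistryKey = $Key -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
    }
}

function Get-IfeoAudit {
    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    $silentExit = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            # A Debugger value makes Windows start that program instead of the target.
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                New-IfeoFinding -Target $key.PSChildName -Setting 'Debugger' -Value $dbg -Key $key.PSPath
            }
        }
    }

    if (Test-Path $silentExit) {
        foreach ($key in Get-ChildItem $silentExit) {
            # MonitorProcess runs a program whenever the target process exits.
            $mon = (Get-ItemProperty -Path $key.PSPath -Name MonitorProcess -ErrorAction SilentlyContinue).MonitorProcess
            if ($mon) {
                New-IfeoFinding -Target $key.PSChildName -Setting 'SilentProcessExit\MonitorProcess' -Value $mon -Key $key.PSPath
            }
        }
    }
}

Get-IfeoAudit | Format-Table -AutoSize
```

Expect a small number of legitimate entries on managed hosts (for example, Sysinternals Process Explorer's "Replace Task Manager" option sets a `Debugger` value for `taskmgr.exe`); anything pointing at a missing file, an unsigned binary, or a path under a user profile or temp directory is what to escalate. Scheduling this alongside the WMI subscription check gives a repeatable baseline for the two persistence locations the episode calls out.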
## Related Tools/Techniques
- NetSupport RAT (Integrated into the attack chain)
- Donarium (Shared overlap with Luma Stealer)
- Netcat (Used for C2/Reverse Shell functionality)