C2, distribution & ASN clustering
# Threat Actor: Lumma Stealer Operators
## Attribution & Identity
The operators deploying the Lumma information stealer are referred to here simply as the **Lumma** operators; the summary concerns the infrastructure they use, not who they are. The source offers no nation-state or cybercriminal-syndicate attribution, only an identification of the malware operator derived from infrastructure analysis.
## Activity Summary
The article documents an ongoing hunt for, and mapping of, the Command and Control (C2) and distribution infrastructure behind the Lumma information stealer. Despite law enforcement action against Lumma, the operators continue to stand up new distribution points and C2 domains, showing considerable resilience. The analysis pivots outward from a single C2 domain (`nonsazv[.]qpon`) to map the related infrastructure clusters.
## Tactics, Techniques & Procedures
- **Infrastructure Reuse/Clustering:** Operators concentrate their resources on a small set of hosting providers, so the infrastructure can still be clustered even as individual domains rotate.
- **Domain Generation:** Operators register many domains following similar naming conventions (e.g., batches of lookalike names under the `.qpon` TLD).
- **Delivery Mechanism:** The infection chain starts with a malicious `.zip` archive containing the Lumma payload; once executed, the stealer beacons to the C2 servers.
- **Pivoting Techniques:** The analysis used URLScan searches keyed on the naming convention (`*.qpon`) and on ASN registration to surface related domains. TLS certificate fingerprint hashes (queried via Validin) were the critical pivot for uncovering further hosts and domains tied to Lumma C2 communications.
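The pivoting described above, as an added worked example (this is not the report's own tooling): domains are linked when they share an IP, share a TLS certificate fingerprint (SHA-256 over the DER), or sit in the same ASN *and* follow the `.qpon` naming convention, then clustered with union-find. The observation records are constructed for illustration: the domains, the `46.28.71.142`, `217.156.66.212` and `172.86.89.51` hosts and the ASN numbers come from the report, but which domain sat on which host, the two `example.*` control domains, the `198.51.100.x` addresses and the certificate bytes (placeholders, not real DER) are assumptions.

```python
"""Infrastructure pivoting by shared hosting, TLS certificate and naming pattern.

Added example, not code from the original report. The observation records
below are constructed for illustration: domains, IPs and ASN numbers are
taken from the report, but which domain sat on which host, the example.*
control domains, and the certificate bytes (placeholders, not real DER)
are assumptions.
"""
import hashlib
import re
from collections import defaultdict

# Constructed observations: (domain, resolved IP, hosting ASN, leaf cert DER).
# ASN None = no routing data for that host in the sample.
OBSERVATIONS = [
    ("nonsazv.qpon", "46.28.71.142", 8254, b"placeholder-der-cert-A"),
    ("pictuqyr.qpon", "46.28.71.142", 8254, b"placeholder-der-cert-A"),
    ("bac-bank.qpon", "198.51.100.7", 8254, b"placeholder-der-cert-D"),
    ("pattemqr.qpon", "217.156.66.212", 48753, b"placeholder-der-cert-B"),
    ("apothfya.qpon", "172.86.89.51", None, b"placeholder-der-cert-B"),
    ("example.net", "198.51.100.9", 8254, b"placeholder-der-cert-F"),
    ("example.com", "203.0.113.10", 64496, b"placeholder-der-cert-E"),
]

NAME_PATTERN = re.compile(r"\.qpon$")  # the naming convention the report pivots on


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; this is the hash cert-search services key on."""
    return hashlib.sha256(der).hexdigest()


def pivot_keys(domain, ip, asn, der):
    """Attributes that justify linking two domains into one cluster.

    A shared IP or a shared certificate is a strong link on its own. A shared
    ASN only counts when the domain also follows the actor's naming
    convention, because a large host serves plenty of unrelated tenants.
    """
    keys = {f"ip:{ip}", f"cert:{cert_fingerprint(der)}"}
    if asn is not None and NAME_PATTERN.search(domain):
        keys.add(f"asn+tld:{asn}:qpon")
    return keys


class DisjointSet:
    """Union-find over domains and pivot keys."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(observations):
    """Group domains that are transitively connected through any pivot key."""
    ds = DisjointSet()
    for domain, ip, asn, der in observations:
        for key in pivot_keys(domain, ip, asn, der):
            ds.union(domain, key)
    groups = defaultdict(set)
    for domain, *_ in observations:
        groups[ds.find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def cluster_of(observations, seed):
    """Everything reachable from one starting domain, as the report did from nonsazv[.]qpon."""
    return next((g for g in cluster(observations) if seed in g), [])


def defang(domain):
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    for group in cluster(OBSERVATIONS):
        print(", ".join(defang(d) for d in group))
```

Note what the ASN rule buys: `example.net` sits in the same ASN as the seed but never joins the cluster, because it does not follow the naming convention, while `apothfya.qpon` joins `pattemqr.qpon` purely through the shared certificate even though the sample has no routing data for its host.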
## Targeting
- **Sectors:** Not explicitly detailed; Lumma is a commodity information stealer that goes after credentials, cryptocurrency wallets and sensitive files regardless of sector.
- **Geography:** Victim geography is not specified; the infrastructure itself is spread across international providers (US-based and European ASNs).
- **Victims:** No specific victim organizations are named. As a commodity stealer, Lumma targets any user or organization whose endpoints can be infected, with credential theft as the objective.
## Tools & Infrastructure
- **Malware Families Used:** Lumma (Information Stealer)
- **Infrastructure (C2, domains, IPs):**
- Initial pivot domain: `nonsazv[.]qpon`
- Related `.qpon` domains uncovered by pivoting: `pictuqyr[.]qpon`, `pattemqr[.]qpon`, `apothfya[.]qpon`, `fruiunp[.]qpon`, `brunsmmv[.]qpon`, `bac-bank[.]qpon`
- Associated TLDs: `.top`, `.xyz`, `.qpon`, `.ru`
- **ASN Clusters Identified:**
- ASN 210644 (Aeza) - Known bulletproof hosting provider.
- ASN 8254 (ROUTE95 GREEN FLOID LLC) - Hosting many Lumma-flagged domains.
- ASN 48753 (Ava Host Srl)
- Routerhosting
- Proton66
- **IP Addresses:**
- `46.28.71.142` (Route95, AS8254)
- `217.156.66.212` (Ava Host Srl, AS48753)
- `172.86.89.51` (host uncovered via certificate fingerprint pivoting)
## Implications
Lumma operators demonstrate operational persistence and disciplined infrastructure management: domains rotate constantly, but continuity comes from recycling the same accommodating hosting providers (bulletproof or abuse-tolerant ASNs such as Aeza, Route95, Proton66 and Routerhosting). That concentration is the defender's opportunity. Domain names alone are a weak indicator, but ASN and TLS certificate fingerprint monitoring catch new domains as soon as they appear on familiar hosts, despite the domain rotation.
## Mitigations
- Cluster malicious infrastructure by shared hosting provider (ASNs such as Aeza, Route95, Proton66, Routerhosting) rather than chasing individual domain names.
- Monitor TLS certificate fingerprints tied to known Lumma C2 hosts; a new domain presenting a known certificate is an immediate indicator.
- Block, or at least closely scrutinise, traffic to and from the identified bulletproof hosting providers at the network edge. Where blocking an entire ASN outright is too disruptive, treat an ASN-only match as a lower-confidence signal to be combined with other indicators.
- Ensure endpoint protection catches the initial vector: the malicious `.zip` archive and the Lumma payload it delivers.
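The detection approach in these mitigations, as an added example rather than anything the report ships: TLS connection records are scored against a watchlist in which a known C2 certificate fingerprint alerts on its own, a watched ASN plus a watched TLD alerts together, and an ASN match by itself stays below the threshold. The ASN numbers and the `46.28.71.142` / `217.156.66.212` hosts come from the report; the prefix boundaries, the Aeza prefix (a documentation range here), every other address, the record schema and the certificate bytes are constructed assumptions.

```python
"""Score TLS connection records against a Lumma infrastructure watchlist.

Added example, not the report's own tooling. The log records, the prefix
table and the certificate bytes are constructed: ASN numbers and the
46.28.71.142 / 217.156.66.212 hosts come from the report; prefix
boundaries, the Aeza prefix (a documentation range here) and every other
address are assumptions.
"""
import hashlib
import ipaddress
import json
import re

# Constructed prefix-to-ASN table; a real deployment loads BGP data or an ASN database.
PREFIX_TABLE = [
    (ipaddress.ip_network("46.28.71.0/24"), 8254, "ROUTE95"),
    (ipaddress.ip_network("217.156.66.0/24"), 48753, "Ava Host Srl"),
    (ipaddress.ip_network("198.51.100.0/24"), 210644, "Aeza"),  # assumed prefix
]
WATCHED_ASNS = {210644, 8254, 48753}
WATCHED_TLDS = {"qpon", "top", "xyz"}

# Placeholder DER bytes standing in for a certificate seen on known Lumma C2.
KNOWN_C2_CERT = hashlib.sha256(b"placeholder-der-cert-A").hexdigest()
WATCHED_CERTS = {KNOWN_C2_CERT}

# Signal weights: a certificate match alone is enough to alert; an ASN match alone is not.
WEIGHTS = {"cert": 3, "asn": 2, "tld": 1}
ALERT_THRESHOLD = 3


def lookup_asn(ip: str):
    """Longest-prefix style lookup over the constructed table (first match wins here)."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in PREFIX_TABLE:
        if addr in net:
            return asn, name
    return None, None


def score_record(rec: dict):
    """Return (score, reasons) for one parsed TLS connection record."""
    score, reasons = 0, []
    if rec.get("cert_sha256") in WATCHED_CERTS:
        score += WEIGHTS["cert"]
        reasons.append("cert")
    asn, _ = lookup_asn(rec["dst_ip"])
    if asn in WATCHED_ASNS:
        score += WEIGHTS["asn"]
        reasons.append(f"asn:{asn}")
    m = re.search(r"\.([a-z]+)$", rec.get("sni", ""))
    if m and m.group(1) in WATCHED_TLDS:
        score += WEIGHTS["tld"]
        reasons.append(f"tld:{m.group(1)}")
    return score, reasons


def analyze(lines, threshold=ALERT_THRESHOLD):
    """Parse JSON-lines TLS records and return those that reach the alert threshold."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        score, reasons = score_record(rec)
        if score >= threshold:
            alerts.append({"dst_ip": rec["dst_ip"], "sni": rec.get("sni", ""),
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample records (JSON lines, one TLS connection each).
LOG_LINES = [json.dumps(r) for r in [
    {"src_ip": "10.0.0.5", "dst_ip": "46.28.71.142", "sni": "nonsazv.qpon", "cert_sha256": KNOWN_C2_CERT},
    {"src_ip": "10.0.0.6", "dst_ip": "198.51.100.20", "sni": "cdn.example.top", "cert_sha256": "0" * 64},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.10", "sni": "login.example.com", "cert_sha256": "1" * 64},
    {"src_ip": "10.0.0.8", "dst_ip": "217.156.66.212", "sni": "mail.example.org", "cert_sha256": "2" * 64},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.55", "sni": "", "cert_sha256": KNOWN_C2_CERT},
]]

if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(alert)
```

The last sample record is the case the report's certificate pivot exists for: a host with no SNI and an address outside every watched ASN still alerts because it presents the known C2 certificate, whereas the `217.156.66.212` record, matching only on ASN, is held back for lower-priority review rather than paged out as an alert.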