Full Report
Bulletproof Malware
Analysis Summary
# Tool/Technique: Lumma Infostealer
## Overview
Lumma is an actively developed infostealer malware cluster whose operations rely on malicious command and control (C2) and distribution infrastructure, part of it linked to the bulletproof hosting provider referred to as "Prospero." The instance analyzed was served from a set of IP addresses, many of them running Apache web servers.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (not stated explicitly in the source; Lumma is a Windows infostealer that targets browser and user data)
- Capabilities: Credential and data theft; delivery through compromised or attacker-controlled hosting infrastructure.
- First Seen: Not stated explicitly; the source describes the cluster as "going crazy lately" (active in 2025).
## MITRE ATT&CK Mapping
*(Note: Specific TTPs are inferred from the nature of an infostealer and its distribution method; the source does not document them directly)*
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (C2 communication; the protocol is not detailed in the source)
- **TA0002 - Execution**
- T1204 - User Execution (applies if the payload is delivered via phishing or malicious links; the delivery vector is not confirmed in the source)
## Functionality
### Core Capabilities
- Distribution via compromised or attacker-controlled infrastructure (e.g. 91[.]202[.]233[.]151).
- Hosting on Apache web servers (Server banners 2.4.52/2.4.53) under the directories "1337" and "Update."
### Advanced Features
- Likely use of bulletproof hosting services (inferred from the mention of "Prospero").
- Two distribution points sit behind the Cloudflare CDN, which hides the origin server and makes IP-based blocking ineffective for them: the Cloudflare addresses are shared edge IPs, not attacker-owned hosts.
## Indicators of Compromise
- File Hashes (SHA-256): `5021cc94accc930c25a56574dcf3ab56b9717e450d3712a424b27cab1eca1a9d`
- File Names: Not specified in the context provided.
- Registry Keys: Not specified in the context provided.
- Network Indicators:
- IP Address: `91[.]202[.]233[.]151` (Associated with initial discovery)
- IP Address: `185[.]99[.]135[.]162`
- IP Address: `85[.]31[.]47[.]154`
- IP Address: `87[.]121[.]86[.]16`
- IP Address: `185[.]196[.]9[.]251`
- IP Address: `85[.]217[.]144[.]194`
- IP Address: `84[.]32[.]190[.]45`
- IP Address: `95[.]214[.]24[.]244` (Running Apache/2.4.53)
- IP Address: `188[.]114[.]97[.]3` (Cloudflare edge address; shared with unrelated sites, low confidence on its own)
- IP Address: `172[.]67[.]171[.]88` (Cloudflare edge address; shared with unrelated sites, low confidence on its own)
- Behavioral Indicators: HTTP requests to the `/1337` and `/Update` directories on the hosts above.
## Associated Threat Actors
- Threat actors operating the Lumma infostealer cluster (no specific group is named; the infrastructure overlaps with the Prospero sphere monitored by KrebsOnline).
## Detection Methods
- Signature-based detection using the listed SHA-256 hash.
- Network monitoring for connections to the listed IP addresses (treat hits on the two Cloudflare addresses as low confidence on their own and pivot to the requested hostname).
- Proxy and web-log monitoring for HTTP requests to the `/1337` or `/Update` paths on the listed hosts (these are fixed hosting directories on the attacker's servers, not directory traversal).
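The following script is an added example, not code from the original report or from any vendor, showing how the indicators above (the IP list, the `/1337` and `/Update` paths, and the SHA-256 hash) can be applied to proxy logs with the Cloudflare caveat built in. The Squid access-log format, the constructed sample log lines, and the two Cloudflare prefixes used to classify the shared edge addresses are assumptions for the example; the IOC values themselves are the ones listed in this report.

```python
"""Added example: match the Lumma hosting IOCs from this report against
proxy access-log lines and a file hash. Not code from the original page.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Network IOCs exactly as the report lists them (kept defanged at rest).
LUMMA_IPS_DEFANGED = [
    "91[.]202[.]233[.]151", "185[.]99[.]135[.]162", "85[.]31[.]47[.]154",
    "87[.]121[.]86[.]16", "185[.]196[.]9[.]251", "85[.]217[.]144[.]194",
    "84[.]32[.]190[.]45", "95[.]214[.]24[.]244",
    "188[.]114[.]97[.]3", "172[.]67[.]171[.]88",
]
LUMMA_PATHS = ("/1337", "/Update")
LUMMA_SHA256 = {"5021cc94accc930c25a56574dcf3ab56b9717e450d3712a424b27cab1eca1a9d"}

# Assumption: the two "behind Cloudflare" addresses fall in these Cloudflare
# anycast prefixes. A hit on them alone is weak evidence because the edge IP
# is shared by many unrelated sites.
SHARED_CDN_NETS = [ipaddress.ip_network("172.64.0.0/13"),
                   ipaddress.ip_network("188.114.96.0/20")]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


LUMMA_IPS = {refang(i) for i in LUMMA_IPS_DEFANGED}


def is_shared_cdn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_NETS)


def path_matches(path: str) -> bool:
    """Match /1337 and /Update as whole path segments, not /13370 or /Updates."""
    return any(path == p or path.startswith(p + "/") for p in LUMMA_PATHS)


@dataclass
class Hit:
    line_no: int
    client: str
    dst_ip: str
    path: str
    confidence: str  # high / medium / low


# Assumed Squid native access.log layout:
# time elapsed client code/status bytes method URL user peerstatus/peerhost type
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+[A-Z]+\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<dst>\S+)"
)


def scan_proxy_log(lines):
    """Return a Hit for every line whose destination is a listed IOC IP.

    Confidence: IOC IP + IOC path on a directly hosted server is high; the
    same on a shared Cloudflare address drops to medium; an IOC IP with no
    path match is medium, or low when the IP is a shared CDN edge.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m.group("dst") not in LUMMA_IPS:
            continue
        dst = m.group("dst")
        path = urlsplit(m.group("url")).path or "/"
        shared = is_shared_cdn(dst)
        if path_matches(path):
            confidence = "medium" if shared else "high"
        else:
            confidence = "low" if shared else "medium"
        hits.append(Hit(n, m.group("client"), dst, path, confidence))
    return hits


def matches_known_sample(data: bytes) -> bool:
    """Hash-based check of file contents against the report's SHA-256."""
    return hashlib.sha256(data).hexdigest() in LUMMA_SHA256


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "1717000000.123    210 10.0.0.5 TCP_MISS/200 52311 GET http://91.202.233.151/1337/file.exe - HIER_DIRECT/91.202.233.151 application/octet-stream",
    "1717000001.456     30 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1717000002.789    120 10.0.0.9 TCP_MISS/200 4096 GET http://cdn-host.example/Update/setup.bin - HIER_DIRECT/172.67.171.88 application/octet-stream",
    "1717000003.000     80 10.0.0.11 TCP_MISS/200 300 GET http://some-site.example/ - HIER_DIRECT/172.67.171.88 text/html",
    "1717000004.000     60 10.0.0.13 TCP_MISS/200 300 GET http://95.214.24.244/ - HIER_DIRECT/95.214.24.244 text/html",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h)
```

Run against the constructed sample, the script flags the direct `/1337` download as high confidence, the `/Update` fetch via a Cloudflare edge as medium, a plain page load through the same edge as low, and a bare hit on 95.214.24.244 as medium; the hash check is meant to be fed the bytes of a retrieved file, and will only fire on the exact sample listed in the report.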
## Mitigation Strategies
- Block the directly hosted (non-Cloudflare) C2 and distribution IP addresses at the network perimeter; for the Cloudflare-fronted distribution points, block by hostname at the proxy or DNS layer rather than by IP, because those edge addresses are shared with many legitimate sites.
- Use the Apache 2.4.52/2.4.53 banner as a pivot to find related attacker hosting (for example in Internet scan data), combined with the IP and path indicators above, not as a standalone detection or blocking rule.
- Patching Apache is not a mitigation here: the 2.4.52/2.4.53 versions are observed on the attacker's hosting servers, not on victim systems, and updating your own web servers does not affect this threat.
## Related Tools/Techniques
- Prospero (Bulletproof service provider mentioned in context).