# Uncovering Shared Malware Infrastructure

Analysis Summary
# Tool/Technique: Lumma Infostealer
## Overview
Lumma is a potent information-stealing malware known for being distributed through social media channels like Telegram, often disguised as legitimate or cracked software (e.g., CCleaner 2024). Its primary goal is to steal sensitive user credentials from infected devices.
## Technical Details
- Type: Malware family
- Platform: Windows (Implied by EXE format and typical infostealer targets)
- Capabilities: Credential theft, persistence establishment.
- First Seen: Not explicitly stated in the text, but referenced as "well known."
## MITRE ATT&CK Mapping
*Note: Specific techniques are inferred based on stated capabilities (Credential Theft, Persistence).*
- TA0003 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder (implied by the startup-setting check)
- TA0006 - Credential Access
  - T1555 - Credentials from Password Stores (implied by "stealing sensitive user credentials")
## Functionality
### Core Capabilities
- Stealing sensitive user credentials stored on infected devices.
- Ensuring persistence by checking if the malware is set to run at system startup.
### Advanced Features
- Distribution relies on social engineering, masquerading as legitimate software or cracked applications.
- The sample found was distributed as a crypted `.exe`.
## Indicators of Compromise
- File Hashes: SHA256: `50828bab09602ff91a8fcb4c8ded23a2331472e62b32edc8f54b68c5ae91f40e`
- File Names: `crypted_LummaC2.exe` (Example)
- Registry Keys: Not explicitly listed.
- Network Indicators:
  - C2 Host: `wdfiles[.]ru` (for hosting the initial sample)
  - Communicating Domains: `preside-comforter[.]sbs`, `savvy-steereo[.]sbs`, `copper-replace[.]sbs`, `record-envyp[.]sbs`, `slam-whipp[.]sbs`, `wrench-creter[.]sbs`, `looky-marked[.]sbs`, `plastic-mitten[.]sbs`, `lumhiddenforest[.]shop/api`, `marshal-zhukov[.]com`
- Behavioral Indicators: Attempts to establish persistence via system startup checks.
## Associated Threat Actors
- Not explicitly named, but utilizes common distribution channels (Telegram).
## Detection Methods
- Signature-based detection against the provided file hash.
- Behavioral detection focusing on startup location modifications.
## Mitigation Strategies
- Exercise caution when downloading software from unofficial channels (Telegram).
- Ensure endpoint security solutions are updated to detect known infostealer binaries.
## Related Tools/Techniques
- Amadey Malware (Observed sharing C2 infrastructure).
***
# Tool/Technique: Amadey Malware
## Overview
Amadey is a multifunctional malware capable of remote access, keylogging, credential theft, and cryptocurrency mining. Recent deployments have utilized malicious CAPTCHAs and phishing emails targeting finance and government sectors, particularly in Latin America.
## Technical Details
- Type: Malware family
- Platform: Windows (Implied by associated URLs and context)
- Capabilities: Remote access, keylogging, credential theft, cryptocurrency mining, and acting as a loader/distributor for other malware.
- First Seen: Not explicitly stated, but described as being recently reported in phishing campaigns.
## MITRE ATT&CK Mapping
*Note: Mappings cover the broad stated capabilities.*
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
- TA0003 - Persistence
- TA0005 - Defense Evasion
- TA0009 - Collection (Keylogging, Credential Theft)
- TA0010 - Exfiltration
## Functionality
### Core Capabilities
- Remote access capability.
- Keylogging.
- Credential theft.
- Cryptocurrency mining.
### Advanced Features
- Used in multi-stage attack chains, communicating with C2 infrastructure that also distributes other infostealers based on victim OS/versions.
- Can download/execute secondary payloads from specific URLs (e.g., `http://185.215.113[.]16/mine/random.exe`).
- Leverages shared infrastructure, including C2 domains also used by Lumma.
## Indicators of Compromise
- File Hashes: SHA256: `373ffb138b7376264a307837ef5bd51bd02380376f9fdd27350cf1b65a28bcbb`
- File Names: `random.exe` (Example)
- Registry Keys: Not explicitly listed.
- Network Indicators:
  - Initial observed distribution IP/URL: `http://185.215.113[.]16/mine/random.exe`
  - Shared C2 Domains/IPs with Lumma samples: `preside-comforter[.]sbs`, `savvy-steereo[.]sbs`, etc.
  - Additional IPs observed: `185.215.113[.]43`, `185.215.113[.]202`, `185.215.113[.]206`, `185.156.72[.]65`, `185.199.111[.]133`, `31.57.135[.]113`, `31.41.244[.]11`, `20.233.83[.]145`, `34.118.84[.]150`, `18.213.123[.]165`, `104.21.16[.]9`
  - Specific C2/Distribution Endpoints: `http://185.215.113[.]43/Zu7JuNko/index.php`, endpoints on `185.215.113[.]206` (e.g., `/c4becf79229cb002.php/`).
- Behavioral Indicators: Connections to domains shared with Lumma infrastructure; downloading secondary payloads from hosts in the `185.215.113[.]0/24` range.
## Associated Threat Actors
- Not explicitly named, but active in phishing campaigns targeting finance and government in Latin America.
## Detection Methods
- Signature-based detection on the unique SHA256 hash.
- Network monitoring for connections to the listed C2 IPs/domains.
## Mitigation Strategies
- Implement network filtering for the identified C2 infrastructure.
- Deploy application control or endpoint detection to monitor for the execution of keylogging or mining activity.
## Related Tools/Techniques
- Lumma Infostealer (Shares significant C2 infrastructure).
***
# Technique: Shared Malware Infrastructure Discovery via SSH Fingerprint
## Overview
This technique involves pivoting from observed malware activity (Amadey sandbox analysis) to uncover hidden Command and Control (C2) infrastructure that was not initially flagged in standard sandbox reports. This was achieved by correlating an SSH key fingerprint found on an observed C2/distribution server with other external sources.
## Technical Details
- Type: Technique/Procedure
- Platform: Multi-platform infrastructure (Linux/SSH servers hosting C2/distribution layers)
- Capabilities: Infrastructure mapping, uncovering previously unknown attacker assets, multi-tiered infrastructure identification.
- First Seen: N/A (Specific actionable pivot observed in this investigation)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1584.006 - C2 Infrastructure: Cloud Services (if cloud hosted)
- TA0010 - Exfiltration (indirectly aids C2)
## Functionality
### Core Capabilities
- Identifying C2/distribution servers hosting various infostealers.
- Discovering additional C2 servers that were not reported by initial sandbox analysis.
### Advanced Features
- Using unique server artifacts (SSH key fingerprint: `e7c420a6cdcff65864fe44d2f524c79da82d68fa40c3e72ef4d555bd911231b6`) to pivot and map out the full operational footprint of the adversary.
- Establishing a hypothesis of tiered infrastructure: distribution servers hosting multiple infostealers and C2 servers managing actions.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (This is the method used to find indicators)
- Behavioral Indicators: Correlation of SSH key fingerprints across different digital assets.
## Associated Threat Actors
- Unknown actors operating the shared infrastructure used by Lumma and Amadey operators.
## Detection Methods
- Advanced threat hunting focusing on identifying infrastructure overlaps across different malware samples.
- Analyzing unique server artifacts (like SSH fingerprints) discovered during incident response for broader attribution/mapping.
## Mitigation Strategies
- Monitor for connections to unusual distribution servers (e.g., those hosting multiple types of malware).
- Internal security processes should include deeper forensic pivoting using unique server artifacts discovered during analysis.
## Related Tools/Techniques
- Multi-stage malware distribution (used by Amadey to deploy secondary payloads).
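The pivot above hinges on comparing host-key fingerprints that different tools print in different notations. As an added example (not code from the report or from any tool it used), the following Python derives the SHA256 fingerprint from an OpenSSH public-key line and converts between the hex form the report quotes and the `SHA256:<base64>` form that `ssh-keygen -lf` prints; the key line, watchlist helper and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Hex SHA256 host-key fingerprint as quoted in the report above.
REPORT_FINGERPRINT_HEX = "e7c420a6cdcff65864fe44d2f524c79da82d68fa40c3e72ef4d555bd911231b6"

def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(b)) + b

def build_pubkey_line(key_type, raw_key):
    """Build an OpenSSH public-key line ('<type> <base64 blob>') from raw key bytes."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return key_type + " " + base64.b64encode(blob).decode()

def digest_to_openssh(digest):
    """Render a raw SHA256 digest the way `ssh-keygen -lf` does: SHA256:<unpadded base64>."""
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hex_to_openssh(hex_fp):
    """Convert a hex fingerprint (the report's notation) to OpenSSH notation for comparison."""
    return digest_to_openssh(bytes.fromhex(hex_fp))

def hostkey_fingerprints(pubkey_line):
    """SHA256 fingerprint of the host key in both notations; the digest covers the
    base64-decoded key blob exactly as the server presents it during key exchange."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return {"hex": digest.hex(), "openssh": digest_to_openssh(digest)}

def on_watchlist(pubkey_line, watchlist_hex):
    """True if the server's host key matches any watched hex fingerprint (case-insensitive)."""
    return hostkey_fingerprints(pubkey_line)["hex"] in {fp.lower() for fp in watchlist_hex}

# Constructed test key: an ssh-ed25519 line built from 32 placeholder bytes,
# not a key observed on any real server.
CONSTRUCTED_KEY_LINE = build_pubkey_line("ssh-ed25519", bytes(range(32)))
```

Feed `hostkey_fingerprints` the line a scanner or `ssh-keyscan` returns for a host and compare against `hex_to_openssh(REPORT_FINGERPRINT_HEX)` to check for the same host key across hosts.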
***
# Technique: Infrastructure for Malware Distribution and Deployment
## Overview
This describes the tiered network structure used to host and distribute malware, characterized by two main tiers: distribution servers hosting various infostealers that adapt payloads based on victim OS, and a higher tier of C2 servers managing the distribution logistics. Distribution sites frequently pull update/blacklist files from GitHub.
## Technical Details
- Type: Technique/Procedure
- Platform: Internet infrastructure (Web servers, GitHub repositories)
- Capabilities: Multi-payload hosting, OS-version dependent malware serving, use of public code repositories for evasion/updates.
- First Seen: N/A (Observed operational deployment methods)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1105 - Ingress Tool Transfer (for retrieving blacklists/payloads)
## Functionality
### Core Capabilities
- Distribution servers host different malware/infostealers for delivery based on victim characteristics.
- Use of commonly available, trusted services (GitHub) to store configuration or blacklist files.
### Advanced Features
- Utilization of GitHub raw content hosting (e.g., `raw[.]githubusercontent[.]com`) to serve files like `gpu_list.txt`, `processes_list.txt`, and `MachineGuid.txt`, which are likely used for sandbox/VM evasion or victim selection criteria.
## Indicators of Compromise
- Network Indicators (associated with these distribution/C2 activities):
  - Domains utilizing a custom structure: `home[.]twentykx20pt[.]top`, `twentykx20pt[.]top`
  - GitHub source URLs for configuration files (e.g., `raw[.]githubusercontent[.]com/6nz/virustotal-vm-blacklist/...`)
- Behavioral Indicators: Malware endpoints checking external URLs hosted on trusted platforms (GitHub) for blacklists prior to execution.
## Associated Threat Actors
- Actors controlling the Lumma/Amadey shared infrastructure.
## Detection Methods
- Monitoring for connections to the dedicated distribution domains (`twentykx20pt[.]top`).
- Detecting requests to `raw[.]githubusercontent[.]com` that retrieve files matching known blacklist or configuration patterns used by malware.
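The two detection methods above, and the network monitoring listed for Amadey, come down to matching egress logs against the report's indicators. As an added example (not from the report or any product), this Python refangs the report's domains and the `185.215.113[.]0/24` range, flags subdomains of the distribution domains, and flags GitHub raw-content requests for the named blacklist files; the log format, sample lines and the `PLACEHOLDER` path segment are constructed.

```python
import ipaddress
from urllib.parse import urlparse
# Indicators copied from the report above, kept in the defanged form it uses.
C2_DOMAINS = [
    "preside-comforter[.]sbs", "savvy-steereo[.]sbs", "copper-replace[.]sbs",
    "record-envyp[.]sbs", "slam-whipp[.]sbs", "wrench-creter[.]sbs",
    "looky-marked[.]sbs", "plastic-mitten[.]sbs", "lumhiddenforest[.]shop",
    "marshal-zhukov[.]com", "twentykx20pt[.]top",
]
C2_NETWORK = "185.215.113[.]0/24"  # the /24 in which the report's payload/C2 hosts cluster
# Files the report says are fetched from GitHub raw content before execution.
VM_BLACKLIST_FILES = {"gpu_list.txt", "processes_list.txt", "MachineGuid.txt"}

def refang(ioc): return ioc.replace("[.]", ".")  # undo the report's defanging
_DOMAINS = [refang(d) for d in C2_DOMAINS]
_NETWORK = ipaddress.ip_network(refang(C2_NETWORK))

def classify_url(url):
    """Label a requested URL against the report's indicators; None if nothing matches."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for d in _DOMAINS:  # exact or subdomain match, so home.<domain> also hits
        if host == d or host.endswith("." + d):
            return "c2-domain:" + d
    try:
        if ipaddress.ip_address(host) in _NETWORK:
            return "c2-network:" + host
    except ValueError:
        pass  # a hostname rather than an IP literal
    if host == "raw.githubusercontent.com" and parsed.path.rsplit("/", 1)[-1] in VM_BLACKLIST_FILES:
        return "github-vm-blacklist-fetch"
    return None

def scan_proxy_log(lines):
    """Scan 'timestamp client method url' proxy lines; return (line, verdict) for each hit."""
    hits = []
    for line in lines:
        parts = line.split()
        verdict = classify_url(parts[3]) if len(parts) >= 4 else None
        if verdict:
            hits.append((line, verdict))
    return hits

# Constructed sample lines for this demonstration; the GitHub path segment is a placeholder.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z 10.0.0.5 GET http://185.215.113.16/mine/random.exe",
    "2024-06-01T10:00:02Z 10.0.0.5 GET https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/PLACEHOLDER/gpu_list.txt",
    "2024-06-01T10:00:03Z 10.0.0.5 POST https://home.twentykx20pt.top/",
    "2024-06-01T10:00:04Z 10.0.0.7 GET https://example.com/index.html",
    "2024-06-01T10:00:05Z 10.0.0.5 POST https://lumhiddenforest.shop/api",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns four hits and leaves the `example.com` line alone; a blacklist-file fetch followed within seconds by a request into the `/24` is the sequence the report describes.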
## Mitigation Strategies
- Block outbound connections to known suspicious domains used for secondary payload hosting.
- Endpoint security should monitor for unexpected file execution following HTTP downloads from GitHub raw content URLs.
## Related Tools/Techniques
- Use of GitHub as a data source/C2 infrastructure (T1105).