CyberSecurity news

FlagThis - #LummaStealer

info@thehackernews.com (The@The Hacker News //
Cybersecurity researchers have uncovered a large-scale phishing campaign distributing the Lumma Stealer malware. Attackers are using fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to redirect victims to malicious websites. These malicious actors are employing SEO tactics to trick users into downloading the PDFs through search engine results, ultimately leading to the deployment of the information-stealing malware. The Lumma stealer is designed to steal sensitive information stored in browsers and cryptocurrency wallets.

Netskope Threat Labs identified 260 unique domains hosting 5,000 phishing PDF files, affecting over 1,150 organizations and 7,000 users. The attacks primarily target users in North America, Asia, and Southern Europe, impacting the technology, financial services, and manufacturing sectors. Besides Webflow, attackers are also utilizing GoDaddy, Strikingly, Wix, and Fastly to host the fake PDFs. Some PDF files were uploaded to legitimate online libraries like PDFCOFFEE and Internet Archive to further propagate the malware.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Infoblox Blog: DNS Early Detection – Fast Propagating Fake Captcha distributes LummaStealer
  • Talkback Resources: Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains
  • The Hacker News: Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains
  • gbhackers.com: Netskope Threat Labs uncovered a sprawling phishing operation involving 260 domains hosting approximately 5,000 malicious PDF files.
  • Talkback Resources: Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus [mal]
  • gbhackers.com: Beware! Fake CAPTCHA Hidden LummaStealer Threat Installing Silently
  • Cyber Security News: Beware! Fake CAPTCHA Scam That Silently Installs LummaStealer
  • gbhackers.com: Lumma Stealer Using Fake Google Meet & Windows Update Sites to Launch “Click Fixâ€� Style Attack
Classification:
CISO2CISO Editor 2@ciso2ciso.com //
A new, sophisticated cyber campaign is utilizing GitHub's infrastructure to distribute the Lumma Stealer malware, a notorious data-stealing tool. This campaign doesn't only focus on Lumma Stealer, it also distributes other malicious software including SectopRAT, Vidar, and Cobeacon. Attackers are exploiting the platform's release mechanisms to gain initial access to systems and subsequently deploy these harmful payloads. This tactic has allowed the threat actors to leverage a trusted platform, tricking users into downloading files from malicious URLs, thereby increasing the risk of widespread infections.

Trend Micro researchers have analyzed the tactics, techniques and procedures (TTPs) used in this campaign and found significant similarities with those used by the Stargazer Goblin group, indicating a potential connection between the two. The Lumma Stealer malware is known for extracting credentials, cryptocurrency wallets, system details, and other sensitive files. SOC Prime Platform has released detection content aimed at helping security teams proactively identify and thwart related threats. This includes Sigma rules for Lumma Stealer, SectopRAT, Vidar, and Cobeacon detection, highlighting the ongoing efforts to counter this dangerous threat.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • ciso2ciso.com: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • SOC Prime Blog: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • Virus Bulletin: Trend Micro researchers dissect the tactics, techniques and procedures (TTPs) employed by a campaign distributing Lumma Stealer through GitHub.
  • ciso2ciso.com: Lumma Stealer Detection: Sophisticated Campaign Using GitHub Infrastructure to Spread SectopRAT, Vidar, Cobeacon, and Other Types of Malware – Source: socprime.com
  • www.trendmicro.com: Trend Micro : Trend Micro reports on a campaign distributing Lumma stealer through GitHub.
  • gbhackers.com: Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer
  • gbhackers.com: Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer
Classification:
  • HashTags: #MalwareDistribution #GitHub #LummaStealer
  • Company: GitHub
  • Target: NULL
  • Attacker: Stargazer Goblin
  • Product: GitHub
  • Feature: release infrastructure
  • Malware: Lumma Stealer
  • Type: Malware
  • Severity: Major
@securityonline.info //
A new malware campaign is underway, distributing the Lumma Stealer information stealer via weaponized PDF documents. This campaign specifically targets educational institutions, exploiting compromised infrastructure to deliver malicious LNK files disguised as legitimate PDFs. These files, when executed, initiate a multi-stage infection process designed to steal sensitive data, including passwords, browser information, and cryptocurrency wallet details.

The attackers lure users into downloading these malicious files by disguising them as innocuous documents, such as school fee structures. Once executed, the LNK files trigger PowerShell commands that download and run obfuscated JavaScript code, ultimately deploying the Lumma Stealer payload. The malware employs advanced evasion techniques, including obfuscated JavaScript and encrypted payloads, to avoid detection.

This campaign highlights the urgent need for robust cybersecurity measures within educational institutions and other sectors. Lumma Stealer targets various industries beyond education, including finance, healthcare, technology, and media. The use of compromised educational infrastructure as a distribution channel underscores the vulnerabilities in organizational cybersecurity frameworks.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • gbhackers.com: Weaponized PDFs Deliver Lumma InfoStealer Targeting Educational Institutions
  • securityonline.info: Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures
  • www.cloudsek.com: Lumma Stealer Chronicles: PDF-Themed Campaign Using Compromised Educational Institutions’ Infrastructure
  • gbhackers.com: Weaponized PDFs Deliver Lumma InfoStealer Targeting Educational Institutions
  • Talkback Resources: Lumma Stealer Malware Campaign Targets Educational Institutions with Deceptive PDF Lures [mal]
  • www.silentpush.com: Silent Push recently expanded our research on the “Lumma Stealerâ€� infostealer malware.
Classification:
  • HashTags: #Malware #InfoStealer #Education
  • Company: Educational Institutions
  • Target: Educational institutions
  • Product: PDF Documents
  • Feature: Malicious LNK files
  • Malware: Lumma Stealer
  • Type: Malware
  • Severity: Major