Lumma

Malware Profile Updated 7 days ago
Lumma is a type of malware, specifically an information stealer, known for its sophisticated tactics in cyber threats, including the exploitation of the undocumented Google OAuth2 MultiLogin endpoint. In late November 2023, BleepingComputer reported on Lumma's ability to restore expired Google authentication cookies stolen in attacks.

The malware was part of a new wave of cyber threats that also included other information stealers like Vidar, backdoors/downloaders such as Aresloader and Canyon, and malware acquired from FIN7 developers like Minodo and Diceloader. The attackers, tracked as GitCaught, used a GitHub profile to impersonate legitimate software applications, including 1Password, Bartender 5, and Pixelmator Pro, to distribute malware such as Atomic macOS Stealer (AMOS), Lumma, Octo, and Vidar. This campaign highlighted how attackers exploit trusted internet services to carry out cyberattacks that steal personal information.

Further analysis revealed communications with a FileZilla server used as a dropper for infostealer variants like Lumma and Vidar, delivered through Python scripts and encrypted files with variable payloads. In earlier versions, Lumma retrieved the .ENC file and conducted multiple DNS lookups for domains previously associated with Lumma Stealer, resulting in Lumma and Vidar infostealers being dropped.

A cybersecurity enthusiast identified Lumma as a "fork/refactor" of Mars. Infostealers like Vidar and Lumma are typically developed by one specific threat actor and then made public to the entire cybercrime community, following a model called malware-as-a-service (MaaS). Despite efforts to counteract these threats, the evolution of Lumma, especially its new anti-sandbox method, poses ongoing challenges to cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name | Votes | Profile Description
Lumma Stealer | 8 | Lumma Stealer is a malicious software, or malware, that targets computer systems with the intent to exploit and damage them. This malware primarily focuses on stealing cryptocurrency wallets and browser user data. The latest version of Lumma Stealer was detected in our recent investigation, revealin
Vidar | 5 | Vidar is a malware variant that first emerged in 2018 as a derivative of the Arkei malware. It is a Windows-based infostealer written in C++, and it has been used extensively by cybercriminals to steal sensitive information from compromised systems. Vidar, like other infostealers such as LummaC2, is
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
YouTube
Infostealer
Phishing
Exploit
Google
MaaS
Payload
Loader
Trojan
Cybercrime
Android
Dropper
Chrome
FortiGuard
Sandbox
GitHub
Associated Malware
Name | Type | Votes | Profile Description
RedLine | Unspecified | 3 | RedLine is a notorious malware, discovered in March 2020, that has been used extensively by threat actors to export personal information such as credentials, cryptocurrency wallets, and financial data to its command-and-control infrastructure. The malware infiltrates systems via suspicious downloads
Stealc | Unspecified | 2 | Stealc is a malicious software, or malware, that specifically targets browser extensions and authenticators by password managers. It gained notoriety in the cybercrime world for its role in the attack on the Solana blockchain in 2023, which resulted in a $7 million heist. This particular malware was
AMOS | Unspecified | 2 | AMOS is a malicious software (malware) that has been specifically designed to target Mac systems, both Intel-based and ARM-based. It is capable of stealing passwords, personal files, and information from crypto wallets, posing a significant threat to user security. AMOS was first identified as part
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Lumma malware was read from the document corpus below. This display is limited to 20 results.

Source | Created | Title
Trend Micro | 7 months ago | Beware Lumma Stealer Distributed via Discord CDN
Malware-traffic-analysis.net | 7 months ago | Malware-Traffic-Analysis.net - 2023-10-11 - Lumma Stealer infection
CERT-EU | 5 months ago | Deceptive Cracked Software Spreads Lumma Variant on YouTube | FortiGuard Labs
Fortinet | 5 months ago | Deceptive Cracked Software Spreads Lumma Variant on YouTube | FortiGuard Labs
CERT-EU | 8 months ago | Kaspersky crimeware report: ASMCrypt, Lumma and Zanubis
CERT-EU | 6 months ago | Lumma malware can allegedly restore expired Google auth cookies
CERT-EU | 6 months ago | Lumma Stealer malware now uses trigonometry to evade detection
CERT-EU | 5 months ago | YouTube Channels Hacked to Spread Lumma Stealer via Cracked Software | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | Defending Against Lumma Information Stealer Malware
DARKReading | 5 months ago | Attackers Abuse Google OAuth Endpoint to Hijack User Sessions
DARKReading | 5 months ago | Beware Weaponized YouTube Channels Spreading Lumma Stealer
Securelist | 6 months ago | Kaspersky malware report for Q3 2023
CERT-EU | 5 months ago | Malware Leveraging Google Cookie Exploit via OAuth2 Functionality
CERT-EU | 5 months ago | YouTube Channels Hacked to Spread Lumma Stealer via Cracked Software
CERT-EU | 5 months ago | Time to Guard : Protect Your Google Account from Advanced Malware
Malwarebytes | 3 months ago | Vibrator virus steals your personal information | Malwarebytes
CERT-EU | 8 months ago | Android Banking Trojan Zanubis Evolves to Target Peruvian Users
InfoSecurity-magazine | 14 days ago | Russian Actors Weaponize Legitimate Services in Multi-Malware Attack
CERT-EU | 5 months ago | Malware abuses Google OAuth endpoint to 'revive' cookies, hijack accounts
InfoSecurity-magazine | 2 months ago | Famous YouTube Channels Hacked to Distribute Infostealers