Lumma Stealer

Malware profile updated 2024-10-17T12:02:28.450Z
Lumma Stealer is an information-stealing malware (infostealer) with broad data-harvesting capabilities. It collects passwords, payment card details, cryptocurrency wallet data and browser session cookies from infected Windows hosts, and specifically targets cryptocurrency wallets and two-factor authentication browser extensions. It executes via DLL side-loading and is reported to be difficult to detect. The malware has been linked to the cybercriminal group FIN7, which also uses other malicious tooling such as the NetSupport remote access Trojan and the RedLine credential stealer.

The reported delivery chain starts with a deceptive "trial download" prompt. When the user agrees to download the trial, they are redirected to a Bitbucket repository hosting a malicious .zip archive. The archive contains an executable together with a copy of user32.dll, a legitimate Windows system library; the executable acts as a dropper for Lumma Stealer. Once it runs, Lumma Stealer establishes itself on the system and begins harvesting data.

The malware was highly active throughout 2024, with command-and-control (C2) servers identified in April, May and June. Its distribution has not gone unnoticed: Silent Push and Bitdefender have analysed and reported on its activity, and CrowdStrike found Lumma Stealer being distributed through a phishing lure posing as a Falcon Sensor update, illustrating how quickly its operators adapt their lures to current events.
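The side-loading pattern described above (an executable shipped in a user-supplied archive next to a file carrying a Windows system DLL name) is something a triage pipeline can flag before anything is executed. The following is an added example written for this page, not code from Cybergeist or from any of the cited vendors: it builds a constructed ZIP in memory that mimics the lure archive, lists the members, and reports every executable that has a system-named DLL beside it in the same directory. The set of DLL names is an illustrative assumption, not an authoritative list; in production you would derive it from a System32 inventory or the KnownDLLs registry key.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Windows system library names worth flagging when they turn up inside an
# archive a user downloaded. Constructed, non-exhaustive list for this example.
SYSTEM_DLL_NAMES = {
    "user32.dll", "version.dll", "dbghelp.dll", "wininet.dll",
    "cryptbase.dll", "uxtheme.dll", "propsys.dll", "dwmapi.dll",
}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com"}


def find_sideload_candidates(names):
    """Given archive member names, return (exe_path, dll_path) pairs where a
    file carrying a system DLL name sits in the same directory as an
    executable. Backslashes are normalised so Windows-built archives work,
    but the original member names are returned so they can be opened again."""
    by_dir = {}
    for raw in names:
        if raw.endswith(("/", "\\")):  # directory entry, nothing loadable
            continue
        path = PurePosixPath(raw.replace("\\", "/"))
        by_dir.setdefault(str(path.parent), []).append((path, raw))

    findings = []
    for members in by_dir.values():
        exes = sorted(raw for p, raw in members
                      if p.suffix.lower() in EXECUTABLE_SUFFIXES)
        dlls = sorted(raw for p, raw in members
                      if p.name.lower() in SYSTEM_DLL_NAMES)
        findings.extend((exe, dll) for exe in exes for dll in dlls)
    return findings


def scan_zip(data):
    """Scan an in-memory ZIP and enrich each candidate with whether the DLL
    member actually begins with the 'MZ' PE header. A system DLL name on a
    non-PE file is still anomalous, just a different kind of anomaly."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for exe, dll in find_sideload_candidates(zf.namelist()):
            with zf.open(dll) as fh:
                magic = fh.read(2)
            results.append({"exe": exe, "dll": dll, "dll_is_pe": magic == b"MZ"})
    return results


def build_sample_archive():
    """Constructed sample shaped like the lure archive in the description:
    a dropper executable plus a user32.dll in the same folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TrialSetup/setup.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("TrialSetup/user32.dll", b"MZ" + b"\x90" * 62)
        zf.writestr("TrialSetup/readme.txt", b"constructed sample, not real")
    return buf.getvalue()


def build_benign_archive():
    """Constructed control sample: an executable with a vendor DLL whose name
    is not a Windows system library, so it must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.pdf", b"%PDF-1.4 constructed")
        zf.writestr("tool/helper.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("tool/plugin.dll", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_archive()):
        kind = "PE" if hit["dll_is_pe"] else "non-PE"
        print(f"possible DLL side-loading: {hit['exe']} shipped with "
              f"{hit['dll']} ({kind})")
    print(f"benign archive findings: {scan_zip(build_benign_archive())}")
```

The check is deliberately name-based rather than content-based: a copy of a core Windows library has no legitimate reason to travel inside a software download, so its mere presence beside an executable is the indicator, and the PE-header flag only tells the analyst what kind of file is masquerading under that name. Treat hits as triage leads to be confirmed by static or sandbox analysis, not as verdicts.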
Description last updated: 2024-10-17T11:40:32.211Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following overlapping names and profiles may also be relevant.

Lumma (11 votes): Lumma is a possible alias for Lumma Stealer. Lumma is a sophisticated and stealthy malware, known for its extensive ability to harvest sensitive data from infected devices. It is primarily designed to steal passwords, card details, cryptocurrency wallets, and browser session cookies. The malware has evolved with new anti-sandbox methods, makin
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Youtube
Infostealer
Windows
Android
Downloader
Exploit
Bot
Trojan
Phishing
Credentials
Chrome
Rat
Vulnerability
Fortiguard
Telegram
Sandbox
Associated Malware
Redline (association type: Unspecified, 4 votes): The Redline Malware is associated with Lumma Stealer. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, RedLine can steal personal information, disrupt operations, or deliver further

Redline Stealer (association type: Unspecified, 3 votes): The Redline Stealer Malware is associated with Lumma Stealer. RedLine Stealer is a type of malware, or malicious software, that infiltrates computer systems with the intent to exploit and cause damage. It typically gains access through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside the system, it can steal personal i

Magecart (association type: Unspecified, 2 votes): The Magecart Malware is associated with Lumma Stealer. Magecart is a form of malware that targets e-commerce platforms by injecting malicious code to steal customer data. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations and steal personal informat

Vidar (association type: Unspecified, 2 votes): The Vidar Malware is associated with Lumma Stealer. Vidar is a malicious software (malware) that operates as an infostealer, primarily targeting Windows-based systems. It's written in C++ and is based on the Arkei stealer. Vidar is part of a broader landscape of malware threats such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo,

Rhadamanthys (association type: Unspecified, 2 votes): The Rhadamanthys Malware is associated with Lumma Stealer. Rhadamanthys is a sophisticated malware that has been used by the threat actor TA547 to target German organizations. This malicious software, designed to exploit and damage computer systems, infiltrates devices through suspicious downloads, emails, or websites, often unbeknownst to the user. Once em

Mozi (association type: Unspecified, 2 votes): The Mozi Malware is associated with Lumma Stealer. Mozi is a type of malware, a malicious software designed to exploit and damage computer systems and devices. It typically infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even

Netsupport (association type: Unspecified, 2 votes): The Netsupport Malware is associated with Lumma Stealer. NetSupport is a legitimate remote access software that has been abused as a malware tool by various threat actors. It's often used in combination with other malicious software like BlackBasta Ransomware, IcedID, and occasionally Lumma Stealer, one of the most prevalent infostealers in circulation today. The m

Netsupport Rat (association type: Unspecified, 2 votes): The Netsupport Rat Malware is associated with Lumma Stealer. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operations
Associated Threat Actors
FIN7 (association type: Unspecified, 2 votes): The FIN7 Threat Actor is associated with Lumma Stealer. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
Source Document References
Information about the Lumma Stealer malware was read from the documents corpus below (source and relative publication age; this display is limited to 20 results).

DARKReading (14 days ago)
BankInfoSecurity (14 days ago)
InfoSecurity-magazine (15 days ago)
InfoSecurity-magazine (22 days ago)
Krebs on Security (a month ago)
InfoSecurity-magazine (a month ago)
CrowdStrike (2 months ago)
DARKReading (3 months ago)
DARKReading (3 months ago)
DARKReading (3 months ago)
DARKReading (3 months ago)
ESET (3 months ago)
Trend Micro (3 months ago)
CrowdStrike (3 months ago)
CrowdStrike (3 months ago)
Checkpoint (3 months ago)
Unit42 (3 months ago)
ESET (3 months ago)
ESET (4 months ago)
DARKReading (4 months ago)