Lumma Stealer Configuration

Jane0sint · June 22, 2023, 10:22pm

Hey, I recently noticed the activity of the stealer to load the configuration.
0x20 bytes xor key
AC B7 67 69 C8 D3 1A 3A E9 C4 FB 55 87 6D 49 D9 B7 73 94 69 ED E1 DE A0 0A 51 0E 4F FF CA C5 A9
The analysis was carried out by an analyst from any.run in the sandbox at the following link:

For better coverage, I would like to share the following rule:

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt";flow: established, to_server; http.method; content: "POST"; http.uri; content: "/c2conf"; isdataat: !1, relative; http.request_body; content: "lid="; depth: 4;content: "&ver="; distance: 0; isdataat: !5, relative; classtype: command-and-control; reference:md5,9153ac5b623681a7fa845cb4e4f59209; reference:url,app.any.run/tasks/bd11c4e0-0942-4880-bc43-03a6440d25d5; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family lumma,  created_at 2023_06_21; sid: 8000476; rev: 1;)

Best regards, Jane <3

ishaughnessy · June 23, 2023, 4:18pm

Thanks @Jane0sint! We’ll get this in today’s release

ishaughnessy · June 23, 2023, 9:22pm

 2046637 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt

Jane0sint · September 15, 2023, 12:58am

Hi, we have updated Lumma http post and wrote new rules

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In";flow: established, to_server; http.method;content: "POST"; http.request_body;content: "act="; depth: 4;content: "&lid="; distance: 0;content: "&j="; distance: 0;content: "&ver="; distance: 0; isdataat: !5, relative; classtype: command-and-control;  reference: md5,884478741e7046e6d0788b63c09df89f;  reference: url, app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma,  created_at 2023_09_15; sid: 1; rev: 1;)

This is the general rule for check-in. Now I’ll write for exfiltration

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration";flow: established, to_server; http.method;content: "POST"; http.request_body;content: "Content-Disposition: form-data|3b 20|name=|22|act|22 0d 0a 0d 0a|send_message|0d 0a|--"; content: "Content-Disposition: form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; content: "Content-Disposition: form-data|3b 20|name=|22|lid|22 0d 0a 0d 0a|"; content: "Content-Disposition: form-data|3b 20|name=|22|file|22 3b|"; threshold:type limit, seconds 30, count 1, track by_dst; classtype: command-and-control;reference: md5,884478741e7046e6d0788b63c09df89f;reference: url,app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma,  created_at 2023_09_15;sid: 2; rev: 1;)

I didn’t write any extra rules, We’ll keep an eye on further changes. Thanks @g0njxa!
Best regards, Jane

Jane0sint · September 15, 2023, 1:19am

Is it okay that I didn’t start a new topic? @ishaughnessy

ishaughnessy · September 15, 2023, 2:56pm

yep, no problem! I’m taking a look now

ishaughnessy · September 15, 2023, 9:55pm

Here are the sids for these, have a great weekend!

2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

g0njxa · December 24, 2023, 11:38am

Lumma Stealer now implements SSL certificates to exfill over HTTPS.

Some recent example
Analysis https://cli.re/E81zVk Malicious activity - Interactive analysis ANY.RUN

Currently no detection… Time to write new rules, happy Xmas!

jtaylor · December 26, 2023, 12:59pm

Thanks! We will see about getting something out today on this.

JT

jtaylor · December 26, 2023, 10:10pm

The decrypted traffic for the sample you shared and some others we found still hit on existing Lumma sigs, one was a ET PRO sig that we moved to the Open set today.

2049836 - ET MALWARE Lumma Stealer Related Activity (previously 2855505)

The following are the new sigs that went out based on the sample you shared and others that were found poking arounnd.

2049838 - ET MALWARE Observed Lumma Stealer Related Domain (agedelayglacierwe .pw in TLS SNI)
2049839 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (agedelayglacierwe .pw)
2049842 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (chincenterblandwka .pw)
2049843 - ET MALWARE Observed Lumma Stealer Related Domain (chincenterblandwka .pw in TLS SNI)
2049844 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (neighborhoodfeelsa .fun)
2049845 - ET MALWARE Observed Lumma Stealer Related Domain (neighborhoodfeelsa .fun in TLS SNI)

We also added INFO sigs for the URI shortening service from the run you shared.

2049840 - ET INFO URI Shortening Service Domain in DNS Lookup (cli .re)
2049841 - ET INFO Observed URI Shortening Service Domain (cli .re in TLS SNI)

Thanks again, much appreciated!

JT

Jane0sint · December 28, 2023, 7:15am

Hi, can I please add a link to this discussion to the rules 2046637 2048093 2048094?
Sorry I’ll have to send this message to all my threads
reference:url,community.emergingthreats.net/t/lumma-stealer-configuration/;

jtaylor · December 28, 2023, 7:35pm

These signature updates will go out today, thanks Jane!

JT

Topic		Replies	Views
Lumma Stealer Updates Rule Signatures	2	539	September 15, 2023
StealC Stealer Rule Signatures	11	826	December 28, 2023
ObserverStealer Rule Signatures	5	591	June 23, 2023
Gurcu stealer report outbound Rule Signatures	7	415	May 30, 2023
WhiteSnake Rule Signatures	4	330	June 17, 2024

Lumma Stealer Configuration

Related topics