Lumma Stealer Updates

g0njxa · September 14, 2023, 10:24pm

Lumma Stealer announced an update at September 14th, announcing a new exfiltration method on its builds.

Endpoints /c2sock and /c2conf were changed by POST request to a common endpoint for both purposes, /api via form parameters.

rule detection is currently 0, altough lumma builds are attempting to bypass sandbox analysis. I believe new rules has to be written in order to keep track on this major threat.

Failed detonation (Detection by memory dumps)
Analysis https://randsoms.click Malicious activity - Interactive analysis ANY.RUN

PCAP extracted from Triage | Malware sandboxing report by Hatching Triage

Thanks in advance

Jane0sint · September 15, 2023, 5:22am

ishaughnessy · September 15, 2023, 3:35pm

Thanks @g0njxa - I took a look this morning and @Jane0sint ‘s new sigs will catch the new exfiltration method. I’ll get those in today’ release

Here are the signature ID’s:

2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In 
2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Topic		Replies	Views
Lumma Stealer Configuration Rule Signatures	11	909	December 28, 2023
Ruleset Update Summary - 2024/01/05 - v10500 Ruleset Updates	0	535	January 5, 2024
Ruleset Update Summary - 2024/03/13 - v10551 Ruleset Updates	0	329	March 13, 2024
Ruleset Update Summary - 2024/02/16 - v10534 Ruleset Updates	0	287	February 16, 2024
Ruleset Update Summary - 2024/02/09 - v10528 Ruleset Updates	0	521	February 9, 2024

Lumma Stealer Updates

Related topics