Lumma Stealer Updates

Lumma Stealer announced an update on September 14th, announcing a new exfiltration method in its builds.

Endpoints /c2sock and /c2conf were changed to a POST request to a common endpoint for both purposes, /api, via form parameters.

Rule detection is currently 0, although Lumma builds are attempting to bypass sandbox analysis. I believe new rules have to be written in order to keep track of this major threat.

Failed detonation (Detection by memory dumps)
Analysis Malicious activity - Interactive analysis ANY.RUN

PCAP extracted from Triage | Malware sandboxing report by Hatching Triage

Thanks in advance


Thanks @g0njxa - I took a look this morning and @Jane0sint's new sigs will catch the new exfiltration method. I'll get those in today's release :cowboy_hat_face:

Here are the signature IDs:

2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In 
2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration