Lumma Stealer Updates

g0njxa · September 14, 2023, 10:24pm

Lumma Stealer announced an update at September 14th, announcing a new exfiltration method on its builds.

Endpoints /c2sock and /c2conf were changed by POST request to a common endpoint for both purposes, /api via form parameters.

rule detection is currently 0, altough lumma builds are attempting to bypass sandbox analysis. I believe new rules has to be written in order to keep track on this major threat.

Failed detonation (Detection by memory dumps)
Analysis https://randsoms.click Malicious activity - Interactive analysis ANY.RUN

PCAP extracted from Triage | Malware sandboxing report by Hatching Triage

Thanks in advance

Jane0sint · September 15, 2023, 5:22am

ishaughnessy · September 15, 2023, 3:35pm

Thanks @g0njxa - I took a look this morning and @Jane0sint ‘s new sigs will catch the new exfiltration method. I’ll get those in today’ release

Here are the signature ID’s:

2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In 
2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Topic		Replies	Views
Lumma Stealer Configuration Rule Signatures	11	761	December 28, 2023
Cryptbot Stealer - Update on Rules Rule Signatures	2	313	July 29, 2023
NStealer v2 Rule Signatures	3	387	September 25, 2023
ObserverStealer Rule Signatures	5	487	June 23, 2023
Kelios check in Rule Signatures	2	318	February 3, 2023

Lumma Stealer Updates

Related Topics