
Threat hunting case study: Lumma infostealer
Source: Intel471

Information stealers, or infostealers, are malware that harvest large volumes of data from infected machines: login credentials, cryptocurrency wallet data, personally identifiable information (PII), session cookies and tokens (which can let an attacker into an account without ever seeing the password or the MFA prompt), multifactor authentication (MFA) tokens and, in general, anything stored in a browser profile. The malware is distributed through phishing campaigns, social engineering, malicious advertising (malvertising) and search engine optimization (SEO) poisoning. The stolen data typically ends up in underground markets as “logs,” packages of credentials and other data taken from a single compromised machine, priced according to their perceived value. This mass collection of data is a problem for both consumer and enterprise security. A remote employee might log in to work accounts from a personal computer that has been compromised by an infostealer, and those work credentials and session tokens are stolen along with everything else. Enterprise security products may be able to spot the signs and block the reuse of stolen credentials, but it remains a common attack vector.

Lumma has been one of the most popular infostealers. It was developed by the threat actor known as Shamel (aliases lumma and HellsCoder), who is believed to be based in Russia. It first appeared on Russian-language cybercriminal forums in 2022 and gained market share because it is effective, easy to use and difficult for security products to detect. Lumma also operated its own marketplace where the stolen data could be sold. To give a sense of the malware's reach, between April 2024 and June 2024 Lumma's market had more than 21,000 listings selling “logs,” batches of data that Lumma had captured.

To read the complete article see: Lumma infostealer case study


This post is licensed under CC BY 4.0 by the author.