Since 2022, a notorious information-stealing malware known as “Lumma” has been actively promoted and traded on various dark web platforms. This malware is designed to infiltrate and extract data from cryptocurrency wallets, browser extensions, and two-factor authentication mechanisms. Its primary objective is to collect and exfiltrate sensitive data from infected systems. Reports indicate a growing presence of Lumma in underground markets, with over a dozen command-and-control (C2) servers identified operating in the wild.

Between January and April of 2023, Darktrace detected and analyzed several cases of Lumma-related activity within its client environments. Leveraging an anomaly-based detection strategy, Darktrace successfully tracked the entire chain of malicious behavior, from initial C2 communications to the final stages of data exfiltration, offering comprehensive visibility into the operations of this emerging threat.
Background on the Lumma Stealer
Lumma Stealer, originally referred to as LummaC2, is a subscription-based malware tool that has been active in the cybercriminal ecosystem since 2022. It is believed to have been developed by a threat actor using the alias “Lumma,” possibly tied to an individual known as “Shamel.” This infostealer has gained traction on dark web forums and has been promoted through a Telegram channel with over a thousand subscribers as of May 2023. Additionally, it is offered for sale on an official vendor site, with subscription prices starting at around USD 250.
Insights into the Russian cybercrime market reveal that Lumma has become increasingly prominent since early 2023, placing it alongside other rapidly spreading info-stealers such as Vidar and Raccoon.
Lumma functions similarly to other data-harvesting malware, collecting detailed information from compromised systems. This includes system metadata, installed applications, browser cookies, login credentials, credit card details, connection histories, and cryptocurrency wallet contents.
Between January and April 2023, Darktrace identified instances of Lumma-related activity across several client environments, predominantly in the EMEA region, with occurrences also noted in the United States. These incidents typically involved data exfiltration to external servers associated with Lumma operations. The infections are suspected to have stemmed from users downloading malicious software or interacting with phishing emails carrying the Lumma payload.
Lumma Attack Mechanics and Detection by Darktrace
Lumma is often delivered under the guise of cracked or counterfeit versions of widely used applications, such as VLC Media Player or ChatGPT. More recently, cybercriminals have adopted phishing tactics, sending emails that include malicious attachments or links disguised as legitimate communications from reputable companies. One notable example occurred in February 2023, when a South Korean streamer was targeted with a spear-phishing email impersonating the gaming company Bandai Namco.
This malware is tailored to exploit Windows operating systems ranging from Windows 7 to 11 and has been found capable of infiltrating at least ten different web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge. It also targets digital assets by focusing on cryptocurrency wallets such as Binance and Ethereum, as well as browser extensions related to crypto management and two-factor authentication, like Metamask and Authenticator. Additionally, Lumma can extract data from applications like AnyDesk and KeePass.
A successful Lumma infection can have severe consequences, such as identity theft or unauthorized access to financial accounts, potentially leading to significant monetary losses. Once the malware gathers the intended data, it transmits it to a command-and-control (C2) server. Darktrace has monitored such activities across numerous client environments, detecting infected devices that exfiltrated data using HTTP POST requests directed at known Lumma C2 infrastructure. These connections frequently featured the URI string “/c2sock” and the user agent label “TeslaBrowser/5.5,” signaling Lumma-related communication.
Case Example and Broader Malware Activity Observed by Darktrace
In one notable case, Darktrace detected a device utilizing the user agent “TeslaBrowser/5.5” during an HTTP POST request to an unfamiliar IP address—82.117.255[.]127. This user agent had not been seen previously on the device, and Darktrace’s Self-Learning AI immediately flagged the activity as anomalous. Recognizing it as a deviation from the device’s normal behavior, the AI alerted the organization’s security team to investigate further.
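The two detection ideas described above, the static indicators (the “/c2sock” URI, the “TeslaBrowser/5.5” user agent and the C2 address from this case) and the behavioural rule that a user agent never before seen on a device is suspicious when it starts posting data outward, can be illustrated with a small Python script. This is an added example, not code from the article or from Darktrace’s product; the proxy-log format, host names, and the benign and unrelated external addresses are constructed assumptions, and only the three Lumma indicators come from the text.

```python
import ipaddress
from collections import defaultdict

# Static indicators quoted in the article. They catch this specific
# Lumma build, but nothing else; the behavioural rule below is what
# generalises to the next stealer with a different URI and user agent.
LUMMA_URI = "/c2sock"
LUMMA_UA = "TeslaBrowser/5.5"
LUMMA_C2_IPS = {"82.117.255.127"}  # defanged in the article as 82.117.255[.]127

# Constructed proxy log (assumption, not from the article). Fields are
# space-separated: time host method dest:port uri user-agent bytes_sent.
# User agents are kept free of spaces so the toy parser stays simple.
SAMPLE_LOG = """\
2023-03-01T09:00:01 ws-0421 GET 93.184.216.34:443 / Mozilla/5.0 512
2023-03-01T09:00:07 ws-0421 POST 93.184.216.34:443 /upload Mozilla/5.0 2048
2023-03-01T09:12:30 ws-0421 POST 82.117.255.127:80 /c2sock TeslaBrowser/5.5 48211
2023-03-01T09:13:02 ws-0818 GET 93.184.216.34:443 / Mozilla/5.0 700
2023-03-01T09:14:45 ws-0818 POST 10.0.5.20:8443 /intranet/report PowerShell/7.3 3400
2023-03-01T09:20:11 ws-0818 POST 45.12.4.71:8080 /api/sync curl/7.88 9100
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, host, method, dest, uri, ua, sent = line.split()
    ip, _, port = dest.rpartition(":")
    return {"ts": ts, "host": host, "method": method, "ip": ip,
            "port": int(port), "uri": uri, "ua": ua, "sent": int(sent)}


def is_external(ip):
    """True for routable public addresses; RFC1918 and similar are internal."""
    return ipaddress.ip_address(ip).is_global


def ioc_matches(ev):
    """Return the static Lumma indicators this event matches, if any."""
    reasons = []
    if ev["uri"] == LUMMA_URI:
        reasons.append("uri=/c2sock")
    if ev["ua"] == LUMMA_UA:
        reasons.append("user agent TeslaBrowser/5.5")
    if ev["ip"] in LUMMA_C2_IPS:
        reasons.append("known Lumma C2 address")
    return reasons


def analyse(log_text):
    """Walk the log in order, learning each host's user agents as we go.

    An alert is raised when an event matches a static indicator, or when a
    host uses a user agent it has never used before to POST to an external
    address (the anomaly the article describes). Internal POSTs with a new
    user agent are learned but not alerted on.
    """
    seen_ua = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = ioc_matches(ev)
        first_seen = ev["ua"] not in seen_ua[ev["host"]]
        seen_ua[ev["host"]].add(ev["ua"])
        if first_seen and ev["method"] == "POST" and is_external(ev["ip"]):
            reasons.append(
                f"first-seen user agent {ev['ua']!r} on {ev['host']} "
                f"POSTing {ev['sent']} bytes to external {ev['ip']}")
        if reasons:
            alerts.append((ev["host"], ev["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for host, ts, reasons in analyse(SAMPLE_LOG):
        print(f"{ts} {host}: " + "; ".join(reasons))
```

Run on the sample, the script raises two alerts: the ws-0421 POST to the C2 address matches all three static indicators and the behavioural rule, while the ws-0818 POST with a never-seen `curl` user agent to an outside address is caught by the behavioural rule alone, which is the point the article makes about not relying solely on fixed IoCs. The internal PowerShell POST is learned silently. In a real deployment the per-host user-agent baseline would be persisted and seeded from historical traffic rather than built from the same window being analysed.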
In another instance, a single device was found making malicious external connections not only linked to Lumma’s command-and-control servers but also associated with other well-known malware families such as Laplas Clipper, Raccoon Stealer, Vidar, RedLine, and other info-stealers and trojans. These strains, often distributed through Malware-as-a-Service (MaaS) models, are accessible at low cost, making them attractive even to less experienced cybercriminals.
It is also suspected that the developers behind these malware variants are actively working to incorporate their tools into the operations of traffic teams—organized cybercriminal groups that specialize in large-scale credential theft using info-stealers.
Conclusion
Reflecting the broader surge in the use of information stealers across the cyber threat landscape, Lumma remains a pressing threat to both organizations and individuals.
As another example of Malware-as-a-Service (MaaS), Lumma is easily accessible to attackers, regardless of their technical skill level. This accessibility increases the likelihood of widespread incidents. To combat this, organizations need to implement dynamic security strategies capable of detecting abnormal behavior that could signal an info-stealer intrusion—rather than relying solely on fixed indicators of compromise (IoCs).
Darktrace’s behavior-based detection approach played a critical role in identifying Lumma infections across various industries and regions. By recognizing abnormal connections to command-and-control infrastructure and tracking the full data exfiltration process, Darktrace equipped affected organizations with the visibility needed to pinpoint compromised systems, respond effectively, and mitigate the potential for extensive financial and data loss.