Behind the Attack: LUMMA Malware

Cyber Security Threat Summary:
Researchers at Perception Point recently unveiled a sophisticated malware attack aimed at bypassing threat detection systems. The attack involves impersonating a financial services company via a fake invoice email. The email includes a button that leads to an unavailable website which urges users to visit a seemingly legitimate link for the invoice. The clever evasion tactic involves two links: one leading to an error page and the other to a seemingly safe website. However, clicking the latter triggers a chain leading to the download of a JavaScript file containing malicious payloads. The malware executes three suspicious processes from atypical locations “1741[.]exe” from the temporary folder, “RegSvcs[.]exe” from the Microsoft.NET framework folder, and “wmpnscfg[.]exe” from the Windows Media Player folder. They’re launched with deliberate parent processes and specific Process IDs to obfuscate malicious activities.

Security Officer Comments:
The attack deploys Lumma, an Infostealer malware notorious for its data theft capabilities, written in C. This malware operates within a Malware-as-a-Service framework, allowing cybercriminals to access and utilize its malicious functionalities easily. Lumma’s infiltration underscores the prevalence of sophisticated Malware-as-a-Service models in today’s threat landscape.

Suggested Correction(s):

This event emphasizes how threat actors are adapting their tactics and emphasizes the importance for organizations to assess the effectiveness of their security systems. Researcher recommend employing advanced threat protection technologies, ongoing monitoring and a multi-layered security strategy to efficiently detect malware attacks and counter complex cyber threats.