FBI and Europol Successfully Disrupt Lumma Stealer Malware Network Associated with 10 Million Infections


A global collaborative operation led by law enforcement agencies and private cybersecurity firms has effectively disrupted the online infrastructure associated with the Lumma (also known as LummaC or LummaC2) information stealer. This initiative resulted in the seizure of approximately 2,300 domains that functioned as the command-and-control (C2) backbone for managing infected Windows systems.

LummaC2 is primarily designed to extract sensitive information, including the login credentials of millions of victims, which in turn enables fraudulent activities such as unauthorized bank transfers and cryptocurrency theft, according to a statement from the U.S. Department of Justice (DoJ).

The dismantled infrastructure had been utilized to target millions globally, operating through a network of affiliates and other cybercriminals. Active since late 2022, the Lumma Stealer is estimated to have engaged in around 1.7 million instances of data theft, compromising browser information, autofill data, login credentials, and cryptocurrency seed phrases. The U.S. Federal Bureau of Investigation (FBI) has reported approximately 10 million infections attributed to the Lumma threat.

Among the significant outcomes of the seizure is the disabling of five key domains that served as login interfaces for Lumma Stealer's administrators and customers, cutting off their ability to manage and further compromise affected systems.

During a targeted timeframe from March 16 to May 16, 2023, Microsoft identified over 394,000 Windows computers globally as infected by the Lumma malware. Europol described the operation as a crucial measure to sever the communication links between the malware and its victimized targets, branding Lumma as the “world’s most significant infostealer threat.”

The Digital Crimes Unit (DCU) of Microsoft, in collaboration with various cybersecurity partners including ESET, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, undertook the takedown of these malicious domains that formed the backbone of Lumma’s operational framework.

The development of the Lumma malware, attributed to a primary developer operating under the alias “Shamel,” underscores a disturbing trend in cybercrime. This developer offers tiered malware services via online platforms, which allow criminals to create custom versions of the malware, enlist tools for obfuscation and distribution, and monitor stolen data through a centralized portal.

The Lumma Stealer operates under a malware-as-a-service (MaaS) model, with subscription prices ranging from $250 to $1,000, and a premium plan costing $20,000 that gives buyers access to the source code and resale rights. Lower-tier packages offer basic functionality, while higher tiers add options for advanced data collection and enhanced evasion tools.

Lumma has gained notoriety due to its various distribution methods, including the exploitation of the ClickFix technique. Microsoft, tracking the operators under the name Storm-2477, noted that their distribution setup is dynamic, incorporating a combination of phishing, malvertising, and drive-by download schemes, as well as exploiting trusted platforms.

Recent intelligence suggests that suspected Russian cybercriminals are using cloud storage services to host deceptive reCAPTCHA pages, which are then used in ClickFix-style lures to trick users into inadvertently downloading the Lumma Stealer. These evolving tactics represent a significant advancement in the operators' methods, aimed at evading detection and at targeting more technically skilled individuals.

Key characteristics of the Lumma malware include:

– A multi-tiered C2 infrastructure comprising nine frequently changing tier-1 domains, with fallback options hosted on a variety of platforms.
– Payload distribution via pay-per-install networks or traffic sellers offering installs-as-a-service.
– Bundling with counterfeit software or cracked versions of popular applications to mislead users seeking free access.
– A dedicated marketplace on Telegram, facilitating the sale of stolen data directly between criminals.
– Advanced obfuscation techniques protecting the core binary, making static analysis by security researchers significantly more difficult.
– More than 21,000 marketplace listings for Lumma Stealer logs across cybercriminal forums, reflecting a rising trend in illicit activity.

Microsoft acknowledges the adaptability of the Lumma Stealer distribution network, noting continual refinement in methods and the use of legitimate cloud services to obscure malicious domains, further complicating investigative efforts.

This ongoing evolution within cybercrime underscores the critical need for stronger security measures and collaborative efforts within the cybersecurity community to mitigate such threats and protect sensitive information. The developer of Lumma has hinted at intentions to cease operations in the near future, illustrating the complicated and contradictory role that pride plays within the underground malware community.