Blog
/

Inside the SOC

/
September 6, 2023

The Rise of the Lumma Info-Stealer | Malware-as-a-Service

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
06
Sep 2023
The emergence of Lumma Stealer, an information stealer that has recently been observed across the Darktrace fleet. Learn more about this new threat!

What are Malware-as-a-Service information stealers?

The Malware-as-a-Service (MaaS) model continues provide would-be threat actors with an inexpensive and relatively straightforward way to carry out sophisticated cyber attacks and achieve their nefarious goals. One common type of MaaS are information stealers that specialize in gathering and exfiltrating sensitive data, such as login credentials and bank details, from affected devices, potentially resulting in significant financial losses for organizations and individuals alike.

What is Lumma Information Stealer?

One such information stealer, dubbed “Lumma”, has been advertised and sold on numerous dark web forums since 2022. Lumma stealer primarily targets cryptocurrency wallets, browser extensions and two-factor authentication (2FA), before ultimately stealing sensitive information from compromised machines. The number of sightings of this malware being distributed on dark web forums is on the rise [1], and thus far, more than a dozen command-and-control (C2) servers have been observed in the wild.

Between January and April 2023, Darktrace observed and investigated multiple instances of Lumma stealer activity across the customer base. Thanks to its anomaly-based approach to threat detection, Darktrace / NETWORK is able to successfully identify and provide visibility over activity associated with such info-stealers, from C2 activity through to the eventual exfiltration of sensitive data.

Lumma Stealer Background

Lumma stealer, previously known as LummaC2, is a subscription-based information stealer that has been observed in the wild since 2022.

It is believed to have been developed by the threat actor “Shamel”, under the the alias “Lumma”. The info-stealer has been advertised on dark web forums and also a channel on the Telegram messenger server, which boasts over a thousand subscribers as of May 2023 [2], and is also available on Lumma’s official seller page for as little as USD 250 (Figure 1).

LummaC2’s official seller website
Figure 1: LummaC2’s official seller website [3].

Research on the Russian Market selling stolen credentials has shown that Lumma stealer has been an emerging since early 2023, and joins the list of info stealers that have been on the rise, including Vidar and Racoon [1].

Similar to other info-stealers, Lumma is able to obtain system and installed program data from compromised devices, alongside sensitive information such as cookies, usernames and passwords, credit card numbers, connection history, and cryptocurrency wallet data.

Between January and April 2023, Darktrace has observed Lumma malware activity across multiple customer deployments mostly in the EMEA region, but also in the US. This included data exfiltration to external endpoints related to the Lumma malware. It is likely that this activity resulted from the download of trojanized software files or users falling victim to malicious emails containing Lumma payloads.

Lumma Attack Details and Darktrace Coverage

Typically, Lumma has been distributed disguised as cracked or fake popular software like VLC or ChatGPT. Recently though, threat actors have also delivered the malware through emails containing payloads in the form of attachments or links impersonating well-known companies. For example, in February 2023, a streamer in South Korea was targeted with a spear-phishing email in which the sender impersonated the video game company Bandai Namco [4].

Lumma is known to target Windows operating systems from Windows 7 to 11 and at least 10 different browsers including Google Chrome, Microsoft Edge, and Mozilla Firefox [5]. It has also been observed targeting crypto wallets like Binance and Ethereum, as well as crypto wallet and 2FA browser extensions like Metamask and Authenticator respectively [6]. Data from applications such as AnyDesk or KeePass can also be exfiltrated by the malware [7].

An infection with Lumma can lead to the user's information being abused for fraud, for example, using stolen credentials to hijack bank accounts, which in turn could result in significant financial losses.

Once the targeted data is obtained, it is exfiltrated to a C2 server, as Darktrace has observed on multiple customer environments affected with Lumma stealer. Darktrace identified multiple infected devices exfiltrating data via HTTP POST requests to known Lumma C2 servers. During these connections, Darktrace commonly observed the URI “/c2sock” and the user agent “TeslaBrowser/5.5”.

In one instance, Darktrace detected a device using the “TeslaBrowser/5.5” user agent, which it recognized as a new user agent for this device, whilst making a HTTP post request to an unusual IP address, 82.117.255[.]127 (Figure 3). Darktrace’s Self-Learning AI understood that this represented a deviation from expected behavior for this device and brought it to the attention of the customer’s security team.

Device Event Log on the Darktrace Threat Visualizer showing activity from a device infected with Lumma stealer and the models it breached.
Figure 2: Device Event Log on the Darktrace Threat Visualizer showing activity from a device infected with Lumma stealer and the models it breached.

Further investigation revealed that accessing the IP address using a web browser and changing the the URI to “/login”, would take a user to a Russian Lumma control panel access page (Figure 4)

 One of Lumma stealer’s C2 servers accessed via a web browser in a secured environment.
Figure 3: One of Lumma stealer’s C2 servers accessed via a web browser in a secured environment.

A deep dive into the packet captures (PCAP) of the HTTP POST requests taken from one device also confirmed that browser data, including Google Chrome history files, system information in the form of a System.txt file, and other program data such as AnyDesk configuration files were being exfiltrated from the customer’s network(Figures 5 and 6).

HTTP objects observed during Lumma Stealer POSTing of data to another one of its  C2 servers.
Figure 4: HTTP objects observed during Lumma Stealer POSTing of data to another one of its  C2 servers.
PCAP of HTTP stream showing the different types of data being exfiltrated.
Figure 5: PCAP of HTTP stream showing the different types of data being exfiltrated.

Additionally, on one particular device, Darktrace observed malicious external connections related to other malware strains, like Laplas Clipper, Raccoon Stealer, Vidar, RedLine info-stealers and trojans, around the same time as the Lumma C2 connections. These info-stealers are commonly marketed as MaaS and can be bought and used for a relatively inexpensive price by even the most inexperienced threat actors. It is also likely that the developers of these info-stealers have been making efforts to integrate their strains into the activities of traffer teams [8], organized cybercrime groups who specialize in credential theft with the use of info-stealers.

Conclusion

Mirroring the general emergence and rise of information stealers across the cyber threat landscape, Lumma stealer continues to represent a significant concern to orgaizations and individuals alike.

Moreover, as yet another example of MaaS, Lumma is readily available for threat actors to launch their attacks, regardless of their level of expertise, meaning the number of incidents is only likely to rise. As such, it is essential for organizations to have security measures in place that are able to recognize unusual behavior that may be indicative of an info-stealer compromise, while not relying on a static list of indicators of compromise (IoCs).

Darktrace's anomaly-based detection enabled it to uncover the presence of Lumma across multiple customer environments across different regions and industries. From the detection of unusual connections to C2 infrastructure to the ultimate exfiltration of customer data, Darktrace provided affected customers full visibility over Lumma infections, allowing them to identify compromised devices and take action to prevent further data loss and reduce the risk of incurring significant financial losses.

Insights from Darktrace’s First 6: Half-year threat report for 2024

First 6: half year threat report darktrace screenshot

Darktrace’s First 6: Half-Year Threat Report 2024 highlights the latest attack trends and key threats observed by the Darktrace Threat Research team in the first six months of 2024.

  • Focuses on anomaly detection and behavioral analysis to identify threats
  • Maps mitigated cases to known, publicly attributed threats for deeper context
  • Offers guidance on improving security posture to defend against persistent threats

Appendices

Credit to: Emily Megan Lim, Cyber Security Analyst, Signe Zaharka, Senior Cyber Security Analyst

Darktrace DETECT Models

·      Anomalous Connection / New User Agent to IP Without Hostname  

·      Device / New User Agent and New IP

·      Device / New User Agent

·      Anomalous Connection / Posting HTTP to IP Without Hostname

Cyber AI Analyst Incidents

·      Possible HTTP Command and Control

·      Possible HTTP Command and Control to Multiple Endpoints

List of IoCs

IoC - Type - Description + Confidence

144.76.173[.]247

IP address

Lumma C2 Infrastructure

45.9.74[.]78

IP address

Lumma C2 Infrastructure

77.73.134[.]68

IP address

Lumma C2 Infrastructure

82.117.255[.]127

IP address

Lumma C2 Infrastructure

82.117.255[.]80

IP address

Lumma C2 Infrastructure

82.118.23[.]50

IP address

Lumma C2 Infrastructure

/c2sock

URI

Lumma C2 POST Request

TeslaBrowser/5.5

User agent

Lumma C2 POST Request

MITRE ATT&CK Mapping

Tactic: Command and Control -

Technique: T1071.001 – Web Protocols

References

[1] https://www.kelacyber.com/wp-content/uploads/2023/05/KELA_Research_Infostealers_2023_full-report.pdf

[2] https://www.bleepingcomputer.com/news/security/the-new-info-stealing-malware-operations-to-watch-out-for/

[3] https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/

[4] https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7

[5] https://socradar.io/malware-analysis-lummac2-stealer/

[6] https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer

[7] https://asec.ahnlab.com/en/50594/

[8] https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Emily Megan Lim
Cyber Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

January 28, 2025

/

Inside the SOC

Bytesize Security: Insider Threats in Google Workspace

Default blog imageDefault blog image

What is an insider threat?

An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.

Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.

For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.

Attack overview: Insider threat

In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.

While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.

A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.

Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.

In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.

Conclusion

Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.

Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.

Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File

References

[1]https://www.adobe.com/creativecloud/file-types/image/vector/indd-file.html

MITRE ATT&CK Mapping

Technqiue – Tactic – ID

Data from Cloud Storage Object – COLLECTION -T1530

Continue reading
About the author
Vivek Rajan
Cyber Analyst

Blog

/

January 28, 2025

/
No items found.

Reimagining Your SOC: How to Achieve Proactive Network Security

Default blog imageDefault blog image

Introduction: Challenges and solutions to SOC efficiency

For Security Operation Centers (SOCs), reliance on signature or rule-based tools – solutions that are always chasing the latest update to prevent only what is already known – creates an excess of false positives. SOC analysts are therefore overwhelmed by a high volume of context-lacking alerts, with human analysts able to address only about 10% due to time and resource constraints. This forces many teams to accept the risks of addressing only a fraction of the alerts while novel threats go completely missed.

74% of practitioners are already grappling with the impact of an AI-powered threat landscape, which amplifies challenges like tool sprawl, alert fatigue, and burnout. Thus, achieving a resilient network, where SOC teams can spend most of their time getting proactive and stopping threats before they occur, feels like an unrealistic goal as attacks are growing more frequent.

Despite advancements in security technology (advanced detection systems with AI, XDR tools, SIEM aggregators, etc...), practitioners are still facing the same issues of inefficiency in their SOC, stopping them from becoming proactive. How can they select security solutions that help them achieve a proactive state without dedicating more human hours and resources to managing and triaging alerts, tuning rules, investigating false positives, and creating reports?

To overcome these obstacles, organizations must leverage security technology that is able to augment and support their teams. This can happen in the following ways:

  1. Full visibility across the modern network expanding into hybrid environments
  2. Have tools that identifies and stops novel threats autonomously, without causing downtime
  3. Apply AI-led analysis to reduce time spent on manual triage and investigation

Your current solutions might be holding you back

Traditional cybersecurity point solutions are reliant on using global threat intelligence to pattern match, determine signatures, and consequently are chasing the latest update to prevent only what is known. This means that unknown threats will evade detection until a patient zero is identified. This legacy approach to threat detection means that at least one organization needs to be ‘patient zero’, or the first victim of a novel attack before it is formally identified.

Even the point solutions that claim to use AI to enhance threat detection rely on a combination of supervised machine learning, deep learning, and transformers to

train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized dataset gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.

While using AI in this way reduces the workload of security teams who would traditionally input this data by hand, it emanates the same risk – namely, that AI systems trained on known threats cannot deal with the threats of tomorrow. Ultimately, it is the unknown threats that bring down an organization.

The promise and pitfalls of XDR in today's threat landscape

Enter Extended Detection and Response (XDR): a platform approach aimed at unifying threat detection across the digital environment. XDR was developed to address the limitations of traditional, fragmented tools by stitching together data across domains, providing SOC teams with a more cohesive, enterprise-wide view of threats. This unified approach allows for improved detection of suspicious activities that might otherwise be missed in siloed systems.

However, XDR solutions still face key challenges: they often depend heavily on human validation, which can aggravate the already alarmingly high alert fatigue security analysts experience, and they remain largely reactive, focusing on detecting and responding to threats rather than helping prevent them. Additionally, XDR frequently lacks full domain coverage, relying on EDR as a foundation and are insufficient in providing native NDR capabilities and visibility, leaving critical gaps that attackers can exploit. This is reflected in the current security market, with 57% of organizations reporting that they plan to integrate network security products into their current XDR toolset[1].

Why settling is risky and how to unlock SOC efficiency

The result of these shortcomings within the security solutions market is an acceptance of inevitable risk. From false positives driving the barrage of alerts, to the siloed tooling that requires manual integration, and the lack of multi-domain visibility requiring human intervention for business context, security teams have accepted that not all alerts can be triaged or investigated.

While prioritization and processes have improved, the SOC is operating under a model that is overrun with alerts that lack context, meaning that not all of them can be investigated because there is simply too much for humans to parse through. Thus, teams accept the risk of leaving many alerts uninvestigated, rather than finding a solution to eliminate that risk altogether.

Darktrace / NETWORK is designed for your Security Operations Center to eliminate alert triage with AI-led investigations , and rapidly detect and respond to known and unknown threats. This includes the ability to scale into other environments in your infrastructure including cloud, OT, and more.

Beyond global threat intelligence: Self-Learning AI enables novel threat detection & response

Darktrace does not rely on known malware signatures, external threat intelligence, historical attack data, nor does it rely on threat trained machine learning to identify threats.

Darktrace’s unique Self-learning AI deeply understands your business environment by analyzing trillions of real-time events that understands your normal ‘pattern of life’, unique to your business. By connecting isolated incidents across your business, including third party alerts and telemetry, Darktrace / NETWORK uses anomaly chains to identify deviations from normal activity.

The benefit to this is that when we are not predefining what we are looking for, we can spot new threats, allowing end users to identify both known threats and subtle, never-before-seen indicators of malicious activity that traditional solutions may miss if they are only looking at historical attack data.

AI-led investigations empower your SOC to prioritize what matters

Anomaly detection is often criticized for yielding high false positives, as it flags deviations from expected patterns that may not necessarily indicate a real threat or issues. However, Darktrace applies an investigation engine to automate alert triage and address alert fatigue.

Darktrace’s Cyber AI Analyst revolutionizes security operations by conducting continuous, full investigations across Darktrace and third-party alerts, transforming the alert triage process. Instead of addressing only a fraction of the thousands of daily alerts, Cyber AI Analyst automatically investigates every relevant alert, freeing up your team to focus on high-priority incidents and close security gaps.

Powered by advanced machine-learning techniques, including unsupervised learning, models trained by expert analysts, and tailored security language models, Cyber AI Analyst emulates human investigation skills, testing hypotheses, analyzing data, and drawing conclusions. According to Darktrace Internal Research, Cyber AI Analyst typically provides a SOC with up to  50,000 additional hours of Level 2 analysis and written reporting annually, enriching security operations by producing high level incident alerts with full details so that human analysts can focus on Level 3 tasks.

Containing threats with Autonomous Response

Simply quarantining a device is rarely the best course of action - organizations need to be able to maintain normal operations in the face of threats and choose the right course of action. Different organizations also require tailored response functions because they have different standards and protocols across a variety of unique devices. Ultimately, a ‘one size fits all’ approach to automated response actions puts organizations at risk of disrupting business operations.

Darktrace’s Autonomous Response tailors its actions to contain abnormal behavior across users and digital assets by understanding what is normal and stopping only what is not. Unlike blanket quarantines, it delivers a bespoke approach, blocking malicious activities that deviate from regular patterns while ensuring legitimate business operations remain uninterrupted.

Darktrace offers fully customizable response actions, seamlessly integrating with your workflows through hundreds of native integrations and an open API. It eliminates the need for costly development, natively disarming threats in seconds while extending capabilities with third-party tools like firewalls, EDR, SOAR, and ITSM solutions.

Unlocking a proactive state of security

Securing the network isn’t just about responding to incidents — it’s about being proactive, adaptive, and prepared for the unexpected. The NIST Cybersecurity Framework (CSF 2.0) emphasizes this by highlighting the need for focused risk management, continuous incident response (IR) refinement, and seamless integration of these processes with your detection and response capabilities.

Despite advancements in security technology, achieving a proactive posture is still a challenge to overcome because SOC teams face inefficiencies from reliance on pattern-matching tools, which generate excessive false positives and leave many alerts unaddressed, while novel threats go undetected. If SOC teams are spending all their time investigating alerts then there is no time spent getting ahead of attacks.

Achieving proactive network resilience — a state where organizations can confidently address challenges at every stage of their security posture — requires strategically aligned solutions that work seamlessly together across the attack lifecycle.

References

1.       Market Guide for Extended Detection and Response, Gartner, 17thAugust 2023 - ID G00761828

Continue reading
About the author
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Your data. Our AI.
Elevate your network security with Darktrace AI