Threat behavior
The infection chain often begins when a user visits a compromised or malicious website hosting a fake Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). Instead of a real test, the page instructs the victim to press Win+R and paste a command that the page has already placed on their clipboard. This command typically uses the legitimate Windows utility mshta.exe to launch a remote JavaScript file disguised as a media file.
This script initiates a multi-stage process:
- A PowerShell script is commonly downloaded, which retrieves a ZIP archive from a content delivery network (CDN) like https://win15.b-cdn[.]net/win15[.]zip.
- The contents are extracted into a hidden directory within %AppData%, such as %AppData%\7oCDTWYu\.
- The extracted binary, often named Set-up.exe, is then executed.
- To achieve persistence, the malware modifies the Windows Registry, creating a new entry in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with a random name that points to the path of the malicious binary.
- It also alters Internet Settings registry keys, changing ZoneMap\UNCAsIntranet from 1 to 0 and ZoneMap\AutoDetect from 0 to 1, to lower security zones for network shares.
The malware employs advanced evasion techniques like process hollowing, injecting its payload into legitimate system processes such as msbuild.exe, regasm.exe, or explorer.exe to mask its activity. It scans the device for specific data, targeting web browsers, cryptocurrency wallet files like MetaMask and Exodus, plus all documents containing keywords like "wallet" or "password." Exfiltrated data is sent to command-and-control (C2) servers via HTTPS POST requests.
LummaStealer then communicates with hardcoded domains, many using the .shop TLD like futureddospzmvq[.]shop and writerospzm[.]shop, which are often obfuscated and hidden behind Cloudflare proxies. Known C2 server IPs include 82.117.255[.]127 and 77.73.134[.]68. A consistent indicator is the use of the unique user agent TeslaBrowser/5.5 for these communications. If these primary C2s are unreachable, the malware has fallback mechanisms, including retrieving new domain instructions from pre-defined Telegram channels or even decoding them from specific Steam profile names.
Files dropped by LummaStealer:
- %Windows%\PatriciaPlaylist
- %Windows%\BlackberrySystems
- %UserTemp%\Graham
- %UserTemp%\Massachusetts
- %UserTemp%\599044\k
It modifies the following registry keys:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet (value set to 0)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect (value set to 1)
It launches or injects into the following legitimate processes:
- explorer.exe
- regasm.exe
- msbuild.exe
- mshta.exe
Communicates with the following hosts:
- 82[.]117[.]255[.]127
- 77[.]73[.]134[.]68
- 144[.]76[.]173[.]247
Accesses or downloads from the following domains:
- futureddospzmvq[.]shop
- writerospzm[.]shop
Prevention
To minimize exposure to Trojan:JS/LummaStealer, Microsoft recommends best practices such as:
- Use application allowlist or restriction policies to block binary files from running in high-risk locations, such as the %AppData% and %Temp% directories, which are commonly used during the infection chain.
- Block Microsoft Office apps from launching binary content.
- Prevent scripts like JavaScript, PowerShell and HTA from initiating downloaded payloads without explicit authorization.
- Conduct regular training sessions to teach users how to identify sophisticated social engineering tricks, specifically fake CAPTCHA pages and phishing emails.
- Establish a clear policy: employees should never copy and execute commands from an untrusted website or pop-up window.
- Maintain a consistent program to apply security updates for all operating systems, browsers, and commonly targeted apps to eliminate known vulnerabilities.
- Monitor outbound network traffic for connections to newly registered or suspicious domains, particularly those using the .shop top-level domain (TLD).
- Investigate any HTTPS traffic using the unique TeslaBrowser/5.5 user agent string, a known indicator of LummaStealer command-and-control communication.
- Adhere to the principle of least privilege by ensuring users do not have administrative rights on their local workstations, preventing the execution of system-level changes by malware.
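The network monitoring advice above (the TeslaBrowser/5.5 user agent, .shop domains and the listed C2 hosts) can be turned into a simple triage pass over proxy logs. The script below is an added example, not Microsoft's tooling; it assumes a hypothetical one-line-per-request proxy log format of `timestamp client method host "user-agent"`, and the sample lines are constructed.

```python
import re

# Indicators taken from the page above (defanging brackets removed so they match real logs).
C2_IPS = {"82.117.255.127", "77.73.134.68", "144.76.173.247"}
C2_DOMAINS = {"futureddospzmvq.shop", "writerospzm.shop"}
C2_USER_AGENT = "TeslaBrowser/5.5"
SUSPICIOUS_TLDS = (".shop",)

# Assumed (hypothetical) proxy log layout: <timestamp> <client> <method> <host[:port]> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def normalize_host(raw: str) -> str:
    """Lower-case the host, undo '[.]' defanging and drop a trailing :port."""
    host = raw.lower().replace("[.]", ".")
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def triage_line(line: str) -> list[str]:
    """Return the LummaStealer C2 indicators matched by one log line (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable lines are skipped, not flagged
    host = normalize_host(m.group("host"))
    reasons = []
    if m.group("ua") == C2_USER_AGENT:
        reasons.append("user-agent TeslaBrowser/5.5")
    if host in C2_DOMAINS:
        reasons.append(f"known C2 domain {host}")
    elif host in C2_IPS:
        reasons.append(f"known C2 IP {host}")
    elif host.endswith(SUSPICIOUS_TLDS):
        reasons.append(f"suspicious TLD on {host}")  # newly seen .shop domains warrant a look
    return reasons


def triage(lines) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every line that matched at least one indicator."""
    return [(ln, r) for ln in lines if (r := triage_line(ln))]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z 10.0.0.5 POST futureddospzmvq.shop "TeslaBrowser/5.5"',
    '2024-01-01T10:00:05Z 10.0.0.5 POST 82.117.255.127 "TeslaBrowser/5.5"',
    '2024-01-01T10:01:00Z 10.0.0.7 GET example.com "Mozilla/5.0"',
    '2024-01-01T10:02:00Z 10.0.0.8 GET shopping.example "Mozilla/5.0"',
    '2024-01-01T10:03:00Z 10.0.0.9 POST newly-seen.shop:443 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {', '.join(reasons)}")
```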
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.