Law enforcement seizes infrastructure distributing popular Lumma Stealer malware
More good news for defenders -- although crooks have shown they can rebuild
International law enforcement agencies and Microsoft have knocked out the IT infrastructure that distributed the Lumma Stealer, a malware-as-a-service tool used by threat actors for stealing passwords, credit cards, bank accounts, and cryptocurrency wallets from infected computers.
The assault came in three waves:
—with a court order Microsoft’s Digital Crimes Unit seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure;
—the U.S. Department of Justice (DOJ) simultaneously seized the central command structure for Lumma — used by subscribers to download the malware — and disrupted the marketplaces where the tool was sold to other cybercriminals;
—and Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) facilitated the suspension of locally-based Lumma infrastructure.
Seized domains will be redirected to Microsoft sinkholes, so infected machines that try to check in no longer reach a working command-and-control server, and the sinkhole traffic gives defenders visibility into which hosts are still infected.
Microsoft telemetry identified over 394,000 Windows computers globally that were infected with Lumma. Lumma is easy to distribute, difficult to detect, and can be configured to bypass certain security defenses, Microsoft said, making it a go-to tool for cybercriminals and online threat actors, including prolific ransomware actors.
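Once seized domains are sinkholed, the most useful thing a defender can do with the takedown is to look for hosts on their own network that queried those domains: any machine still beaconing to them is a candidate for stealer infection and credential reset. The following is an added illustration of that check, not code from Microsoft, the DOJ, or the Lumma operators. The domain list and DNS log lines are constructed for the example (the `.invalid` names stand in for whatever indicators the takedown publishes); a real run would load the published seized-domain list and your resolver's query log.

```python
"""Flag hosts whose DNS queries hit domains seized in a takedown.

Added example; not Microsoft's or law enforcement's tooling. The domain
list and log lines are constructed so the script runs offline.
"""
from collections import defaultdict
import re

# Constructed, hypothetical indicator list: stand-ins, not the real Lumma domains.
SEIZED_DOMAINS = {
    "example-panel.invalid",
    "cdn-update.invalid",
}

# Constructed sample of resolver query-log lines (one query per line).
SAMPLE_LOG = """\
2025-05-22T09:14:03Z client 10.0.4.17 query: api.example-panel.invalid A
2025-05-22T09:14:05Z client 10.0.4.17 query: www.microsoft.com A
2025-05-22T09:15:41Z client 10.0.7.88 query: cdn-update.invalid A
2025-05-22T09:16:02Z client 10.0.9.3 query: notexample-panel.invalid A
2025-05-22T09:17:30Z client 10.0.4.17 query: cdn-update.invalid AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def matches_seized(qname, seized=SEIZED_DOMAINS):
    """True if qname is a seized domain or a subdomain of one.

    Matching on label boundaries keeps 'notexample-panel.invalid' from being
    mistaken for 'example-panel.invalid'; a naive substring check would flag it.
    """
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in seized)


def find_infected_hosts(log_text, seized=SEIZED_DOMAINS):
    """Return {client_ip: [(timestamp, qname), ...]} for every client that
    queried seized infrastructure. Those queries now land on the sinkhole, so
    each listed host should be triaged as a likely stealer victim."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        if matches_seized(m["qname"], seized):
            hits[m["client"]].append((m["ts"], m["qname"]))
    return dict(hits)


if __name__ == "__main__":
    for host, queries in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(host, len(queries), "queries to seized domains")
```

The boundary-aware match matters in practice: takedown indicator lists are often applied as substring searches over logs, which produces false positives on unrelated domains that merely contain a seized name. Treat each flagged host as a credential-theft incident, not just a malware cleanup, since the stealer's whole purpose is to exfiltrate saved passwords, cookies, and wallet data before it is noticed.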
The operators of Lumma Stealer tried to respond when the Justice Department seized two domains on Monday. The next day Lumma administrators told their subscribers about three new domains they had set up to host the user panel; the U.S. promptly seized those three domains as well.
Typically, threat actors using Lumma create phishing lures that impersonate brands (for example, a gang recently ran a scam claiming to be about hotel bookings for Booking.com) and embed a link that delivers Lumma Stealer, in the hope that victims will click it. Once a machine is infected, the malware harvests sensitive data from it, including login credentials.
Microsoft calls the group behind Lumma Stealer Storm-2477. Under its naming convention, the "Storm" prefix marks a temporary designation for an emerging activity cluster that Microsoft has not yet attributed to a named, established actor.
“This joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream,” Microsoft said in a blog.
“The co-ordinated takedown of Lumma Stealer’s infrastructure marks a pivotal moment in combating the proliferation of malware-as-a-service (MaaS) platforms,” said Ensar Seker, CISO at SOCRadar. “Lumma Stealer, also known as LummaC2, has been a formidable tool in the cybercriminal arsenal … Such actions not only disrupt the immediate threat but also send a clear message to cybercriminals about the increasing capabilities and resolve of global cybersecurity alliances. However, the resilience of such malware underscores the necessity for continuous vigilance. Lumma’s ability to adapt by employing phishing, malvertising, and exploiting trusted platforms highlights the evolving tactics of threat actors.
“While this takedown is a commendable achievement, it also serves as a reminder of the persistent and evolving nature of cyber threats. Ongoing collaboration between private sector entities and international law enforcement is essential to stay ahead.”