Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
On January 21, 2025, the eSentire Threat Response Unit (TRU) identified new changes made to Lumma Stealer involving the usage of the ChaCha20 cipher for config decryption and has created a python script available here to aid in extracting the new config format.
These changes provide insight into the evasive tactics employed by the developer(s) who are actively working to circumvent current extraction and analysis tools.
Lumma Stealer (aka LummaC2 Stealer) is an information stealer malware that operates as a Malware-as-a-Service (MaaS) sold primarily in underground Russian-speaking forums. Lumma Stealer is commonly delivered through the ClickFix initial access method, where end-users are socially engineered into copying and executing malicious PowerShell commands provided by the threat actor(s). While ClickFix is the most prevalent initial access method, other initial access techniques have also been observed.
In recent cases analyzed by TRU, the infection process begins when the victim visits a compromised website or landing page for ClickFix. The ClickFix page stores a malicious command in the victim’s clipboard and the victim is instructed to open a Run Prompt via the keyboard shortcut “Windows Key + R”, press the keyboard shortcut “Ctrl + V” (to paste in the copied command), and finally press the “Enter” key to execute the malicious command.
The next figure shows a truncated portion of the ChaCha20 subroutine that is now used by Lumma for config decryption. This routine is passed several parameters, including a structure containing the ChaCha20 magic (16 bytes), 32-byte key, 8-byte nonce, encrypted C2 data, and the size of the encrypted data.
Note that the 8-byte nonce is padded with four null bytes.
After unpacking the sample with SHA-256 7e286bb4491124116ba61ab0029b41862d502e4feee5420e0aa5ee4a29e722fa, and viewing it in a hex editor, we can see the 32-byte key and 8-byte nonce.
Note that this key and nonce differ from sample to sample.
eSentire's Lumma config decryption script can be found here. After running the script, the following C2 information was extracted:
What did we do?
- Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
- We communicated what happened with the customer and helped them with remediation efforts.
What can you learn from this TRU Positive?
- Lumma Stealer is a sophisticated information stealer that was recently updated to circumvent existing extraction and analysis systems.
- Blue teams can use the information included in this TRU Positive for tracking, extracting, and identifying Lumma campaigns and C2s.
Recommendations from the Threat Response Unit (TRU):
-
Disable the Run prompt via GPO:
- User Configuration > Administrative Templates > Start Menu and Taskbar > Enable “Remove Run menu from Start Menu”
-
Disable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
- C:\Windows\System32\WScript.exe
- C:\Windows\Syswow64\WScript.exe
- *:\Windows\System32\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
- *:\Windows\SysWOW64\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
-
Disable mshta.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
- C:\Windows\System32\mshta.exe
- C:\Windows\Syswow64\mshta.exe
- *:\Windows\System32\mshta.exe (* represents wildcard to include other drive letter rather than C drive)
- *:\Windows\SysWOW64\mshta.exe (* represents wildcard to include other drive letter rather than C drive)
- Employ email filtering and protection measures.
- Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.
- Implement a Phishing and Security Awareness Training (PSAT) program that educates your employees using real-world scenarios.
References
- https://www.esentire.com/security-advisories/lumma-stealer-clickfix-distribution
- https://www.esentire.com/blog/lummac2-malware-and-malicious-chrome-extension-delivered-via-dll-side-loading
- https://www.esentire.com/blog/the-case-of-lummac2-v4-0
To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.
GET STARTEDABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.