Microsoft’s long and patient hunt for the Lumma Stealer malware finally paid off big
Microsoft and international law enforcement have executed a court-approved operation to dismantle Lumma Stealer, a widespread info-stealing malware that had infected over 394,000 Windows computers worldwide, with most cases reported in Brazil, Europe, and the U.S.
Microsoft has been tracking Lumma Stealer since June 2023, and considered it a significant threat. The company collaborated with Brazilian and German authorities, as well as the FBI, in the action against the malware operators.
Lumma’s code is based on the Bodhinder malware, and is sold as a service (MaaS) model. This enables novice cybercriminals to deploy the malware without extensive coding knowledge. Microsoft observed that the malware is priced between $75 and $500, depending on the features accessed.
The malware targets numerous applications, including:
- Browsers: Chrome, Firefox, Opera, Edge, and Brave.
- Gaming platforms: Steam, Epic Games, and Discord.
- Communication apps: Telegram, WhatsApp.
- Password managers: KeePass
- Cryptocurrency wallets: Various desktop and mobile wallets
Microsoft said the malware attempts to evade detection by employing various tactics, including:
- Process injection into legitimate system processes.
- Direct Kernel Object Manipulation (DKOM) to hide malicious code.
- Encryption of configuration data.
The company detailed that they were able to disrupt the malware operations by analyzing the Lumma’s code and network traffic to identify and seize the command and control servers.
Microsoft and law enforcement have joined forces to dismantle Lumma, a widespread malware operation affecting over 394,000 Windows PCs worldwide, with a significant presence in Brazil, Europe, and the United States.
The collaborative effort resulted in a court-authorized action to seize 2,300 domains that acted as Lumma’s command and control servers, alongside five domains directly used by the operation. Microsoft initiated civil action to achieve this disruption, with support from the Justice Department, Brazilian, and German authorities, as well as the FBI.
Lumma is a password-stealing malware discovered on computers where users downloaded cracked games and applications. Upon infection, the malware harvests credentials, credit cards, and cryptocurrency wallets, subsequently selling this stolen information to cybercriminals. It also serves as a backdoor allowing hackers to deploy additional malware, even ransomware.
Microsoft has been tracking Lumma since June 2023, recognizing it as a considerable threat. The malware’s code is derived from Bodhinder and operates on a malware-as-a-service (MaaS) model, empowering less experienced cybercriminals to deploy it without deep coding expertise. Pricing ranges between $75 and $500, depending on the selected features.
The malware’s targets encompass a broad array of platforms and applications, including popular web browsers like Chrome, Firefox, Opera, Edge, and Brave, as well as gaming platforms such as Steam, Epic Games, and Discord. It also targets communication apps like Telegram and WhatsApp, password managers like KeePass, and various desktop and mobile cryptocurrency wallets.
To evade detection, Lumma employs a series of sophisticated techniques. These include process injection into legitimate system processes, Direct Kernel Object Manipulation (DKOM) to conceal malicious code, and encryption of configuration data.
Microsoft successfully disrupted the malware’s operations by thoroughly analyzing its code and network traffic, enabling the identification and seizure of its command and control servers.