
Lumma Stealer gains traction in India, USA through Telegram channels


Lumma Stealer, a potent information-stealing malware, has been leveraging Telegram to distribute its malicious payloads. This new tactic highlights a growing trend of attackers exploiting popular platforms to distribute malware in India, the US, and Europe, often bypassing traditional security measures.

Researchers identified Telegram channels offering seemingly benign software, such as cracked versions of popular applications, as vehicles for spreading Lumma Stealer. Two channels in particular, ‘hitbase’ and ‘sharmamod,’ were flagged by researchers from McAfee for their role in distributing this malware.

With tens of thousands of subscribers, these channels serve as a front for disseminating harmful files that, once downloaded, can compromise users’ sensitive data.

The malware is often disguised as legitimate software, including cracked versions of popular applications like CCleaner. Once downloaded, the file is usually a compressed RAR archive containing Microsoft DLL files along with a .NET executable disguised as a harmless program.

India is the country most heavily targeted by the Lumma Stealer malware distributed through Telegram, followed by the US and Europe. | Source: McAfee

In this instance, the malware contains encrypted data that, once decrypted, reveals further instructions for the attacker’s actions. The first stage of decryption exposes a process injection technique, allowing the malware to inject code into a legitimate process — RegAsm.exe, in this case.

This technique is often used to bypass detection, as it makes the malware appear as if it is part of a legitimate process.

As the malware’s layers unfold, researchers observed that it drops additional payloads into the victim’s system, including the Lumma Stealer and a Clipper — another malware designed to hijack cryptocurrency transactions.

Telegram channels distribute malicious APKs. | Source: McAfee

The Lumma Stealer specifically targets personal and financial data, collecting system information, wallet data, and other sensitive details. Using the ‘winhttp.dll’ library, Lumma Stealer communicates with command-and-control (C2) servers, exfiltrating the stolen data to remote locations for further exploitation.

What makes Lumma Stealer particularly insidious is its ability to obfuscate its communications, using techniques like Base64 encoding to mask the true nature of its connections. The malware even extracts information from Steam, a popular gaming platform, to hide its tracks, making detection harder for traditional antivirus solutions.

In addition to data theft, the second-stage payload, known as the ‘Clipper,’ hijacks cryptocurrency wallet addresses. The malware uses a clipboard monitoring function that scans for wallet addresses and replaces them with those controlled by the attacker. This method allows the malware to siphon off cryptocurrency without the victim’s knowledge, targeting users who store digital assets in their wallets.
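The clipboard-swap behaviour described above can be checked for from the defender's side. The following Python is an added example, not code from the article or from McAfee; it assumes a hypothetical clipboard monitor that records each clipboard change together with whether a user copy keystroke preceded it, and the events and wallet addresses below are constructed.

```python
import re
from dataclasses import dataclass

# Address shapes a clipper commonly rewrites (assumption: the article does not
# say which coins Lumma's Clipper handles, so these are illustrative).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[02-9ac-hj-np-z]{25,62}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def wallet_type(text):
    """Return the wallet-address kind the text looks like, or None."""
    for name, pat in WALLET_PATTERNS.items():
        if pat.fullmatch(text.strip()):
            return name
    return None


@dataclass
class ClipboardEvent:
    t_ms: int          # time of the clipboard change
    text: str          # new clipboard contents
    user_copied: bool  # True if the monitor saw a user copy action just before


def detect_clipper(events, max_gap_ms=500):
    """Flag a wallet address that is silently replaced by a different address.

    Heuristic: a clipper rewrites the clipboard programmatically, shortly after
    the user copies an address and without any user copy action of its own.
    Returns a list of (original, replaced) pairs.
    """
    alerts, prev = [], None
    for ev in events:
        if prev is not None and not ev.user_copied:
            if (wallet_type(prev.text) and wallet_type(ev.text)
                    and prev.text != ev.text
                    and ev.t_ms - prev.t_ms <= max_gap_ms):
                alerts.append((prev.text, ev.text))
        prev = ev
    return alerts


# Constructed sample: a victim's address rewritten 120 ms after being copied.
VICTIM_BTC = "1VictimWaLLet" + "A" * 20
ATTACKER_BTC = "1AttackerWaLLet" + "B" * 19
SAMPLE_EVENTS = [
    ClipboardEvent(0, "meeting notes for tuesday", True),
    ClipboardEvent(5_000, VICTIM_BTC, True),           # user copies own address
    ClipboardEvent(5_120, ATTACKER_BTC, False),        # silent swap -> alert
    ClipboardEvent(30_000, "0x" + "a1" * 20, True),    # user copies an ETH address
    ClipboardEvent(45_000, "0x" + "b2" * 20, True),    # user copies another one, no alert
    ClipboardEvent(60_000, "0x" + "c3" * 20, False),   # 15 s later, outside the window
]
```

Running `detect_clipper(SAMPLE_EVENTS)` flags only the first swap; the later ETH changes are either user-initiated or too far apart to match the heuristic.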

Telegram has been a popular tool for threat actors to distribute malware. For example, cyber crooks exploited a Telegram zero-day to spread malicious APKs.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
