infostealer malware Archives

Winsage

May 25, 2025

Windows Passwords Are Under Attack — Do These 7 Things Now

Microsoft Windows is a target for cybercriminals, particularly regarding password theft. Trend Micro has reported an increase in fraudulent Captcha attacks that trick users into executing malicious commands through the Windows Run dialog, leading to data theft and malware infections. These attacks utilize PowerShell and can deploy various malware types, including Lumma Stealer and AsyncRAT. Despite efforts to disrupt the Lumma Stealer network, threats persist, exploiting legitimate platforms. Microsoft recommends users adopt safer online practices and outlines seven mitigations for organizations: disable access to the Run dialog, apply least privilege, restrict access to unapproved tools, monitor unusual behavior, harden browser configurations, enable memory protection, and invest in user education.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Winsage

April 27, 2025

New Security Warning After 1 Billion Windows Users Told Do Not Delete

Microsoft's recent security update for Windows has raised concerns among users due to the introduction of a new vulnerability. The update, intended to address the CVE-2025-21204 vulnerability, inadvertently created a folder named inetpub, which Microsoft claims is essential for user protection. Security researcher Kevin Beaumont has warned that this update has introduced a denial of service vulnerability that allows non-admin users to halt future Windows security updates. Microsoft has classified the issue as moderate in severity and suggested that deleting the inetpub symlink and retrying the update may resolve the problem. The report has been forwarded to the Windows security team for potential further action.

Tech Optimizer

April 18, 2025

Breached Identities and Infostealers: One of the Largest Ongoing Data Leak in History

Breached identities due to infostealer malware are a significant threat to corporate information security in 2024. Infostealers are a type of remote access trojan that exfiltrate sensitive data, including saved credentials, session cookies, browser history, crypto wallet information, screen captures, and host data. Infections often stem from downloading cracked software, malicious advertising, fake Windows updates, and repackaged games. Infostealers do not require local administrative privileges, making them easy to execute. Threat actors primarily aim to profit from breached bank accounts and crypto wallets, often bypassing multi-factor authentication by targeting session cookies. They also seek credentials for subscription services and corporate access. Research shows that 90% of breached companies had leaked corporate credentials in a stealer log, with 78% experiencing leaks within six months of a breach. In comparison, 76% of similar companies without breaches had experienced a corporate stealer log compromise. The investigation identified high-criticality credentials from various corporate applications, indicating that a single user often has access to multiple credentials. The rise of infostealer malware represents a broad threat, encompassing a wide range of sensitive data. Organizations are advised to implement strategies such as restricting download privileges, avoiding illegal content, disabling macros, and regularly updating software to mitigate risks associated with infostealer malware.