The infection chain for this Lumma Stealer variant begins with a lure page linking to a password-protected 7-Zip archive, often disguised as cracked software. The archive contains a Nullsoft (NSIS) installer, and the initial infection relies on AutoIt scripts and NSIS self-extracting archives. A variant of the CypherIT crypter drops a batch file, which in turn assembles a malicious AutoIt script with embedded shellcode. That script decrypts and decompresses the Lumma Stealer payload and injects it into a suspended explorer.exe process via process hollowing; some instances also deliver a cryptocurrency-stealing "clipper" payload.
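As an added detection example (not code from the original write-up), the following Python walks constructed, Sysmon-style process-creation events and flags an explorer.exe whose ancestry contains both a batch file run by cmd.exe and an AutoIt interpreter, the parent chain the installer -> batch -> AutoIt -> explorer.exe sequence above produces. The image names, paths, PIDs and the stock interpreter name are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase executable basename
    cmdline: str

# Assumed indicator: the stock AutoIt interpreter name. A crypter may ship the
# interpreter under another name, so a miss here is absence of evidence only.
AUTOIT_IMAGES = {"autoit3.exe"}

def is_batch_host(ev: ProcEvent) -> bool:
    """cmd.exe launched with a .bat/.cmd file on its command line."""
    return ev.image == "cmd.exe" and any(ext in ev.cmdline.lower() for ext in (".bat", ".cmd"))

def ancestry(pid, by_pid, max_depth=6):
    """Return the parent chain starting at pid (nearest first), stopping at unknown PIDs."""
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev.ppid
    return chain

def find_hollowing_candidates(events):
    """Flag explorer.exe processes whose ancestors include a batch run and AutoIt.

    explorer.exe is normally started by userinit.exe or by explorer itself; one
    sitting beneath cmd.exe -> autoit3.exe matches the chain described above,
    where the AutoIt script spawns a suspended explorer.exe to hollow.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image != "explorer.exe":
            continue
        chain = ancestry(e.ppid, by_pid)
        if any(a.image in AUTOIT_IMAGES for a in chain) and any(is_batch_host(a) for a in chain):
            findings.append((e.pid, [a.image for a in chain]))
    return findings

# Constructed sample events (assumed PIDs, paths and names), not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(300, 200, "userinit.exe", "userinit.exe"),
    ProcEvent(310, 300, "explorer.exe", "explorer.exe"),                      # normal shell
    ProcEvent(400, 310, "setup_crack.exe", r"C:\Users\u\Downloads\setup_crack.exe"),
    ProcEvent(410, 400, "cmd.exe", r'cmd /c "C:\Users\u\AppData\Local\Temp\ns1234.tmp\run.bat"'),
    ProcEvent(420, 410, "autoit3.exe", r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\x.a3x"),
    ProcEvent(430, 420, "explorer.exe", "explorer.exe"),                      # hollowing target
    ProcEvent(510, 310, "cmd.exe", r'cmd /c "C:\tools\open_share.bat"'),
    ProcEvent(520, 510, "explorer.exe", r"explorer.exe \\fileserver\share"),   # benign
]

if __name__ == "__main__":
    for pid, chain in find_hollowing_candidates(SAMPLE_EVENTS):
        print(f"suspicious explorer.exe pid={pid} ancestry={' <- '.join(chain)}")
```

Parent-chain matching only catches the case where the injector spawns a fresh explorer.exe; pairing it with suspended-process creation and cross-process memory-write telemetry gives a stronger hollowing signal.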