- Lumma Stealer malware is hidden behind a fake Telegram Premium site and launches without any user click
- The executable uses cryptor obfuscation to bypass traditional antivirus scanning techniques entirely
- The malware connects to real Telegram servers while secretly sending stolen data in hidden fields
A malicious campaign is targeting users through a fraudulent Telegram Premium website that delivers a dangerous variant of the Lumma Stealer malware.
According to a CYFIRMA report, the domain telegrampmium[.]app closely imitates the legitimate Telegram Premium brand and hosts a file named Start.exe.
The executable, written in C/C++, is downloaded automatically when the site is visited, without requiring any user interaction.
A closer look at the malware delivery
Once executed, it collects sensitive data, including browser-stored credentials, cryptocurrency wallet details and system information, raising the risk of identity theft and similar harms.
The fake site works as a drive-by download mechanism, a method in which malicious payloads are delivered automatically without explicit consent.
The executable's high entropy suggests that a cryptor was used for obfuscation, which complicates detection by traditional security suites.
Static analysis shows that the malware imports many Windows API functions, enabling it to handle files, modify the registry, access the clipboard, run additional payloads and evade detection.
The malware also issues DNS requests through Google's public DNS server, bypassing internal network controls.
It communicates with legitimate services such as Telegram and Steam Community, possibly for command and control, and with algorithmically generated domains to evade domain takedowns.
These techniques let the malware maintain its communication channels while avoiding detection by firewalls and conventional monitoring tools.
The domain involved is newly registered, and its hosting characteristics suggest it was set up for short-term targeted activity.
The malware drops several disguised files in the %Temp% directory, including encrypted payloads posing as image files.
Some are later renamed and executed as obfuscated scripts, allowing the malware to clean up its traces.
It uses functions such as Sleep to delay execution and dynamic library loading (LoadLibrary) to bring in DLLs stealthily, making its presence harder for analysts to spot during initial inspection.
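Two of the indicators described above, an executable whose entropy points to cryptor obfuscation and encrypted payloads dropped in %Temp% under image extensions, can be checked with the same defensive triage logic. The script below is an added example written for this article, not code from the CYFIRMA report; the entropy threshold, the magic-byte table and the sample files are constructed for illustration.

```python
import math
import os
from collections import Counter

# Leading bytes of common image formats (constructed subset for this example).
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".bmp": b"BM",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in the range 0..8; encrypted or packed content sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def magic_matches_extension(name: str, data: bytes) -> bool:
    """True when the file's first bytes match what its image extension claims."""
    magic = IMAGE_MAGIC.get(os.path.splitext(name)[1].lower())
    return magic is not None and data.startswith(magic)

def triage(name: str, data: bytes, threshold: float = 7.2) -> list:
    """Reasons a supposed image file in %Temp% deserves a closer look.

    threshold is an assumed cut-off; real images compress well, so their
    entropy is high too, which is why the magic-byte check is combined with it.
    """
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in IMAGE_MAGIC and not magic_matches_extension(name, data):
        findings.append("extension/magic mismatch")
    if data.startswith(b"MZ"):
        findings.append("PE header under image extension")
    if shannon_entropy(data) >= threshold:
        findings.append("high entropy (possible encrypted payload)")
    return findings

# Constructed samples: a PNG header with low-entropy padding, a "PNG" that is
# really uniformly distributed bytes (as ciphertext would be), and a DOS/PE
# stub renamed to .jpg.
REAL_PNG = IMAGE_MAGIC[".png"] + b"\x00" * 200
FAKE_PNG = bytes(range(256)) * 4
RENAMED_EXE = b"MZ" + b"\x90" * 100

if __name__ == "__main__":
    for fname, blob in [("banner.png", REAL_PNG), ("photo.png", FAKE_PNG),
                        ("icon.jpg", RENAMED_EXE)]:
        print(fname, triage(fname, blob) or ["no findings"])
```

Running the same checks over the real %Temp% directory only requires replacing the constructed samples with file reads.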
Staying ahead of threats of this nature requires a combination of technical measures and user awareness.
How to stay safe
- Organizations should deploy endpoint detection and response solutions capable of identifying the suspicious behavior patterns associated with Lumma Stealer
- Block all access to malicious domains
- Apply strict download controls to prevent payload delivery
- Multi-factor authentication is essential to limit the damage if credentials are compromised
- Regular credential rotation helps reduce the risk of long-term attacker access
- Continuous monitoring for suspicious activity enables faster detection of and response to potential breaches