The activity of the Lumma Stealer information stealer has decreased over the past couple of months after the identities of five alleged core group members were exposed.
Offered on underground forums as malware-as-a-service (MaaS) since at least August 2022, Lumma Stealer (also known as LummaC2 Stealer or LummaC2) has been one of the most prominent information stealers this year.
The malware was targeted by a law enforcement operation in May this year, but resumed activity two months later, on rebuilt infrastructure.
From June to September, the threat actors behind Lumma Stealer were highly active, but that changed last month, when Trend Micro observed a sharp decline in command-and-control (C&C) infrastructure activity associated with the MaaS.
The drop, the cybersecurity firm notes, coincides with an underground doxxing campaign targeting the Lumma Stealer group, which is also tracked as Water Kurita and Storm-2477.
“Allegedly driven by rivals, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications,” Trend Micro notes.
As part of the doxxing campaign, the alleged group members’ personal information, social media profiles, financial information, and passwords were published on a website named ‘Lumma Rats’.
Two of the five individuals appear to be the malware’s administrator and developer, while the remaining three have undisclosed roles in the operation.
“The disclosures included highly sensitive details such as passport numbers, bank account information, email addresses, and links to various online profiles,” Trend Micro says.
According to the cybersecurity firm, someone with insider knowledge of the operation or access to compromised accounts or databases appears to be behind the doxxing campaign.
Following the disclosure, the group’s Telegram account was reportedly compromised, preventing the threat actors from communicating with their customers and leading to the sharp decline in the infostealer’s activity.
“It is important to note that the accuracy of the doxed information and the actual involvement of the named individuals have not been independently verified. The campaign could be motivated by personal or competitive grudges, and attribution should be treated with caution,” Trend Micro notes.
Lumma Stealer’s sharp decline, however, resulted in cybercriminals seeking alternative solutions, with the Vidar and StealC information stealers emerging as the top replacement options. The transition also affected the pay-per-install (PPI) service Amadey, which was used for Lumma Stealer distribution.
The shift also encouraged other MaaS operators to aggressively market their services and could lead to “new, stealthier infostealer variants entering the market,” Trend Micro warns.