Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response

    Date: 01/31/2025

    Severity: High

    Summary

    Our team investigated a campaign leveraging GitHub’s release infrastructure to distribute Lumma Stealer and other malware, including SectopRAT, Vidar, and Cobeacon. Attackers used GitHub for initial access, tricking users into downloading malicious files from URLs that appeared trustworthy. These files exfiltrated sensitive data, connected to external command-and-control (C&C) servers, and executed commands to evade detection. Lumma Stealer and the other payloads deployed additional tools, created multiple directories, and used PowerShell scripts and shell commands for persistence and data exfiltration.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    lumdukekiy.shop

    ikores.sbs

    https://klipcatepiu0.shop/int_clp_sha.txt

    IP Addresses:

    91.202.233.18

    5.75.212.196

    Hashes (SHA-256): the full set of file hashes is carried in the sha256hash detection query below.


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "ikores.sbs" or url like "ikores.sbs" or userdomainname like "https://klipcatepiu0.shop/int_clp_sha.txt" or url like "https://klipcatepiu0.shop/int_clp_sha.txt" or userdomainname like "lumdukekiy.shop" or url like "lumdukekiy.shop"

    IP Addresses:

    dstipaddress IN ("5.75.212.196","91.202.233.18") or ipaddress IN ("5.75.212.196","91.202.233.18") or publicipaddress IN ("5.75.212.196","91.202.233.18") or srcipaddress IN ("5.75.212.196","91.202.233.18")

    Hashes (SHA-256):

    sha256hash IN ("de6fcdf58b22a51d26eacb0e2c992d9a894c1894b3c8d70f4db80044dacb7430","843269c61515c42f248cb855e5466c82e1f72182b833b1d5438999efa2c9384d","4af3898ba3cf8b420ea1e6c5ce7cdca7775a4c9b78f67b493a9c73465432f1d3","e8452a65a452abdb4b2e629f767a038e0792e6e2393fb91bf17b27a0ce28c936","6ec86b4e200144084e07407200a5294985054bdaddb3d6c56358fc0657e48157","afdc1a1e1e934f18be28465315704a12b2cd43c186fbee94f7464392849a5ad0","51fbc196175f4fb9f38d843ee53710cde943e5caf1b0552624c7b65e6c231f7e","c93dfe641543c3466edf56a9bed92d6ad7bb6f179c6041ed69d103b05e44828b","25cfd6e6a9544990093566d5ea9d7205a60599bfda8c0f4d59fca31e58a7640b","af66c194d30a1c7c48c3fdf9d7142951ff4e6ba26cd6321210f7c4e9350ced22","2f8275484d80fe3ce73d30116c1cc0019f473f675e9c78cc4bc3fb2193a8b14d","f02e6df17859052ff7a41ae570796c2fa85ec6ed560342f22f330087286a519f","73A017FC2F9C559D333A272598FC10E1E7F25E8C6AFEABBD431C2ACAF8993A8E","DD895AA929CD14684C802ADAD1386ADD63E236EEA179C75DAA658C1EF10868E5","45a73c9260c41aee9122de28dea86944e1f2d447de7e66bff0d64bc895780572","938e35827cd9a8b63dcbb60a0bcab4f1f4eb84e3a8d644f061327183b871f6eb")
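    The queries above match literal strings, so two details matter when they are ported to another SIEM: the hash list mixes upper- and lower-case SHA-256 values, and "like" is a substring match that would also fire on a hostname such as notikores.sbs. The following Python is an added example, not Gurucul's code or part of the Trend Micro research: it normalises hash case, extracts hostnames from URLs, and matches constructed log events against the page's domains, IPs and two of its hashes, reusing the field names from the queries (the event format itself is an assumption).

```python
from urllib.parse import urlsplit

# IOC values taken from the advisory above: its domains, IPs and two of its SHA-256 hashes.
IOC_DOMAINS = {"lumdukekiy.shop", "ikores.sbs", "klipcatepiu0.shop"}
IOC_IPS = {"91.202.233.18", "5.75.212.196"}
IOC_SHA256 = {h.lower() for h in (  # lower-case once; the advisory mixes upper and lower case
    "afdc1a1e1e934f18be28465315704a12b2cd43c186fbee94f7464392849a5ad0",
    "73A017FC2F9C559D333A272598FC10E1E7F25E8C6AFEABBD431C2ACAF8993A8E",
)}
IP_FIELDS = ("srcipaddress", "dstipaddress", "ipaddress", "publicipaddress")

def host_of(value: str) -> str:
    """Reduce a bare domain or a full URL to its lowercase hostname (port and path dropped)."""
    v = value.strip().lower()
    if "://" in v:
        return urlsplit(v).hostname or ""
    return v.split("/")[0].split(":")[0]

def domain_hit(value: str) -> bool:
    """Match the IOC domain or a subdomain of it; a substring 'like' would also fire on notikores.sbs."""
    h = host_of(value)
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)

def match_event(event: dict) -> list:
    """Return (ioc_type, field, value) for every IOC found in one normalised log event (assumed format)."""
    hits = []
    for f in ("userdomainname", "url"):
        if f in event and domain_hit(event[f]):
            hits.append(("domain", f, host_of(event[f])))
    for f in IP_FIELDS:
        if f in event and event[f] in IOC_IPS:
            hits.append(("ip", f, event[f]))
    if "sha256hash" in event and event["sha256hash"].lower() in IOC_SHA256:
        hits.append(("hash", "sha256hash", event["sha256hash"].lower()))
    return hits

# Constructed sample events (not from the page); the last one is benign and must not match.
SAMPLE_EVENTS = [
    {"url": "https://klipcatepiu0.shop/int_clp_sha.txt", "dstipaddress": "5.75.212.196"},
    {"userdomainname": "cdn.lumdukekiy.shop"},
    {"sha256hash": "73a017fc2f9c559d333a272598fc10e1e7f25e8c6afeabbd431c2acaf8993a8e"},
    {"url": "https://example.org/release.zip", "dstipaddress": "203.0.113.5"},
]

def scan(events=SAMPLE_EVENTS) -> list:
    """Return (index, hits) for each event that matches at least one IOC."""
    matched = ((i, match_event(e)) for i, e in enumerate(events))
    return [(i, hits) for i, hits in matched if hits]
```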

    Reference:

    https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html


    Tags

    Malware, Lumma, GitHub, Exfiltration
