Microsoft raises posse to target dangerous Lumma malware
Microsoft, along with a consortium of partners, has seized and disrupted a significant part of the Lumma malware-as-a-service network used to steal data and funds
A broad coalition of technology partners and law enforcement agencies, spearheaded by Microsoft’s Digital Crimes Unit (DCU), has disrupted the dangerous Lumma Stealer malware-as-a-service (MaaS) operation, which played a key role in the arsenals of multiple cyber criminal gangs, including ransomware crews.
Using a court order granted in the US District Court of the Northern District of Georgia earlier in May, the DCU and its posse seized and took down approximately 2,300 malicious domains that formed the core of the Lumma operation.
“Lumma steals passwords, credit cards, bank accounts and cryptocurrency wallets, and has enabled criminals to hold schools to ransom, empty bank accounts and disrupt critical services,” said DCU assistant general counsel, Steven Masada.
At the same time, the US Department of Justice (DoJ) seized the MaaS central command structure and targeted the underground marketplaces where access was sold, while elsewhere, Europol’s European Crime Centre (EC3) and Japan’s Cybercrime Control Centre (JC3) went after locally hosted infrastructure.
Europol EC3 head Edvardas Šileris, said: “This operation is a clear example of how public-private partnerships are transforming the fight against cyber crime. By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cyber criminals thrive on fragmentation – but together, we are stronger.”
In a blog post detailing the takedown, Masada said that over a two-month period, Microsoft had identified more than 394,000 Windows computers that had been infected by Lumma. These machines have now been “freed”, with communications between Lumma and its victims severed.
This joint action is designed to slow the speed at which [threat] actors can launch their attacks, minimise the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream Steven Masada, Microsoft Digital Crimes Unit
At the same time, about 1,300 domains seized by or transferred to Microsoft – including 300 actioned by Europol – are now redirecting to Microsoft-operated sinkholes.
“This will allow Microsoft’s DCU to provide actionable intelligence to continue to harden the security of the company’s services and help protect online users,” said Masada. “These insights will also assist public- and private-sector partners as they continue to track, investigate and remediate this threat.
“This joint action is designed to slow the speed at which these actors can launch their attacks, minimise the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream.”
Lumma chameleon
The Lumma Stealer MaaS first appeared on the underground scene about three years ago and has been under near-continuous development since then.
Based out of Russia, and run by a primary developer who goes by the handle “Shamel”, Lumma offers four tiers of service, starting from $250 (£186) and rising to an eye-popping $20,000, for which buyers receive access to Lumma’s style and panel source code, the source code for plugins, and the right to act as a reseller.
When deployed, the goal is typically to monetise stolen data or conduct further exploitation. Like a chameleon, it is difficult to spot and can slip by many security defences unseen. To lure its victims, Lumma spoofs trusted brands – including Microsoft – and spreads through phishing and malvertising.
As such, it has become something of a go-to tool for many, and is known to have been used by many of the world’s more notorious cyber crime collectives, including ransomware gangs. Its customers likely included, at one time, Scattered Spider, the group thought to be behind the ransomware attack on Marks & Spencer in the UK, although there is no public evidence to suggest it was used in this incident.
Blake Darché, head of Cloudforce One at Cloudflare, which provided key support during the takedown, said: “Lumma goes into your web browser and harvests every single piece of information on your computer that could be used to access either dollars or accounts – with the victim profile being everyone, anywhere, at any time.
“The threat actors behind the malware target hundreds of victims daily, grabbing anything they can get their hands on. This disruption worked to fully set back their operations by days, taking down a significant number of domain names and ultimately blocking their ability to make money by committing cyber crime.
“While this effort threw a sizeable wrench into the largest global infostealer’s infrastructure, like any threat actor, those behind Lumma will shift tactics and reemerge to bring their campaign back online,” said Darché.
Jonathan is a tech enthusiast and the mind behind Tech AI Verse. With a passion for artificial intelligence, consumer tech, and emerging innovations, he deliver clear, insightful content to keep readers informed. From cutting-edge gadgets to AI advancements and cryptocurrency trends, Jonathan breaks down complex topics to make technology accessible to all.
