Fake Browser Updates delivering BitRAT and Lumma Stealer

June 3, 2024, 11:48 a.m.

Description

This report details a malicious campaign in which adversaries used fake browser update prompts to lure victims into downloading and executing malware. The infection chain begins with malicious JavaScript injected into compromised websites, which redirects users to pages mimicking legitimate browser update sites. These fake update sites host ZIP archives containing PowerShell scripts that download and execute the BitRAT and Lumma Stealer malware. The report provides an in-depth analysis of the attack flow, payload characteristics, encryption routines, and command-and-control infrastructure leveraged by these malware families.

Date

  • Created: June 3, 2024, 11:26 a.m.
  • Published: June 3, 2024, 11:26 a.m.
  • Modified: June 3, 2024, 11:48 a.m.

Indicators

  • 77.221.151.31
  • http://chatgpt-app.cloud/q1Vz6N
  • evolutionautomation.com
  • chatgpt-app.cloud
  • accountasifkwosov.shop
  • tolerateilusidjukl.shop
  • shatterbreathepsw.shop
  • shortsvelventysjo.shop
  • productivelookewr.shop
  • liabilitynighstjsko.shop
  • incredibleextedwj.shop
  • demonstationfukewko.shop
  • alcojoldwograpciw.shop