Malware Distributed Using Falcon Sensor Update Phishing Lure

July 29, 2024, 12:04 p.m.

Description

CrowdStrike Intelligence uncovered a phishing campaign that impersonates CrowdStrike and distributes malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity infostealer Lumma Stealer, packed with the CypherIt packer. The campaign is likely linked to an earlier Lumma Stealer distribution effort that relied on advanced social engineering. The malware checks for security products and terminates if it finds any, and it is wrapped in multiple layers of obfuscation to evade detection. Once running, it connects to command-and-control servers and exfiltrates the stolen data over that channel.

Date

  • Created: July 29, 2024, 11:40 a.m.
  • Published: July 29, 2024, 11:40 a.m.
  • Modified: July 29, 2024, 12:04 p.m.

Indicators

File hashes (SHA-256):

  • e9cd2429628e3955dd1f7c714fbaa3e3b85bfaac0bc31582cf9c5232cb8fc352
  • e6b00ee585b008f110829df68c01a62d3bfac1ffe7d65298c8a4e4109b8a7319
  • d669078a7cdcf71fb3f2c077d43f7f9c9fdbdb9af6f4d454d23a718c6286302a
  • c3e50ca693f88678d1a6e05c870f605d18ad2ce5cfec6064b7b2fe81716d40b0
  • c1e27b2e7db4fba9f011317ff86b0d638fe720b945e933b286bb3cf6cdb60b6f
  • bb7a19963b422ed31b0b942eeaad7388421bc270a8513337f8ec043a84a4f11c
  • b5c0610bc01cfc3dafc9c976cb00fe7240430f0d03ec5e112a0b3f153f93b49a
  • aca54f9f5398342566e02470854aff48c53659be0c0cb83d3ce1fd05430375f8
  • a992cee863a4668698af92b4f9bd427d7a827996bf09824b89beff21578b49bd
  • 922b1f00115dfac831078bb5e5571640e95dbd0d6d4022186e5aa4165082c6b2
  • 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
  • 6ec39c6eee15805ef3098af7ae172517a279b042fc6c323ebf1aef8f8f2b21be
  • 66ad1c04ebb970f2494f2f30b45d6a83c2f3a2bb663565899f57bb5422851518
  • 6217436a326d1abcd78a838d60ab5de1fee8a62cda9f0d49116f9c36dc29d6fa
  • 56f2aedb86d26da157b178203cec09faff26e659f6f2be916597c9dd4825d69f
  • 50f9c384443a40d15a6e74960f1ba75dcf741eabdb5713bd2eba453a6aad81e5
  • 3ed535bbcd9d4980ec8bc60cd64804e9c9617b7d88723d3b05e6ad35821c3fe7
  • 2856b7d3948dfb5231056e52437257757839880732849c2e2a35de3103c64768
  • 280900902df7bb855b27614884b369e5e0da25ff22efacc59443a4f593ccd145
  • 1e06ef09d9e487fd54dbb70784898bff5c3ee25d87f468c9c5d0dfb8948fb45c

Domains:

  • go.microsoft.crowdstrike-office365.com
  • crowdstrike-office365.com
  • warrantelespsz.shop
  • iiaiyitre.pa
  • unseaffarignsk.shop
  • upknittsoappz.shop
  • shepherdlyopzc.shop
  • outpointsozp.shop
  • liernessfornicsa.shop
  • indexterityszcoxp.shop
  • lariatedzugspd.shop
  • callosallsaospz.shop
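The indicators above are only useful once they are matched against telemetry. The script below is an added example, not code from the advisory or from CrowdStrike: it embeds the listed hashes and domains and checks constructed sample DNS and file-event log lines against them. The log formats, host names, client addresses and sample lines are assumptions made for illustration. Domain matching walks parent domains on label boundaries, so a query for a subdomain such as go.microsoft.crowdstrike-office365.com is caught under crowdstrike-office365.com while a look-alike name like notcrowdstrike-office365.com is not, and hash comparison is case-insensitive because EDR exports often emit upper-case hex.

```python
"""Check telemetry against the indicators listed in this advisory.

Added example; not code from the advisory or from CrowdStrike. The hashes
and domains are copied from the Indicators section. The log lines and their
field layout are constructed for illustration only.
"""
import re

# SHA-256 hashes copied from the advisory's Indicators section.
IOC_HASHES = frozenset({
    "e9cd2429628e3955dd1f7c714fbaa3e3b85bfaac0bc31582cf9c5232cb8fc352",
    "e6b00ee585b008f110829df68c01a62d3bfac1ffe7d65298c8a4e4109b8a7319",
    "d669078a7cdcf71fb3f2c077d43f7f9c9fdbdb9af6f4d454d23a718c6286302a",
    "c3e50ca693f88678d1a6e05c870f605d18ad2ce5cfec6064b7b2fe81716d40b0",
    "c1e27b2e7db4fba9f011317ff86b0d638fe720b945e933b286bb3cf6cdb60b6f",
    "bb7a19963b422ed31b0b942eeaad7388421bc270a8513337f8ec043a84a4f11c",
    "b5c0610bc01cfc3dafc9c976cb00fe7240430f0d03ec5e112a0b3f153f93b49a",
    "aca54f9f5398342566e02470854aff48c53659be0c0cb83d3ce1fd05430375f8",
    "a992cee863a4668698af92b4f9bd427d7a827996bf09824b89beff21578b49bd",
    "922b1f00115dfac831078bb5e5571640e95dbd0d6d4022186e5aa4165082c6b2",
    "865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4",
    "6ec39c6eee15805ef3098af7ae172517a279b042fc6c323ebf1aef8f8f2b21be",
    "66ad1c04ebb970f2494f2f30b45d6a83c2f3a2bb663565899f57bb5422851518",
    "6217436a326d1abcd78a838d60ab5de1fee8a62cda9f0d49116f9c36dc29d6fa",
    "56f2aedb86d26da157b178203cec09faff26e659f6f2be916597c9dd4825d69f",
    "50f9c384443a40d15a6e74960f1ba75dcf741eabdb5713bd2eba453a6aad81e5",
    "3ed535bbcd9d4980ec8bc60cd64804e9c9617b7d88723d3b05e6ad35821c3fe7",
    "2856b7d3948dfb5231056e52437257757839880732849c2e2a35de3103c64768",
    "280900902df7bb855b27614884b369e5e0da25ff22efacc59443a4f593ccd145",
    "1e06ef09d9e487fd54dbb70784898bff5c3ee25d87f468c9c5d0dfb8948fb45c",
})

# Domains copied from the advisory's Indicators section.
IOC_DOMAINS = frozenset({
    "go.microsoft.crowdstrike-office365.com", "crowdstrike-office365.com",
    "warrantelespsz.shop", "iiaiyitre.pa", "unseaffarignsk.shop",
    "upknittsoappz.shop", "shepherdlyopzc.shop", "outpointsozp.shop",
    "liernessfornicsa.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop",
    "callosallsaospz.shop",
})


def normalize_domain(name):
    """Lower-case and drop a trailing dot so 'Foo.SHOP.' equals 'foo.shop'."""
    return name.strip().rstrip(".").lower()


def domain_matches(name, iocs=IOC_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Walks from the full name to each parent on label boundaries, so
    'cdn.crowdstrike-office365.com' hits 'crowdstrike-office365.com' while
    'notcrowdstrike-office365.com' does not.
    """
    labels = normalize_domain(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def hash_matches(digest, iocs=IOC_HASHES):
    """Case-insensitive SHA-256 lookup."""
    return digest.strip().lower() in iocs


# Constructed sample lines (not real telemetry). Assumed layouts:
#   DNS:  "<ts> <client> query <qname>"
#   File: "<ts> <host> FileCreate path=<path> sha256=<hex>"
SAMPLE_DNS_LOG = [
    "2024-07-29T10:15:02Z 10.0.0.12 query go.microsoft.crowdstrike-office365.com",
    "2024-07-29T10:15:03Z 10.0.0.12 query login.microsoftonline.com",
    "2024-07-29T10:16:40Z 10.0.0.34 query cdn.crowdstrike-office365.com.",
    "2024-07-29T10:17:11Z 10.0.0.34 query WARRANTELESPSZ.SHOP",
    "2024-07-29T10:18:00Z 10.0.0.56 query notcrowdstrike-office365.com",
]
SAMPLE_FILE_LOG = [
    "2024-07-29T10:20:00Z host1 FileCreate path=C:\\Users\\a\\Downloads\\update.msi "
    "sha256=E9CD2429628E3955DD1F7C714FBAA3E3B85BFAAC0BC31582CF9C5232CB8FC352",
    "2024-07-29T10:21:00Z host2 FileCreate path=C:\\Windows\\Temp\\x.tmp sha256=" + "0" * 64,
]

_DNS_RE = re.compile(r"\bquery\s+(\S+)")
_SHA_RE = re.compile(r"\bsha256=([0-9A-Fa-f]{64})\b")


def scan_dns_log(lines):
    """Return (line_no, queried_name, matched_ioc) for queries under an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _DNS_RE.search(line)
        if m:
            ioc = domain_matches(m.group(1))
            if ioc:
                hits.append((n, normalize_domain(m.group(1)), ioc))
    return hits


def scan_file_log(lines):
    """Return (line_no, sha256) for file events whose hash is an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _SHA_RE.search(line)
        if m and hash_matches(m.group(1)):
            hits.append((n, m.group(1).lower()))
    return hits
```

Run against real exports by replacing the two sample lists and, if needed, the two regular expressions with the field layout of your DNS and EDR logs. A hit on any .shop or .pa domain here is unambiguous; a hit under crowdstrike-office365.com is also malicious, but confirm the match is not a legitimate crowdstrike.com name mis-parsed from the log before blocking.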

Attack Patterns

  • Lumma Stealer (malware family)
  • T1027.002 (Obfuscated Files or Information: Software Packing)
  • T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
  • T1204 (User Execution)
  • T1041 (Exfiltration Over C2 Channel)
  • T1566 (Phishing)