A recent investigation has brought to light the activities of threat actors utilizing Discord to deploy an information-stealing malware named Lumma Stealer. Lumma Stealer is available for purchase on underground forums with different plans offering varied levels of access, ranging from log views to traffic analysis tools. The most costly plan permits buyers to access the malware’s source code and grants reselling rights.
Diving into details
- Cybercriminals are exploiting Discord’s Content Delivery Network (CDN) for hosting and propagating this malware.
- Moreover, they are leveraging Discord’s API to produce bots that can remotely control the malware.
- Not only do these bots control the malware, but they also transmit stolen information to specific Discord channels.
Tactics and technical insights
Lumma Stealer operators use random or compromised Discord accounts to direct message potential victims.
- By enticing them with offers such as a $10 payment or a Discord Nitro boost in return for a short game review, they lure victims into a trap.
- Once a victim accedes to the request, they are prompted to download a malicious file containing Lumma Stealer.
- The file, when activated, links to a hostile domain and aims to pilfer cryptocurrency wallets and browser-related information from the user.
- Furthermore, new features added to Lumma Stealer enable it to load auxiliary files, which can lead to additional malware. The malware can now detect bots, likely referring to research environments or emulators, using AI and deep learning techniques.
The bottom line
The emergence of Lumma Stealer on Discord underscores the continuous evolution of cyber threats. It’s crucial to remain wary of unanticipated direct messages and to validate the sender’s identity before accessing any links or attachments. Users need to exercise caution while clicking links or downloading files from unverified sources.