Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious links within seemingly legitimate payment requests. 

This tactic aims to deceive recipients into opening the invoice, leading to:

  • Potential data breaches
  • Financial fraud
  • Unauthorized access to sensitive information

Cybersecurity researchers at Perception Point recently discovered and analyzed sophisticated malware dubbed “LUMMA” malware.

Basically Sandboxing technology can identify and isolate malicious software with precision and accuracy, protecting the system from potentially harmful malware.

Invoice To Deliver LUMMA Malware

Cybersecurity analysts identified that the attacker, posing as a financial services company in this campaign, tricks the target with a fake invoice email. 

Fake Invoice (Source – Perception Point)

The user is urged to click “View & Download Invoice,” but the provided website is unavailable. To maintain legitimacy, a valid website link is included that redirects users after the failed button click.

The attacker dodges detection using a fake page and a real link. Security scans miss malicious payload hidden behind error pages and innocent URLs. 

Clicking the link redirects to harmful URLs triggering automatic download of malicious files. The attacker breached a legitimate site to host a redirect. 

Besides this, the website code reveals multiple redirects to dangerous URLs, like hxxps://robertoscaia[.]com/eco, downloading malware through the “.exe” file generator.

Website code (Source – Perception Point)
Website code (Source – Perception Point)

LUMMA is an InfoStealer malware that is written in C language and spreads through Malware-as-a-Service. 

The attack features three processes, and here below, we have mentioned those processes: –

  • 1741[.]exe
  • RegSvcs[.]exe
  • wmpnscfg[.]exe

Notably, the “1741[.]exe” process runs from the user’s temp folder, raising suspicions due to legitimate programs not using this location.

Processes ‘RegSvcs[.]exe’ and ‘wmpnscfg.exe’ from unusual folders suggest suspicious behavior linked to malware. 

Parent processes with PIDs 1388, 3428, and 1388 add complexity, aiming to hide malicious activities.

Increasingly sophisticated threats demand constant security system evaluation.

This incident highlights the need for advanced prevention, continuous monitoring, and a multi-layered approach to detecting and countering evolving cyber threats.

IOCs

Main object – 3827.exe

  • md5 0563076ebdeaa2989ec50da564afa2bb
  • sha1 ac14e7468619ed486bf6c3d3570bea2cee082fbc
  • sha256 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b

Dropped executable file

  • sha256 C:\Users\admin\AppData\Local\Temp\Protect544cd51a.dll dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

DNS requests

  • domain taretool[.]pw

Connections

  • ip 104[.]21[.]21[.]50
  • ip 224[.]0[.]0[.]252

HTTP/HTTPS requests:

  • url hxxp://taretool[.]pw/api
  • url hxxp://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]patrickforeilly[.]com/eco/
  • url hxxps://www[.]robertoscaia[.]com/eco/
  • url hxxps://fuelrescue[.]ie/eco/
  • url hxxps://www[.]7-zip[.]org/a/7zr[.]exe

This article first appeared in TechTarget, written by Guru Baran on November 30, 2023.