Lumma Stealer Malware Returns with Dangerous New Trick to Hijack Google Accounts
A sophisticated information-stealing malware known as Lumma Stealer has re-emerged with a dangerous new capability, posing a significant threat to online security. Despite previous law enforcement actions aimed at disrupting its operations, the cybercrime group behind this malware has not only returned but has enhanced its tool to be more persistent and invasive than ever before.
This threat operates on a Malware-as-a-Service (MaaS) model, where the developers rent out their malicious software to other criminals, creating a widespread and decentralized network of attacks. The latest version of Lumma Stealer introduces a groundbreaking technique that sets it apart from its competitors.
A New Method for Persistent Google Account Access
The most alarming new feature is the malware’s ability to restore expired Google authentication cookies. In the past, when a user’s session cookies were stolen, they would eventually expire, logging the attacker out of the compromised account. This provided a limited window of opportunity for the criminals.
However, the new version of Lumma can leverage a specific, undocumented Google OAuth endpoint to regenerate these cookies. By doing so, attackers can maintain access to a victim’s Google account indefinitely, even long after the initial infection. This functionality effectively bypasses standard security measures that rely on session timeouts, giving attackers a persistent key to a victim’s digital life, including Gmail, Google Drive, and other connected services.
What Lumma Stealer Targets
Lumma is an “infostealer,” meaning its primary goal is to collect and exfiltrate sensitive data from an infected computer. Its main targets include:
- Cryptocurrency Wallets: It specifically hunts for data related to popular EVM-based wallets like MetaMask, Trust Wallet, and Binance Chain Wallet.
- Browser Data: The malware steals a wide range of information from web browsers, including saved passwords, browsing history, and autocomplete data.
- Two-Factor Authentication (2FA) Extensions: It targets browser extensions used for 2FA, potentially undermining this critical security layer.
- System Information: It collects detailed information about the victim’s computer, which can be used for further attacks.
How the Malware Spreads
The distribution methods for Lumma Stealer are designed to trick unsuspecting users. The most common infection vector is through malicious links shared in the descriptions of YouTube videos. These videos often promise free access to pirated software, game cheats, or “cracked” applications. When a user clicks the link and runs the downloaded file, the malware is installed silently in the background.
The criminals behind Lumma run a professional operation, using a Telegram channel to advertise their malware, provide customer support to other criminals, and offer various subscription tiers ranging from $250 to $1,000 per month.
How to Protect Yourself from Infostealer Threats
Given the sophisticated nature of threats like Lumma Stealer, proactive security measures are essential. Here are actionable steps you can take to protect your digital accounts and personal information:
Be Skeptical of “Too Good to Be True” Offers: Avoid downloading pirated software, game cracks, or activators. These are among the most common ways malware is distributed. Stick to official sources for all your software needs.
Scrutinize Links and Downloads: Be cautious of links in emails, social media posts, and video descriptions, especially if they lead to direct downloads. Verify the legitimacy of a source before clicking.
Use a Reputable Security Suite: Install and maintain a high-quality antivirus and anti-malware program. Ensure its real-time protection features are enabled to detect and block threats before they can execute.
Regularly Review Account Activity: Periodically check the security settings of your critical accounts, like Google. Review logged-in devices and active sessions. If you see any device or location you don’t recognize, immediately log it out and change your password.
Keep Everything Updated: Ensure your operating system, web browsers, and all other software are kept up to date. Software updates frequently contain critical security patches that protect against known vulnerabilities.
The return of Lumma Stealer with its advanced capabilities is a stark reminder that cybercriminals are constantly innovating. Staying informed and practicing strong cybersecurity hygiene is the best defense against these evolving threats.
Source: https://www.bleepingcomputer.com/news/security/lumma-infostealer-malware-returns-after-law-enforcement-disruption/
