- Lumma Stealer malware is hidden on a fake Telegram Premium site and is downloaded without any user click
- The executable uses cryptor-based obfuscation to evade most traditional antivirus scanning techniques
- The malware connects to real Telegram servers while quietly sending stolen data to hidden domains
A malicious campaign targets users through a fraudulent Telegram Premium website that delivers a dangerous variant of the Lumma Stealer malware.
A Cyfirma report states that the domain telegrampremium[.]app closely mimics the legitimate Telegram Premium brand and hosts a file called Start.exe.
This executable, built in C/C++, is downloaded automatically when the site is visited and requires no user interaction.
A closer look at malware delivery
Once executed, it collects sensitive data, including credentials stored in browsers, cryptocurrency wallet details and system information, raising risks such as identity theft.
The fake site works as a drive-by download mechanism, a method in which malicious payloads are delivered automatically without explicit consent.
The executable's high entropy suggests the use of a cryptor for obfuscation, which complicates detection by traditional security suites.
Static analysis shows that the malware imports numerous Windows API functions that allow it to manipulate files, modify the registry, access the clipboard, execute additional payloads and evade detection.
The malware also issues DNS queries through Google's public DNS server, bypassing internal network controls.
It communicates with legitimate services such as Telegram and Steam Community, possibly for command-and-control purposes, and with algorithmically generated domains to evade domain takedowns.
These techniques allow the malware to maintain communication channels while avoiding detection by firewalls and conventional monitoring tools.
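The two network behaviours described above, DNS sent to a public resolver instead of the corporate one and lookups of algorithmically generated names, are both visible in ordinary DNS logs. The script below is an added example written for this article, not code from Cyfirma or from the report; the key=value log format, the corporate resolver address 10.0.0.53, the sample hosts and the DGA thresholds are all constructed assumptions (8.8.8.8 is Google's public resolver). It flags any port-53 traffic to a resolver outside the approved set and scores the registrable label of each queried name with simple entropy and consonant-run heuristics.

```python
"""Flag DNS activity matching the behaviour described in the article: queries sent
to a public resolver instead of the corporate one, and lookups of algorithmically
generated domains.  Log lines, hosts and thresholds are constructed for the
example; the key=value log format is an assumption, not a real product's."""
import math
import re
from collections import Counter

# Assumption: the organisation's own resolver(s).  8.8.8.8 is Google's public DNS.
APPROVED_RESOLVERS = {"10.0.0.53"}
VOWELS = set("aeiou")

# Constructed sample log; not taken from the report.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.53 dport=53 query=telegram.org
2024-01-01T10:00:02 src=10.0.0.5 dst=8.8.8.8 dport=53 query=steamcommunity.com
2024-01-01T10:00:03 src=10.0.0.5 dst=8.8.8.8 dport=53 query=xk7qzv9pfw2lm.example
2024-01-01T10:00:04 src=10.0.0.7 dst=10.0.0.53 dport=53 query=mail.example.com
2024-01-01T10:00:05 src=10.0.0.7 dst=10.0.0.53 dport=443 query=-
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) query=(?P<query>\S+)"
)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(label: str) -> int:
    """Longest run of alphanumerics that are not vowels; DGA labels tend to have long ones."""
    best = cur = 0
    for ch in label:
        if ch.isalnum() and ch not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def looks_algorithmic(domain: str, entropy_threshold: float = 3.5,
                      run_threshold: int = 5, digit_threshold: int = 3) -> bool:
    """Heuristic DGA check on the registrable (second-level) label.
    Thresholds are rule-of-thumb assumptions, not values from the report."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    digits = sum(ch.isdigit() for ch in sld)
    return (
        (len(sld) >= 10 and shannon_entropy(sld) >= entropy_threshold)
        or longest_consonant_run(sld) >= run_threshold
        or digits >= digit_threshold
    )


def analyse(log_text: str, approved=APPROVED_RESOLVERS):
    """Return (src, query, reasons) for every port-53 line that deserves a look."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "53":
            continue
        reasons = []
        if m["dst"] not in approved:
            reasons.append(f"DNS to non-corporate resolver {m['dst']}")
        if looks_algorithmic(m["query"]):
            reasons.append(f"algorithmic-looking domain {m['query']}")
        if reasons:
            alerts.append((m["src"], m["query"], reasons))
    return alerts


if __name__ == "__main__":
    for src, query, reasons in analyse(SAMPLE_LOG):
        print(f"{src} -> {query}: {'; '.join(reasons)}")
```

The query to steamcommunity.com is reported only because it left through the public resolver; the legitimate name itself scores as benign. The constructed label xk7qzv9pfw2lm trips both checks. Blocking outbound UDP/TCP 53 to anything but the approved resolvers at the perimeter removes the first class of alert entirely and forces the second onto a resolver you log.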
The domain involved was registered recently, with hosting characteristics that suggest it was set up for short-term targeted activity.
The malware drops multiple disguised files in the %Temp% directory, including payloads disguised as image files.
Some are then renamed and executed as obfuscated scripts, allowing the malware to clean up its traces.
It uses functions such as Sleep to delay execution and LoadLibraryExW to load DLLs stealthily, making its presence hard for analysts to detect during initial inspection.
Staying safe from threats of this nature requires a combination of technical measures and user awareness.
How to stay safe
- Organizations must deploy endpoint detection and response solutions capable of identifying the suspicious behaviour patterns associated with Lumma Stealer
- Block all access to malicious domains
- Enforce strict download controls to prevent payload delivery
- Multifactor authentication is essential to limit damage if credentials are compromised
- Regular credential rotation helps reduce the risk of long-term access by attackers
- Continuous monitoring for suspicious activity enables faster detection of and response to potential breaches