
"A core part of the resurgence is the use of CastleLoader, a separate piece of malware that's installed initially. It runs solely in memory, making it much harder to detect than malware that resides on a hard drive. Its code is heavily obfuscated, making it hard to spot its malice even when malware scanners can see it. CastleLoader also provides a flexible and full-featured command-and-control communication mechanism that users can customize to meet their specific needs."
"CastleLoader shares some of Lumma's recently rebuilt infrastructure, an indication that the operators are working together or at least coordinating their activities. In other cases, Lumma relies on legitimate infrastructure (mostly from the content delivery networks Steam Workshop and Discord shared files) to be installed. The use of trusted platforms helps lower targets' suspicions. In either case, once the loader is executed, it surreptitiously burrows into the infected machine and, after lowering defenses, installs its second payload: Lumma."
CastleLoader is an in-memory, heavily obfuscated loader that evades detection and provides a customizable command-and-control channel. CastleLoader shares some of Lumma's rebuilt infrastructure; in other cases Lumma is delivered through legitimate platforms such as Steam Workshop and Discord shared files, whose trusted reputation lowers targets' suspicion. Once executed, the loader burrows into the infected machine, lowers its defenses, and installs Lumma as the second-stage payload. Lumma then harvests a wide range of sensitive data, including browser-saved credentials, personal documents, financial records, secret keys and cloud credentials, 2FA backups, server passwords, and cryptocurrency wallets and browser extensions. Because delivery rides on trusted platforms and requires only routine user actions, compromise is both easy to achieve and effective.
Read at Ars Technica