# LummaStealer Weaponizes YubiKey Searches in Advanced SEO Poisoning Campaign

Published: 2026-04-22 | Severity: medium | Reading time: 7 minutes
Source: [LummaStealer Delivered Via Malicious Search Results](https://unit42.paloaltonetworks.com/lummastealer-via-malicious-search-results/), Unit 42, 2026-04-21

## Summary

A new, highly evasive LummaStealer campaign has been uncovered, initiating its attack through SEO poisoning of search results for 'YubiKey Manager'. Victims are lured to a malicious site, 'yubico-app.com', to download a weaponized ISO file. Upon execution, the malware employs a multi-stage infection process starting with DLL sideloading: a legitimate Yubico setup executable is abused to load a malicious DLL placed beside it. It then uses PowerShell to disable Windows Defender protections before deploying a heavily obfuscated AutoIt loader. This loader uses process hollowing to inject the final LummaStealer payload directly into memory, evading file-based antivirus detection. The stealer gains SYSTEM privileges by duplicating winlogon tokens, allowing it to bypass security measures and exfiltrate credentials from over 24 browsers, various FTP/SSH clients, and the KeePass password manager. The campaign further establishes long-term persistence through an RDP backdoor, a reverse tunnel, and the creation of a hidden scheduled task named 'NeuraLogix'.

## Executive Summary

A sophisticated information-stealing campaign is actively distributing the **[LummaStealer](https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma)** malware by targeting users searching for the **[YubiKey Manager](https://www.yubico.com/products/yubikey-manager/)** software. The attack leverages SEO poisoning to direct victims to a malicious download site, initiating a complex, multi-stage infection chain designed to evade detection and maximize data theft. Key tactics include **[DLL Sideloading](https://attack.mitre.org/techniques/T1574/002/)**, in-memory payload execution via **[Process Hollowing](https://attack.mitre.org/techniques/T1055/012/)**, and privilege escalation to SYSTEM level. The ultimate goal is the widespread theft of sensitive credentials from browsers, FTP clients, and password managers, alongside the establishment of persistent backdoors for long-term access. This campaign represents a significant threat due to its advanced evasion techniques and the broad scope of targeted data.

## Threat Overview

The attack begins when a user searches for legitimate software, in this case **YubiKey Manager**. Through **[SEO poisoning](https://en.wikipedia.org/wiki/SEO_poisoning)**, attackers manipulate search engine results to promote their malicious download site, `yubico-app.com`. A user downloading from this site receives a malicious ISO image. Mounting and executing the contained `YUBICO_SETUP.EXE` triggers the primary infection.

The executable is vulnerable to DLL sideloading and loads a malicious `PYTHON311.DLL` placed alongside it. This DLL acts as the initial dropper and orchestrator. It first uses a Base64-encoded PowerShell command to add exclusions for `.exe`, `.com`, and the `Temp` directory in **[Windows Defender](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint)**, effectively blinding the default antivirus. Subsequently, it drops and executes a file named `Health.exe`, which is a disguised **[AutoIt](https://en.wikipedia.org/wiki/AutoIt)** interpreter. This interpreter runs an obfuscated script that unpacks and injects the final C++/Qt **LummaStealer** payload into memory using process hollowing, a technique that helps evade file-based detection signatures.

## Technical Analysis

The attack chain demonstrates a deep understanding of offensive security techniques aimed at bypassing modern defenses. Attribution to **LummaStealer** is confirmed by the use of AutoIt scripts, `.TOP` C2 domains, specific sandbox evasion checks (for hostnames `test22`, `NfZtFbPfH`, `ELICZ`), and the creation of a scheduled task named `NeuraLogix`.

### Initial Access and Execution

1. **Initial Access**: The user is lured via SEO-poisoned search results to `https[:]//yubico-app[.]com/yubikey-manager[.]php` ([`T1566.001 - Phishing: Spearphishing Link`](https://attack.mitre.org/techniques/T1566/001/)).
2. **User Execution**: The user downloads and mounts a malicious ISO file, executing `YUBICO_SETUP.EXE` ([`T1204.002 - User Execution: Malicious File`](https://attack.mitre.org/techniques/T1204/002/)).
3. **DLL Sideloading**: The legitimate `YUBICO_SETUP.EXE` loads the malicious `PYTHON311.DLL` from the same directory ([`T1574.002 - Hijack Execution Flow: DLL Sideloading`](https://attack.mitre.org/techniques/T1574/002/)).

### Defense Evasion and Payload Injection

4. **Impair Defenses**: The malicious DLL executes a PowerShell command to add exclusions in Windows Defender, weakening endpoint security ([`T1562.001 - Impair Defenses: Disable or Modify Tools`](https://attack.mitre.org/techniques/T1562/001/)).
5. **Obfuscation & In-Memory Execution**: An obfuscated AutoIt script (run by `Health.exe`) uses RC4 and LZNT1 decompression to unpack the final payload. It then uses **Process Hollowing** ([`T1055.012`](https://attack.mitre.org/techniques/T1055/012/)) to inject the **LummaStealer** DLL into a new process, avoiding writing the final payload to disk.

### Privilege Escalation and Data Theft

6. **Privilege Escalation**: The stealer payload calls `grab::GetLocalSystemProcessToken` to duplicate the access token from the `winlogon.exe` process, escalating its privileges to SYSTEM ([`T1134.002 - Access Token Manipulation: Create Process with Token`](https://attack.mitre.org/techniques/T1134/002/)). This elevated access is crucial for decrypting app-bound keys.
7. **Data Collection**: With SYSTEM privileges, the malware performs extensive data theft ([`T1555.003 - Credentials from Password Stores: Credentials from Web Browsers`](https://attack.mitre.org/techniques/T1555/003/)), targeting:
    - 24 Chromium-based browsers and **Firefox**.
    - FTP/SSH clients like **FileZilla**, **WinSCP**, and **PuTTY**.
    - **KeePass** configuration files.
8. **Exfiltration**: Stolen data is archived into a `.zip` file and exfiltrated via an HTTP POST request to the C2 server, `Verifydl.top`, using a spoofed Firefox User-Agent ([`T1041 - Exfiltration Over C2 Channel`](https://attack.mitre.org/techniques/T1041/)).

### Persistence and Anti-Forensics

9. **Persistence**: The malware establishes multiple forms of persistence:
    - An RDP backdoor using `rdpwrap.dll` ([`T1021.001 - Remote Services: Remote Desktop Protocol`](https://attack.mitre.org/techniques/T1021/001/)).
    - A reverse tunnel using **Plink**.
    - A hidden scheduled task named `NeuraLogix` created via COM interfaces to evade simple detection ([`T1053.005 - Scheduled Task/Job: Scheduled Task`](https://attack.mitre.org/techniques/T1053/005/)).
    - A `RunOnce` registry key for a secondary payload ([`T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder`](https://attack.mitre.org/techniques/T1547/001/)).
10. **Cleanup**: A `RunOnce` registry key named `wextract_cleanup0` is used to delete temporary files upon the next user logon, hindering forensic analysis.

## Impact Assessment

The primary impact is the large-scale theft of sensitive credentials, which can lead to financial fraud, identity theft, and unauthorized access to personal and corporate accounts. The theft of FTP, SSH, and password manager credentials poses a severe risk, as these can be used to pivot into corporate networks, access development infrastructure, or compromise other high-value assets. The installation of persistent backdoors like RDP and reverse tunnels transforms the initial credential theft into a long-term compromise, allowing attackers to maintain access, deploy additional malware (such as ransomware), and conduct further reconnaissance within the victim's network.

## IOCs — Directly from Articles

| Type | Value | Description |
|---|---|---|
| SHA256 | `e70d3ebc928d2c199d7a62b130421c398b2dc89db48645585d67927b471912c4` | Malicious sideloaded DLL (`PYTHON311.DLL`) |
| SHA256 | `bcd08a8a103088ba2451a3a547725285a78894d71769494245c0aadf37e2e431` | Persistence executable (`f27f4ef8-e729-4b5d-b095-2a405cb3380d.exe`) |
| Domain | `Verifydl.top` | Command and Control (C2) server |
| Domain | `yubico-app.com` | Malicious download domain |
| URL | `https://yubico-app.com/yubikey-manager.php` | Malicious download URL |

## Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns, which could indicate related activity:

| Type | Value | Description |
|---|---|---|
| Process Name | `Health.exe` | Disguised AutoIt interpreter used to run the stealer. |
| Process Name | `YUBICO_SETUP.EXE` | Legitimate process used for sideloading; monitor for suspicious child processes like `powershell.exe`. |
| Command Line Pattern | `powershell.exe -enc` | Monitor for PowerShell executing encoded commands, especially if spawned by unexpected parent processes. |
| Registry Key | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` | Look for suspicious values, specifically those containing `wextract_cleanup0`. |
| Scheduled Task | `NeuraLogix` | Hunt for the creation or existence of a scheduled task with this name. |
| Network Connection | `*.top` | Block or alert on connections to `.top` TLDs from non-browser processes. |
| File Name | `PYTHON311.DLL` | Search for this file in directories containing `YUBICO_SETUP.EXE` or other legitimate executables. |

## Detection & Response

Effective detection requires a multi-layered approach focusing on behaviors rather than static signatures.

- **Endpoint Detection and Response (EDR)**: Deploy EDR solutions capable of detecting **DLL Sideloading** ([`T1574.002`](https://attack.mitre.org/techniques/T1574/002/)) and **Process Hollowing** ([`T1055.012`](https://attack.mitre.org/techniques/T1055/012/)). EDR rules should alert on `YUBICO_SETUP.EXE` (or other legitimate software) spawning `powershell.exe` or making outbound network connections. For detection, consider implementing D3FEND's **[Process Analysis](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis)**.
- **PowerShell Logging**: Enable enhanced PowerShell logging (Module, Script Block, and Transcription logs) to capture the full content of encoded commands used for defense evasion. This can help detect the addition of Windows Defender exclusions.
- **Network Monitoring**: Monitor and alert on network traffic to known malicious TLDs like `.top`. Inspect HTTP/S traffic for connections matching the C2 domains. D3FEND's **[Network Traffic Analysis](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)** is a key defensive technique here.
- **Persistence Mechanisms**: Regularly audit persistence locations, including scheduled tasks and Run/RunOnce registry keys. Use tools that can scan for hidden scheduled tasks created via COM interfaces.

## Mitigation

- **User Training** ([`M1017`](https://attack.mitre.org/mitigations/M1017/)): Educate users about the risks of SEO poisoning and the importance of downloading software only from official vendor websites. Verify URLs before clicking.
- **Application Control** ([`M1038`](https://attack.mitre.org/mitigations/M1038/)): Implement application allowlisting policies to prevent the execution of unauthorized software like `Health.exe`. This is a powerful defense against multi-stage malware and maps to D3FEND's **[Executable Allowlisting](https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting)**.
- **Endpoint Protection** ([`M1049`](https://attack.mitre.org/mitigations/M1049/)): Ensure antivirus and EDR solutions are enabled and configured to detect behavioral patterns, not just file signatures. Enable attack surface reduction (ASR) rules to block obfuscated scripts and suspicious process behaviors.
- **Restrict PowerShell**: If not required for administrative tasks, use PowerShell Constrained Language Mode or restrict its execution via Group Policy to prevent its abuse for defense evasion.
- **Multi-Factor Authentication (MFA)** ([`M1032`](https://attack.mitre.org/mitigations/M1032/)): Enforce MFA on all external and critical internal services to mitigate the impact of stolen credentials.

## Timeline of Events

- 2026-04-21T00:00:00Z: User searches for YubiKey Manager and is led to a malicious site via SEO poisoning.
- 2026-04-21T00:01:00Z: User downloads and mounts a malicious ISO file, executing 'YUBICO_SETUP.EXE'.
- 2026-04-21T00:01:01Z: The executable sideloads a malicious 'PYTHON311.DLL'.
- 2026-04-21T00:01:02Z: PowerShell is launched to add Windows Defender exclusions for '.exe', '.com', and the Temp directory.
- 2026-04-21T00:01:03Z: The masqueraded AutoIt interpreter 'Health.exe' is dropped and executed.
- 2026-04-21T00:01:04Z: The AutoIt script unpacks and injects the LummaStealer payload into memory using Process Hollowing.
- 2026-04-21T00:01:05Z: LummaStealer duplicates the winlogon token to gain SYSTEM privileges.
- 2026-04-21T00:01:10Z: The malware steals credentials from browsers, FTP clients, and KeePass, then takes a screenshot.
- 2026-04-21T00:01:15Z: Stolen data is archived and exfiltrated via HTTP POST to the C2 server 'verifydl.top'.
- 2026-04-21T00:01:20Z: Persistence is established via a RunOnce registry key and a scheduled task named 'NeuraLogix'.

## Source

- Unit 42, "LummaStealer Delivered Via Malicious Search Results", 2026-04-21: https://unit42.paloaltonetworks.com/lummastealer-via-malicious-search-results/