New Zealand Launches Massive Public Alert, Warning 26,000 Citizens of Lumma Stealer Malware Infections

New Zealand's NCSC Emails 26,000 Individuals in Unprecedented Warning About Lumma Stealer Malware

HIGH
December 17, 2025
Categories: Malware, Phishing, Data Breach

Impact Scope

People Affected

26,000

Industries Affected

Government, Finance, Other

Geographic Impact

New Zealand (national)

Related Entities

Products & Tech

Microsoft Windows

Full Report

Executive Summary

New Zealand's National Cyber Security Centre (NCSC) has undertaken an unprecedented public outreach campaign, directly emailing approximately 26,000 individuals to alert them that their devices may be infected with the Lumma Stealer malware. This large-scale notification, a first for the agency, addresses a significant campaign by the potent information-stealing malware. Lumma Stealer targets Microsoft Windows systems to covertly steal a wide range of sensitive data, including passwords, browser cookies, banking information, and cryptocurrency wallets. The NCSC has warned that some compromised credentials have already been linked to government and financial institution systems, posing a serious and immediate risk of financial fraud and identity theft to the affected individuals. The alert directs recipients to official resources for remediation and security hygiene.


Threat Overview

Lumma Stealer is a prominent Malware-as-a-Service (MaaS) info-stealer available for purchase on dark web forums. This business model allows even low-skilled cybercriminals to deploy sophisticated attacks. The primary goal of Lumma Stealer is data theft for financial gain.

  • Infection Vector: While the source articles do not specify the delivery method, info-stealers like Lumma are typically distributed through phishing emails with malicious attachments, cracked software downloads, or malvertising campaigns that trick users into downloading a malicious file.
  • Targeted Data: Once executed on a victim's Windows machine, the malware operates stealthily to collect:
    • Credentials stored in web browsers (e.g., Chrome, Firefox, Edge)
    • Session cookies, which can be used to bypass MFA
    • Credit card and banking information
    • Cryptocurrency wallet files and browser extension data
    • System information and credentials for other applications like FTP clients or VPNs.
  • Exfiltration: The stolen data is packaged and exfiltrated to an attacker-controlled server, often using protocols like HTTP or via platforms like Telegram.

The NCSC's action was prompted by intelligence received from international and domestic partners, indicating a significant number of New Zealanders were compromised in this campaign.


Technical Analysis

Info-stealers like Lumma Stealer follow a well-defined attack pattern:

  1. Delivery & Execution: The malware is delivered to the victim, often disguised as a legitimate document or installer. The user is tricked into executing it, aligning with T1204.002 - User Execution: Malicious File.
  2. Defense Evasion: The malware often employs obfuscation and anti-analysis techniques to avoid detection by antivirus software and to hinder reverse engineering.
  3. Credential Access: This is the primary function. The malware systematically targets local data stores for sensitive information.
  4. Collection: The stealer gathers data from various sources, including files related to cryptocurrency wallets (T1631 - Steal or Forge Authentication Certificates), and packages it for exfiltration.
  5. Command & Control / Exfiltration: The collected data is sent to the C2 server. T1041 - Exfiltration Over C2 Channel is commonly used.

Impact Assessment

The impact on the 26,000 affected individuals is significant and multi-faceted:

  • Financial Loss: Stolen banking credentials and cryptocurrency wallet data can lead to direct and immediate theft of funds.
  • Identity Theft: The wealth of stolen personal information can be used to open fraudulent accounts, take out loans, or commit other forms of identity fraud.
  • Account Takeover: Compromised passwords for email, social media, and other online services can lead to a complete takeover of a person's digital life.
  • Corporate and Government Risk: As confirmed by the NCSC, stolen credentials for government and corporate systems can be used to pivot from a personal device into a secure organizational network, leading to a much larger breach.
  • Further Attacks: The stolen information can be used to conduct highly targeted and convincing spear-phishing attacks against the victim or their contacts.

Detection & Response

For individuals who received the notification or suspect infection:

  • Follow Official Guidance: Visit the NCSC's "Own Your Online" website as instructed in the official email (no-reply@comms.ncsc.govt.nz).
  • Run Antivirus Scans: Use a reputable antivirus or anti-malware solution to scan the Windows device and remove any detected threats.
  • Assume Compromise: Treat all passwords stored on the device as compromised. Immediately change the passwords for all critical accounts, starting with email, banking, and government services.
  • Enable MFA: Enable multi-factor authentication on every account that supports it. This is the most effective way to prevent stolen passwords from being used.
  • Monitor Accounts: Carefully monitor bank statements and online accounts for any suspicious activity.

Mitigation

Preventing info-stealer infections requires a combination of technical controls and user vigilance:

  1. Endpoint Protection: Use a modern antivirus or Endpoint Detection and Response (EDR) solution with behavioral analysis capabilities to detect and block info-stealer activity. This is a core D3FEND File Analysis (D3-FA) technique.
  2. Be Wary of Downloads: Do not download or run software from untrusted sources, including pirated software sites, torrents, or suspicious email attachments. This is a form of user training (M1017 - User Training).
  3. Secure Password Management: Use a dedicated password manager instead of saving passwords in the browser. This centralizes and better protects credentials.
  4. Email Security: Use email security gateways that can scan for malicious attachments and links to prevent the initial delivery of the malware.
  5. Regularly Update Software: Keep your operating system, web browser, and other software up to date to protect against vulnerabilities that malware could exploit.

Timeline of Events

  1. December 9, 2025: New Zealand's NCSC begins its large-scale public email notification campaign about Lumma Stealer.
  2. December 17, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Use reputable antivirus software to scan for and remove known info-stealers like Lumma.
  • Educating users about the dangers of downloading files from untrusted sources is a key preventative measure.
  • Enabling MFA on all accounts is the best defense against the use of stolen credentials.
  • Use web filters to block access to known malicious sites, cracked software repositories, and malvertising networks.

D3FEND Defensive Countermeasures

To defend against info-stealers like Lumma, organizations and individuals must employ robust File Analysis at the endpoint. This means using a next-generation antivirus (NGAV) or EDR solution that doesn't just rely on signatures but also uses heuristics and machine learning to analyze files before and during execution. For Lumma Stealer, which is often delivered via droppers or loaders, the security tool should be configured to scan all downloaded files and email attachments. It should be able to identify packed or obfuscated executables, which are common characteristics of stealers. On detection, the tool should automatically quarantine the malicious file to prevent execution, thereby stopping the infection chain before any data can be stolen. This is the first line of technical defense against this type of threat.

If a malicious file evades initial detection, Process Analysis becomes the next critical defense. An EDR tool should be configured to monitor for suspicious process behaviors characteristic of info-stealers. For Lumma, this would include a process attempting to access sensitive files like Chrome's 'Login Data' or 'Web Data' SQLite databases, or files associated with cryptocurrency wallets (e.g., wallet.dat). Create detection rules that alert when a non-browser process (e.g., an unfamiliar executable running from %APPDATA%) attempts to read from these protected locations. This behavioral detection is crucial because even if the malware's signature is unknown, its actions—accessing credential stores—are predictable and can be flagged as malicious, allowing for automated process termination and incident response.
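The detection rule described above, written out as an added example (this is illustrative code for this page, not tooling from the NCSC or from any EDR vendor). It reads constructed EDR-style file-access events, flags any process that touches a browser credential store or a wallet.dat file unless it is a browser binary running from its install directory, and raises the severity when the offending process image lives in a user-writable location such as %APPDATA%, Downloads or Temp. The event format, the store path patterns, the trusted directories and the sample lines are all assumptions made for the example; the masquerading "chrome.exe" in Temp shows why the allowance is keyed on the full path rather than the file name.

```python
import re
from dataclasses import dataclass

# Constructed EDR-style file-access events (not real telemetry). One event per line:
# timestamp|process_image|target_path
SAMPLE_EVENTS = r"""
2025-12-09T10:01:02Z|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-12-09T10:01:05Z|C:\Users\alice\AppData\Roaming\svchost_update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-12-09T10:01:06Z|C:\Users\alice\AppData\Roaming\svchost_update.exe|C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat
2025-12-09T10:01:09Z|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json
2025-12-09T10:01:12Z|C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt
2025-12-09T10:01:15Z|C:\Users\alice\Downloads\invoice.exe|C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
2025-12-09T10:01:18Z|C:\Users\alice\AppData\Local\Temp\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-12-09T10:01:21Z|C:\Program Files\BackupTool\backup.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
"""

# Each credential store: (path pattern that identifies it, executables allowed to read it).
# Patterns are assumptions for this example; tune them to the browsers and wallets in use.
SENSITIVE_STORES = {
    "chrome_credentials": (
        re.compile(r"\\google\\chrome\\user data\\.*\\(login data|web data|cookies)$", re.I),
        {"chrome.exe"},
    ),
    "edge_credentials": (
        re.compile(r"\\microsoft\\edge\\user data\\.*\\(login data|web data|cookies)$", re.I),
        {"msedge.exe"},
    ),
    "firefox_credentials": (
        re.compile(r"\\mozilla\\firefox\\profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
        {"firefox.exe"},
    ),
    "crypto_wallet": (
        re.compile(r"\\wallet\.dat$", re.I),
        set(),  # toy policy: no process is expected to read wallet files; add the wallet app if one is used
    ),
}

# A browser executable is only trusted when it runs from its install directory, so a
# copy named chrome.exe dropped into %APPDATA% or Temp does not inherit the allowance.
TRUSTED_BROWSER_DIRS = (
    "c:\\program files\\google\\chrome\\application\\",
    "c:\\program files (x86)\\google\\chrome\\application\\",
    "c:\\program files (x86)\\microsoft\\edge\\application\\",
    "c:\\program files\\mozilla firefox\\",
)

# User-writable locations that legitimate software rarely executes from.
SUSPICIOUS_DIRS = re.compile(r"\\(appdata|downloads|temp|programdata|public)\\", re.I)


@dataclass
class Alert:
    timestamp: str
    process: str
    target: str
    store: str
    severity: str


def classify_store(path):
    """Return the credential-store category a path belongs to, or None."""
    for name, (pattern, _) in SENSITIVE_STORES.items():
        if pattern.search(path):
            return name
    return None


def is_trusted_browser(process_image, store):
    """True only if the image name is allowed for this store AND it runs from an install dir."""
    allowed = SENSITIVE_STORES[store][1]
    image = process_image.lower()
    exe = image.rsplit("\\", 1)[-1]
    return exe in allowed and any(image.startswith(d) for d in TRUSTED_BROWSER_DIRS)


def detect(events_text):
    """Apply the rule to every event line and return the alerts it raises."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        timestamp, process, target = line.split("|", 2)
        store = classify_store(target)
        if store is None or is_trusted_browser(process, store):
            continue
        severity = "high" if SUSPICIOUS_DIRS.search(process) else "medium"
        alerts.append(Alert(timestamp, process, target, store, severity))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.timestamp} {alert.process} -> {alert.store}: {alert.target}")
```

Against the constructed events the rule is silent for the real Chrome and Firefox binaries and for notepad, and raises five alerts: the unknown executable in %APPDATA% reading Chrome's Login Data and then wallet.dat, the Downloads\invoice.exe reading Edge's Web Data, the chrome.exe masquerading from Temp, and a medium-severity alert for a Program Files backup tool reading Cookies (the kind of hit a SOC would triage into an exception rather than a compromise).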

To prevent the final stage of the attack—data exfiltration—implement strict Outbound Traffic Filtering. On corporate networks, configure firewalls and web proxies to deny all outbound traffic by default, only allowing connections to known-good destinations on necessary ports. For info-stealers like Lumma that exfiltrate data over HTTP/S or to Telegram, this can be highly effective. Use DNS filtering (DNS sinkholing) to block connections to known malicious C2 domains. For personal devices, a host-based firewall can be configured to prompt the user before allowing a new, unknown application to make an outbound network connection. While this requires user diligence, it provides a final opportunity to block the malware from sending stolen data back to the attacker, rendering the initial infection useless.
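The default-deny egress policy and DNS sinkholing described above, as an added example that is not part of the original article and is not the configuration of any particular firewall or proxy product. The Python evaluator applies a constructed allowlist (domain plus permitted ports), a constructed sinkhole list standing in for a C2 threat feed, and a deny for direct-to-IP connections to constructed proxy log lines. The log format, the domain names and the sample connections are assumptions made for the example; 203.0.113.10 is from the documentation address range and the ".example" domains are reserved placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed default-deny egress policy: only these destinations may be reached,
# and only on the listed ports. Everything not listed here is dropped.
EGRESS_ALLOWLIST = {
    "update.microsoft.com": {443},
    "windowsupdate.com": {80, 443},
    "intranet.corp.example": {443},
}

# Constructed sinkhole list standing in for a threat-intel feed of C2 domains.
SINKHOLED_DOMAINS = {"c2-placeholder.example", "stealer-drop.example"}

# Constructed proxy log lines (not real traffic). One connection attempt per line:
# timestamp|process_image|destination_host|destination_port
SAMPLE_CONNECTIONS = r"""
2025-12-09T10:02:01Z|C:\Windows\System32\svchost.exe|update.microsoft.com|443
2025-12-09T10:02:04Z|C:\Users\alice\AppData\Roaming\svchost_update.exe|api.telegram.org|443
2025-12-09T10:02:05Z|C:\Users\alice\AppData\Roaming\svchost_update.exe|c2-placeholder.example|443
2025-12-09T10:02:06Z|C:\Users\alice\AppData\Roaming\svchost_update.exe|203.0.113.10|80
2025-12-09T10:02:09Z|C:\Program Files\Google\Chrome\Application\chrome.exe|evilwindowsupdate.com|443
2025-12-09T10:02:12Z|C:\Windows\System32\svchost.exe|download.windowsupdate.com|80
2025-12-09T10:02:15Z|C:\Program Files\Microsoft Office\outlook.exe|intranet.corp.example|8443
"""


@dataclass
class Decision:
    timestamp: str
    process: str
    host: str
    port: int
    verdict: str   # "allow", "deny" or "sinkhole"
    reason: str


def matches_domain(host, domain):
    """Suffix match on label boundaries: 'a.b.example' matches 'b.example', 'xb.example' does not."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    """Connections straight to an IP never pass through DNS, so DNS filtering cannot see them."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(host, port):
    """Return (verdict, reason) for one destination under the default-deny policy."""
    if is_ip_literal(host):
        return "deny", "direct-to-IP connection bypasses DNS filtering"
    if any(matches_domain(host, d) for d in SINKHOLED_DOMAINS):
        return "sinkhole", "destination is on the C2 blocklist"
    for domain, ports in EGRESS_ALLOWLIST.items():
        if matches_domain(host, domain):
            if port in ports:
                return "allow", f"allowlisted {domain} on port {port}"
            return "deny", f"{domain} is allowed only on ports {sorted(ports)}"
    return "deny", "not on the egress allowlist (default deny)"


def filter_connections(log_text):
    """Evaluate every connection line and return the policy decisions in order."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, process, host, port = line.split("|", 3)
        verdict, reason = evaluate(host, int(port))
        decisions.append(Decision(timestamp, process, host, int(port), verdict, reason))
    return decisions


if __name__ == "__main__":
    for d in filter_connections(SAMPLE_CONNECTIONS):
        print(f"{d.verdict.upper():8} {d.process} -> {d.host}:{d.port} ({d.reason})")
```

On the constructed log the two Windows Update connections are the only ones allowed; the Telegram upload is dropped simply because it is not on the allowlist, the C2 placeholder domain is sinkholed, the direct-to-IP attempt and the look-alike "evilwindowsupdate.com" are denied, and the intranet connection on a non-approved port is denied too. The label-boundary check in matches_domain is the detail that keeps look-alike domains from riding on a legitimate suffix.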

Sources & References

  • The Week in Breach News: December 17, 2025. Kaseya (kaseya.com), December 17, 2025.
  • NZ cyber agency alerts thousands to malware infection. GCSB (gcsb.govt.nz), December 9, 2025.
  • NCSC issues malware data-theft alert. Covernote (covernote.co.nz), December 17, 2025.
  • New Zealand issues mass alert over Lumma malware risk. ChannelLife (channellife.co.nz), December 10, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Lumma Stealer, Malware, InfoStealer, New Zealand, NCSC, Data Theft, Credential Theft, Phishing
