LummaStealer Abuses Windows Utility to Execute Remote Code Mimic as .mp4 File

LummaStealer, a sophisticated information-stealing malware distributed as Malware-as-a-Service (MaaS), has evolved with new evasion techniques that abuse legitimate Windows utilities.

Originally observed in 2022 and developed by Russian-speaking adversaries, this malware has demonstrated remarkable agility in evading detection while targeting a wide range of Windows systems.

Its primary function is to collect sensitive data including credentials, cookies, cryptocurrency wallets, and other personally identifiable information.

The threat actors behind LummaStealer employ various social engineering tactics to initiate infections, with phishing emails being the most prevalent delivery method.

These emails typically contain malicious links that direct users to fake CAPTCHA pages. Once users interact with these pages, they are socially engineered into copying and pasting malicious scripts into the Windows Run dialog box, triggering the deployment of the first-stage payload silently in the background.

Cybereason security researchers identified a new and concerning infection vector where LummaStealer abuses the legitimate mshta.exe Windows utility to execute remote hosted code that masquerades as an .mp4 multimedia file.

This technique, classified as T1218.005 under the MITRE ATT&CK framework, allows attackers to bypass application control solutions and browser security settings since the execution occurs outside the browser’s security context.

Upon analysis of the infection chain, researchers found that the malicious link directs the system to a specific directory containing what appears to be an MP4 file.

However, this file actually contains a combination of hexadecimal and obfuscated JavaScript code that the mshta.exe process can open and execute.

When a user opens this disguised MP4 file, the heavily obfuscated JavaScript code initiates a multi-stage infection process.

Deobfuscation Reveals Sophisticated Payload Structure

The core of LummaStealer’s evasion technique lies in its layered obfuscation approach. The initial JavaScript payload contains a variable named “Fygo” with the final version of the second-stage PowerShell payload, which is executed via the ‘eval’ JavaScript function.

This function doesn’t distinguish between JavaScript expressions, variables, or statements, allowing it to execute any code passed to it with the sender’s privileges.

A critical code snippet from the analyzed sample shows the deobfuscation mechanism:-

eval(Fygo.replace(/(..)./g, function(match, p1) {return String.fromCharCode(parseInt(p1, 16))}))

This code decodes the hex-encoded string stored in the Fygo variable by replacing each pair of hex digits with the corresponding character. Further analysis revealed that this decoded content contains PowerShell commands designed to bypass security controls.

When executed, the PowerShell script deploys a third stage that contains an AMSI bypass technique targeting the AmsiScanBuffer function.

The code searches for the signature “AmsiScanBuffer” in memory regions associated with clr.dll and overwrites it with null bytes, effectively disabling Microsoft’s anti-malware scanning interface. Figure 1 illustrates the attack flow from the fake CAPTCHA page to PowerShell execution.

The decrypted final payload includes a significant Base64-encoded .NET assembly that contains the actual LummaStealer malware.

This assembly is loaded directly into memory using reflection techniques, allowing it to operate without writing files to disk—a method that significantly reduces detection rates by avoiding traditional file-based security controls.

According to Cybereason’s research, this variant of LummaStealer is likely distributed through the “Professional” or “Corporate” subscription tiers of the malware service, which offer advanced features like non-resident loaders and enhanced evasion capabilities.

This underscores the growing sophistication of malware-as-a-service offerings in the cybercriminal ecosystem.

Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy

The post LummaStealer Abuses Windows Utility to Execute Remote Code Mimic as .mp4 File appeared first on Cyber Security News.