A sophisticated phishing campaign is exploiting the popularity of Telegram Premium to distribute a dangerous variant of the Lumma Stealer malware. Security researchers at Cyfirma have identified a fraudulent website, telegrampremium[.]app, which mimics the legitimate Telegram Premium signup page. Upon visiting the site, users unwittingly download and execute the start.exe file, a C/C++ executable, without any interaction required. This constitutes a drive-by download attack, a highly effective method of delivering malware.
The Lumma Stealer is designed to exfiltrate sensitive user data, including stored browser credentials, cryptocurrency wallet details, and comprehensive system information. This stolen information significantly increases the risk of identity theft and financial loss for victims. The malware’s high entropy suggests the use of sophisticated encryption techniques to obfuscate its code, making detection by standard antivirus software more challenging.
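The entropy signal mentioned above is easy to check in triage. The following is an added example (not from Cyfirma's report or the malware) that scores a file window by window, so an encrypted blob embedded in an otherwise ordinary executable still stands out even when the whole-file average looks harmless; the 7.2-bit threshold and the sample byte strings are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Assumed threshold: encrypted or packed data sits near the 8.0-bit maximum,
# while plain machine code and text usually score well below it.
HIGH_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy of each fixed-size window over the file contents."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def flag_high_entropy(data: bytes, chunk_size: int = 1024,
                      threshold: float = HIGH_ENTROPY_THRESHOLD) -> dict:
    """Report the overall entropy plus the indices of windows at or above
    the threshold; a single hot window is enough to mark the file suspicious."""
    per_chunk = chunk_entropies(data, chunk_size)
    hot = [i for i, e in enumerate(per_chunk) if e >= threshold]
    return {
        "overall": shannon_entropy(data),
        "chunks": len(per_chunk),
        "high_chunks": hot,
        "suspicious": bool(hot),
    }


# Constructed sample inputs (not artifacts from the campaign):
PLAIN_BLOCK = b"\x00" * 1024             # zero padding: entropy 0.0
ENCRYPTED_BLOCK = bytes(range(256)) * 4  # every byte value equally often: 8.0
MIXED_SAMPLE = PLAIN_BLOCK + ENCRYPTED_BLOCK + PLAIN_BLOCK

if __name__ == "__main__":
    # Whole-file average hides the payload; the per-window scan flags chunk 1.
    print(flag_high_entropy(MIXED_SAMPLE))
```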
Analysis reveals that the malware interacts extensively with the Windows operating system, utilizing numerous Windows API functions to manipulate files, modify the registry, access the clipboard, and execute additional malicious payloads. Furthermore, its use of Google’s public DNS server for queries bypasses internal network security controls. Communication with legitimate services like Telegram and Steam, combined with algorithmically generated domains, provides multiple communication channels that are difficult to track and shut down, allowing the malware to remain active and evade detection.
The temporary nature of the malicious website and its hosting characteristics indicate a targeted, short-lived campaign. The malware employs further evasion techniques by dropping multiple disguised files, including encrypted payloads pretending to be image files, in the user’s temporary directory. These files are later renamed and executed as obfuscated scripts, allowing the malware to erase its traces effectively.
The use of functions like Sleep to delay execution and LoadLibraryExW to load DLLs stealthily contributes to its ability to remain undetected. Effective protection against such threats requires a multi-layered approach encompassing robust security software, regular updates, and a high level of user awareness regarding suspicious websites and unsolicited downloads.