Key Points

• New Scattered Spider infrastructure discovered on Hostinger
• Silent Push content scans confirm the re-use of 2022 infrastructure to propagate new attacks
• Malicious domains parked prior to weaponization, possibly to avoid reputation degradation
• Silent Push HTML header and favicon scans used to pinpoint phishing kits across hundreds of new domains

Background

Scattered Spider are a financially motivated threat group who has been active since the second quarter of 2022.

The group is known for launching sophisticated social engineering attacks designed to obtain login credentials and MFA tokens from employees.

Scattered Spider have been responsible for hundreds of incidents in the past year, two of which generated a large amount of media interested and caused significant financial and reputational harm for the organizations involved: the Twilio/Okta breach of August 2022 and the MGM breach of September 2023.

Attacks commonly commence with sustained SMS phishing messages sent to the mobile phones of both current and former employees of the targeted organization.

Infrastructure and attack vectors

Scattered Spider phishing pages are hosted on short-lived domains that are created and hosted using bitcoin-friendly services, featuring typosquats of the targeted brand or the exact brand name followed or preceded by keywords such as ‘okta’, ‘help’, ‘sso’, and ‘servicedesk’.

The use of US registrars and providers, US carrier networks for voice and SMS phishing campaigns, the clear North American accent reported by the victims and the modus operandi of targeting US enterprises, indicates that Scattered Spider is focused on targets within the USA.

Throughout last year’s attacks, Scattered Spider used a small number of services to create and host malicious infrastructure:

2022 registrars:

• Porkbun
• NAMECHEAP

2022 ASNs

• DIGITALOCEAN (AS14061)
• AS-CHOOPA (AS20473)
• AKAMAI-LINODE-AP (AS63949)
• NAMECHEAP-NET (AS22612)

Data is exfiltrated once the threat actor obtains login credentials that provide an opportunity for lateral or elevated network movement, via a combination of techniques including a signed driver that terminates security processes, and VM admin console access via Azure Serial Console.

Front-end infrastructure shares the same code, e.g. the same favicon, ssdeep data and HTML title (‘Sign In’). The threat actor performs a call to the C2 server to obtain the target company’s name and logo, and the kit calls two legitimate Okta scripts.

Motivation

Scattered Spider uses stolen data to propagate secondary attacks across the user base of the affected company, and its supply chain operation.

This, in part, explains why the group focuses their efforts on organizations with a large amount of downstream users that aren’t directly attributed with the target organization: telecommunications providers, software and technology companies, Business Process Outsourcing (BPO) providers, and cryptocurrency platforms.

Using Silent Push data to uncover new infrastructure deployed via Hostinger

Over the past 90 days, Threat Analysts working with Silent Push first-party data have observed an increase in the number of domains created by Scattered Spider targeting organizations in the financial, insurance, investment, food ordering and delivery, retail and entertainment sectors.

Silent Push offers a monitoring feature that allows analysts to setup rules for domains or IPs that triggers an alert when a specific DNS change is detected. Silent Push analysts were researching Scattered Spider’s 2022 Twilio attack, and noticed new domains appearing in the results set.

Silent Push logs and tracks registrar and ASN information, including hosting changes, for every domain on the IPv4 scope. A large number of the new domains were registered through, and hosted on, providers not previously used by the group, indicating a notable expansion of infrastructure.

Identifying and tracking a new phishing kit

Whilst scanning for new domains, we discovered that two legacy domains which were created and used by the threat actor during 2022, t-mobile-okta[.]com and rogers-rci[.]com, had recently been re-registered via Hostinger on October 1 2023 and October 16 2023 respectively – a new registrar that Scattered Spider are not known for using (usually the group registers their infrastructure via Porkbun and NAMECHEAP).

It’s not uncommon for malicious domains to be re-registered – organizations acquire previously weaponized domains to analyze traffic or prevent them being re-used by threat actors – but we discovered that t-mobile-okta[.]com featured an active Okta-themed phishing page, one week after creation.

Scattered Spider are known to use a variety of phishing kits, including ones available on underground forums. A quick search through the Silent Push hash content database established that the above domain contains a new phishing kit that’s deployed on all Scattered Spider domains registered since September 20223 (neither the Silent Push database nor third-party URL scanners such as urlscan.io show any matches pre-September).

Domain scans revealed that the phishing page was up for a little over a day – a common characteristic of most Scattered Spider domains.

Historical scan results also revealed that the domain was aged, given that it displayed the Hostinger parked paged in the days prior to the attack. The threat actor likely uses this technique to avoid reputation degradation across global scoring systems.

To recap:

1. We discovered re-registered Scattered Spider phishing domains
2. One of them hosted a phishing kit with content resembling the type found in previous attacks
3. The TTL of the phishing page was in line with historical activity
4. The Registrar was DIFFERENT than previously seen from Scattered Spider (Hostinger in 2023 vs Namecheap or Porkbun in 2022)
5. The domains were aged, possibly after re-registration

Validating malicious domains using the Silent Push Domain Search

To confirm our hypothesis, we searched the Silent Push database for any domains created and hosted on Hostinger since September 2023, that matched Scattered Spider naming conventions, using custom regex parameters on the Silent Push Domain Search Query.

Regex examples:

• ^([^.]{1,}(-|)ss(o|p)|ss(o|p)(-|)[^.]{1,})\.(com|co|net|us|help)$
• ^([^.]{1,}(-|)okta|okta(-|)[^.]{1,})\.(com|co|net|us|help)$
• ^([^.]{1,}(-|)h(e|1)lp(|desk|now)|h(e|1)lp(|desk|now)(-|)[^.]{1,})\.(com|co|net|us|help)$
• ^([^.]{1,}(-|)my|my(-|)[^.]{1,})\.(com|co|net|us|help)$

Working with false positives

In the above syntax, we included the hyphen character as optional, given that Scattered Spider doesn’t always enforce a hyphen between the brand name and the keyword. This results in a broader results set that may return a higher number of false positives.

Enforcing the hyphen as mandatory between the keyword and the brand name returns a smaller amount of domain that whilst not covering the maximum amount of infrastructure, returns a fewer false positives.

Confirming the presence of malicious infrastructure

The above search returned hundreds of suspicious domains. We used some query parameters available through the Silent Push API and our custom query language, SPQL, to interrogate the dataset and discovered that a large number of the returned domains featured matching content and scripts, indicating the presence of a common phishing kit.

We accessed these domains using a browser and confirmed it is highly likely that they were created and launched by Scattered Spider – they all contained an Okta phishing page targeting commercial sectors that Scattered Spider have historically gone after, including Financial, Telecommunications, Software/Cloud Communications Platforms and CMR.

Here’s a sample of what we discovered:

• 53help[.]org
• aitice-usa[.]com
• att-my[.]com
• att-networks[.]net
• bbt-work[.]com
• cashsso[.]com
• fedsso[.]net
• freshworks-sso[.]com
• freshworks-sso[.]net
• freshworksso[.]com
• grayscale-sso[.]com
• grayscalesso[.]com
• graysso[.]com
• my-twilio[.]com
• podiumsso[.]com
• ssopodium[.]com
• ssotelnyx[.]com
• telnyx-sso[.]com
• telnyxsso[.]com
• victrasso[.]com
• victrasso[.]net
• workbbt[.]com

Investigating the re-use of old infrastructure

Some of the above domains were weaponized the moment they were created, whilst others were aged for days or weeks, suggesting that Scattered Spider were either in a hurry to deploy elements of their infrastructure or are possibly weaponizing domains to deliberately erratic schedules in order to avoid detection. rogers-rci[.]com was re-registered more than two months ago, yet still presents the Hostinger parked page.

After confirming that Scattered Spider are now using a different method of registering and hosting their infrastructure, we scanned for newly registered domains that used the old infrastructure, on the following parameters:

1. Registered on Porkbun and NAMECHEAP (i.e. the 2022 Registrars)
2. Registered from September 2023
3. Featured HTML content that indicated a Scattered Spider phishing page
4. Used the following ASNs from 2022:

• DIGITALOCEAN (AS14061)
• AS-CHOOPA(AS20473)
• AKAMAI-LINODE-AP(AS63949)
• NAMECHEAP-NET(AS22612)

Here’s a sample of the hundreds of domains we discovered:

• activesso[.]com
• actlvecampaign[.]net
• assurionsso[.]net
• asurionsso[.]com
• bbt-hr[.]com
• bbtemps[.]com
• bbthour[.]com
• bbtplus[.]com
• bbtvpn[.]com
• connect-cox[.]com
• dashsso[.]com
• hubsso[.]net
• intercomsso[.]net
• klaviyocorp[.]net
• postmarksso[.]com
• telesignsso[.]com
• trustsso[.]com
• workatbbt[.]com
• xn--gryscale-ox0d[.]com

Prevention

All of the domains that we have listed in this blog contained active phishing pages at the point of discovery, but there are potentially hundreds of others that are being aged in preparation for an attack.

Scattered Spider’s deployment methods feature identifiable patterns and commonalities that allow Silent Push users to discover associated infrastructure and enumerate the threat actor’s online presence, using an array of lookups that can be tailored to a unique set of requirements.

Applicable queries

Silent Push Community and Enterprise users should execute the following Brand Impersonation queries to detect and monitor Scattered Spider brand spoofing campaigns that feature common naming conventions, targeting their own infrastructure:

• ^(BRANDNAME(-|)ss(o|p)|(o|p)(-|)BRANDNAME)\.(com|co|net|us|help)$Looks for a domain as a brand name, followed or preceded by SSO or SSP (typosquatted version of SSO), with an optional hyphen between company name and keyword, on those 5 TLDs.
• ^(BRANDNAME(-|)okta|okta(-|)BRANDNAME)\.(com|co|net|us|help)$Looks for a domain as a brand name followed or preceded by Okta, with an optional hyphen between company name and keyword, on those 5 TLDs.
• ^(BRANDNAME(-|)h(e|1)lp(|desk|now)|h(e|1)lp(|desk|now)(-|)BRANDNAME)\.(com|co|net|us|help)$Looks for a domain as a brand name followed or preceded by a typosquatted version of ‘helpdesknow’, with an optional hyphen between company name and keyword, on those 5 TLDs.
• ^(BRANDNAME(-|)my|my(-|)BRANDNAME)\.(com|co|net|us|help)$Looks for a domain as a brand name followed or preceded by “my”, with an optional hyphen between company name and keyword, on those 5 TLDs.

Silent Push users should also make use of the platform’s On-Demand Endpoint Scan to locate infrastructure featuring the same phishing kit content, by harvesting HTML title, page content, SSL information and favicon hash data from a single URL.

Early Detection Feeds

Silent Push Enterprise users benefit from two Early Detection Feeds – ‘Scattered Spider Domains and IPs’ and ‘Scattered Spider Suspected Domains and IPs’ – that allow security teams to track and monitor Scattered Spider infrastructure either using the Silent Push console, or via an API that enriches an existing security stack with realtime threat data.

Register for Silent Push Community Edition

All of the lookups and datasets we used to detect and traverse Scattered Spider’s phishing infrastructure are available via Silent Push Community Edition – a free threat hunting platform available to security pros, researchers and analysts, including:

• Brand Impersonation queries
• Advanced domain searches
• URL-based HTML content scans

IOFAs

• actlvecampaign[.]net
• activesso[.]comassurionsso[.]net
• asurionsso[.]com
• bbt-hr[.]com
• bbtemps[.]com
• bbthour[.]com
• bbtplus[.]com
• bbtvpn[.]com
• connect-cox[.]com
• dashsso[.]com
• hubsso[.]net
• intercomsso[.]net
• klaviyocorp[.]net
• postmarksso[.]com
• telesignsso[.]com
• trustsso[.]com
• workatbbt[.]com
• xn--gryscale-ox0d[.]com
• 53help[.]org
• aitice-usa[.]com
• att-my[.]com
• att-networks[.]net
• bbt-work[.]com
• cashsso[.]com
• fedsso[.]net
• freshworks-sso[.]com
• freshworks-sso[.]net
• freshworksso[.]com
• grayscale-sso[.]com
• grayscalesso[.]com
• graysso[.]com
• my-twilio[.]com
• podiumsso[.]com
• ssopodium[.]com
• ssotelnyx[.]com
• telnyx-sso[.]com
• telnyxsso[.]com
• victrasso[.]com
• victrasso[.]net
• workbbt[.]com

Key points

• Behavioural fingerprinting and content similarity scans used to reveal 150+ new Lumma C2 IOCs.
• Administrator TTPs and new malware iterations used to reveal an new pre-attack landscape.
• New Lumma domain administrator email addresses discovered.

Background

Lumma (also known as LummaC2) is an information stealer with strong links to Russian threat activity, that’s been available on the dark web as a MaaS platform since 2022.

The malware – available for between $250-$1,000 per month – steals system data and sensitive information from infected machines, including browser data, stored credentials, and cryptocurrency data.

Lumma advertisement on a dark web forum (Source: cyble[.]com)

Previous Russian research

In December 2022 we published research on the Ursnif/Gozi banking trojan – an early C2 progenitor with its roots in the Russian criminal underworld, distributed via AnyDesk phishing pages.

We followed this up in February 2023 with a blog on how we uncovered a Russian infostealing campaign that distributed malware (including the Burmilia infostealer) via hijacked YouTube channels.

Despite a renewed focus on Russian APT activity that came as a result of private sector research – itself a validation of the FBI’s vision for private and public sector collaboration announced at mWise this month – Lumma has remained a persistent threat. Our Analysts remained on the trail of Russian C2 infrastructure throughout the summer, and kept abreast of emerging threats into the fall.

Investigation summary

In this blog, we’ll take a look at Lumma’s delivery methods, before showing how we used a single HTTP header to map over 150 previously unknown Lumma C2 servers, pinpointing new attack vectors and using the attackers’ own TTPs against them to reveal a previously unexplored threat landscape… all with the help of a Russian poet that’s been dead for nearly a century.

If that sounds weird, we can explain…

Delivery method

Before we delve into how we tracked the new infrastructure, let’s take a brief look at thin end of the wedge – the malware itself.

How Lumma ends up on a user’s machine depends entirely on the motives and tactics of the operator who purchased the infostealer from its administrators, but generally speaking the payload is distributed via two methods:

• Spear phishing campaigns featuring malicious email attachments, and social engineering tactics that lure victims into executing the payload.
• Malvertisement campaigns and cracked software links – particularly within YouTube video descriptions, and gaming content.

As we’ll go on to discuss, the new version of Lumma also features steganographic PNGs that hide malicious content within embedded image files.

Case study – Distributing the Lumma infostealer via YouTube video descriptions

We published research earlier this the year that explored how Russian threat actors embed malware in the video descriptions of hijacked YouTube channels. This delivery method remains popular, especially among the gaming community. Here’s an example of a YouTube channel – @simbatplay – with 82,000 subscribers, hosting multiple videos that advertise hacks, scripts and tools for popular online games:

@simbat YouTube channel

Video descriptions contain a link to URL shortener, that redirects to file hosting service such as mediafire[.]com, stating an alternate ‘mirror’ domain:

@simbat video description with malware link

Executable behaviour

Mirrored domains use VirusTotal themed colours to host the same file, with an inactive ‘Visit VirusTotal’ link placed next to a ‘Download’ button:

Lumma download content from izoc[.]us

The ‘Download’ button leads to password protected .rar files, containing executables and DLL files.

The executables are artificially inflated into larger file sizes with binary padding techniques that counteract submissions into public sandbox tools – behaviour consistent with the campaigns that have been observed earlier in the year.

Once executed, the malware attempts to read an array of on-device data, including local cryptowallet data, browser data, and stored credentials:

Attempted malicious cryptowallet file reads

Attempted credential harvesting

POST request

Once user data has been collected, the malware attempts to establish a connection with associated C2 domains, and sends information via unencrypted archive files.

The malware also retrieves a config list from the C2 server, which means that extracted data is not embedded within the infostealer itself.

Here’s a HTTP POST request to a Lumma C2 server that we’ve identified – erorblackday[.]xyz – registered by [email protected], an email address associated with multiple C2 servers that we’ll talk about a little later on.

Lumma POST request to erorblackday[.]xyz

Discovering new infrastructure

Early reports from security researchers matched Lumma C2 activity to the HTML title “LummaC2 | Вход”.

Silent Push scans the Internet’s entire IPv4 range and collects granular data on every observable we come across, including HTML data, allowing us to form a top down picture of attacker TTPs, rather than relying on isolated IOCs.

We took the above HTML title and executed a content similarity scan, which unearthed 6 Lumma C2 IPs active sometime between January-May 2023, with identical HTML titles:

• 144.76.173[.]247
• 195.123.226[.]91
• 45.9.74[.]78
• 77.73.134[.]68
• 82.117.255[.]127
• 82.118.23[.]50

The hunt begins…

Further analysis revealed an associated HTML header that was slightly different to the one that was already widely known: “Вход” (login in Russian), without the “Lumma C2” prefix.

Pivoting on both the long and short title failed to produce a reliable set of results, so instead of utilizing header data, we used the platform to execute a content scan across the entire IPv4 space:

These new search parameters proved fruitful – 33 new IP addresses used as Lumma C2s, including interval data and title information.

2 of the 33 IPs contained active Lumma C2 control panels – 157.90.248[.]179 and 213.252.244[.]62

Lumma control panel on 157.90.248[.]179

Analysing C2 ASN data revealed a broad geographic spread, not limited to regions associated with Russian activity:

Lumma C2 ASN distribution

Discovering new MaaS control panels

30-day historic domain scans revealed 6 live domains displaying the Lumma control panel:

• gstatic-service[.]io
• scandimyth[.]xyz
• sisadmin-my[.]xyz
• stoptme[.]xyz
• privategame[.]xyz
• traftech[.]pro

Once we’d gathered this new dataset, we started to explore the DNS scanning opportunities a domain subset presents, as opposed to a list of IP addresses.

Our team noticed that all of the domains are proxied to Cloudflare besides traftech[.]pro, which is hosted on 213.252.244[.]62 – an active Lumma C2.

Historical DNS records for sisadmin-my[.]xyz

Historical DNS records for sisadmin-my[.]xyz

With the domain IOCs hiding behind Cloudflare, and following no obvious naming pattern aside from a reoccurring TLD (.xyz), we expanded our investigation to take in enriched WHOIS data.

We immediately noticed that some of the domains had been registered using the email [email protected]:

WHOIS data for sisadmin-my[.]xyz

We then used an advanced domain search query to pivot on [email protected] that revealed 111 new Lumma C2 domains, 53 of which are still active.

All of these domains appear to be proxied to Cloudflare and registered from 23 June 2023 onwards:

Lumma-linked domain registrations from June 23 2023 onwards

The curious case of Sergei Yesenin’s body data

It’s not just human cadavers that offer up forensic clues to intrepid investigators. Body data fom a webpage can be just as enlightening (and a lot easier to extract!).

Sergei Yesenin was a Russian poet born in 1895. Yesenin spent his days wandering the streets of Moscow and Leningrad, romanticising a rural Russia that was utterly at odds with the relentless march of industrial life in the early 20th-century.

Why is any of this relevant? Yesenin is a poster boy for modern-day Russians that harbour anti-Western sentiments, and yearn for a return to the “good old days” of Russian imperialism. America, according to Yesenin, was “a stinking place where not just art is being murdered, but with it, all the loftiest aspirations of humankind.”

Get off the fence, Sergei!

We scanned the new domains we’d gathered and noticed that, rather than containing Lumma control panels, some of them hosted a page with a poem from Yesenin, complete with a picture of the dapper young poet in his Sunday best:

Russian-language Sergei Yesenin content on 2flowers-my[.]xyz

Translated Sergei Yesenin content on 2flowers-my[.]xyz

We initially hypothesized that that Lumma’s administrators had recently amended their C2 infrastructure to point at the Yesenin content to evade detection.

This piece of analysis, however, wasn’t entirely correct. Further investigation showed that some domains had actually shifted back from the Yesenin page to a Lumma control panel.

We used Sergei Yesenin’s “body” (OK, the page content, but it’s close enough!) to scan our database for Lumma C2 domains and IPs displaying the same content, leading us to 71 IOCs, 15 of which were still active.

We were able to confirm the link between these new domains and Lumma by cross referencing various pieces of DNS and WHOIS data with what we already knew about confirmed IOCs.

Most of the domains were proxied to Cloudflare, and had been registered on PDR in the past month, with a Gmail address as the registrant, but this time with a different prefix to levisrogers13 – [email protected]:

WHOIS information for Lumma C2 domain

Using a domain search query to pivot on this new email address, we uncovered 20 domains (none active) linked to Lumma, all of which had all been registered on since 19 August 2023 – as with the [email protected] domains, all of them appear to be proxied to Cloudflare.

Obtaining non-proxied domain data

During our investigation, we noticed something odd about a group of 4 domains that shared a similair naming convention.

Contrary to the majority of Lumma C2 IOCs, this subset isn’t proxied to Cloudflare, which gave us all kinds of pivoting options that we weren’t able to use with the Cloudflare domains:

• lazagrc2cnk[.]xyz
• lazagrc3cnk[.]xyz
• ocmtancmi2c4t[.]life
• ocmtancmi2c5t.life

Either the attackers got sloppy, or deliberately left them unproxied for technical reasons. Either way, our old friend Mr Yesenin was able to confirm their involvement:

lazagrc2cnk[.]xyz unproxied C2 domain

OK, so now we had a workable subset, that we can use in conjunction with our scanned data to pivot through hosting information, and cross reference with known TTPs to locate additional infrastructure.

To begin, we took the above domain – lazagrc2cnk[.]xyz – and analyzed all the IP addresses that have ever hosted it since its creation, using the Silent Push IP diversity query:

We discovered that in August 2023, it was hosted on 194.87.31[.]176, using the ASN AS207713 – GIR-AS, RU.

During the same period, another domain was hosted on the same IP and ASN that didn’t appear on the subset of 4, but still looked suspicious due to it’s similarity to known malicious domains: ocmtancmi2c5t[.]xyz.

Expanding the search with a regex

A quick regex search on ^ocmtancmi[0-9]c[0-9]t.[a-z]{1,}$ uncovered 8 new domains (a search on ^lazagrc[0-9]cnk.[a-z]{1,}$ yielded no results):

• ocmtancmi2c4t[.]live
• ocmtancmi2c4t[.]site
• ocmtancmi2c4t[.]website
• ocmtancmi2c4t[.]xyz
• ocmtancmi2c5t.[.]ive
• ocmtancmi2c5[.].ltd
• ocmtancmi2c5t[.]site
• ocmtancmi2c5t[.]website

We then started to wonder why these domains hadn’t appeared in our previous scans, detailed earlier in this blog.

The answer was immediately apparent – we hadn’t collected all of their WHOIS data, and the domains were not showing either Sergei’s poem or the Lumma control panel page, both of which we’d used to fingerprint the earlier C2 domains.

Instead of known malicious content, the domains displayed a standard 503 error:

Error 503 on ocmtancmi2c4t[.]live

Traversing Lumma subdomains

We quickly noticed another differentiator that set these new domains apart from the bunch… they contained subdomains. As with the omission of a Cloudflare proxy, this afforded us even more opportunity to map out the attackers’ infrastructure.

Mass scanning of every subdomain alerted us to an open directory on stable4download.ocmtancmi2c5t[.]website, containing a new version of the infostealer:

Open directory on stable4download.ocmtancmi2c5t[.]website

The open directory structure also revealed the use of malicious PNG files used for steganography purposes to deliver the payload, reminiscent of the Cold War-era microdots used to convey clandestine message between intelligence operatives.

Here’s an directory filled with microdotted PNG files on the aforementioned subdomain:

Use of steganography on stable4download.ocmtancmi2c5t[.]website

Malware analysis leads to 80+ new C2 servers

Over the past few days, several threat researchers reported the discovery of 3 new Lumma C2 domains, all proxied to Cloudflare and registered via PDR between 14-24 September 2023:

• treepledeeple[.]fun (email: [email protected])
• orkograkula[.]fun (email: [email protected])
• firmpanacewap[.]fun ([email protected])

Additional scans pinpointed two further domains, registered with the same timestamps using the same registrar (PDR), all proxied to Cloudflare:

• curtainjors[.]fun (email: [email protected])
• starblack[.]fun (email: [email protected])

All of the above 5 domains display a “Welcome to nginx!” page:

ngninx C2 page fortreepledeeple[.]fun

Earlier versions of Lumma feature a hardcoded configuration. Newer versions, however, use a different communication method.

We’re not able to divulge too much information about how we used the new infostealer version against itself, but our Threat Analysts were able to locate an entirely new threat landscape containing 86 previously unknown Lumma C2 domains operating the new version of the infostealer, all of them active, and most of them registered with personal email addresses which were sometimes shared between domains.

Not one of the discovered domains was flagged as malicious by Virus Total:

Lumma C2 veinsmoter[.] fun on VirusTotal4

Lumma C2 withdrawlecterns[.] fun on VirusTotal

Some of the domains were hiding behind a Cloudflare captcha. Solving the captcha revealed that all of them were Lumma C2s:

Cloudflare captcha for chocomeat[.]fun

Cloudflare captcha for chocomeat[.]fun

Solved Cloudflare captcha for chocomeat[.]fun/login, revealing Lumma C2

Conclusion

In this blog, we’ve shown how we took a single piece of data – a HTML header – and used our platform to extrapolate 150+ new C2 IPs, domains and control panel URLs, by focusing on how attackers deploy their infrastructure.

Malicious domains and IP addresses offer minimal insight to SOC teams and threat hunters when taken in isolation. Just like the punch that a boxer doesn’t see, the most injurious attacks originate from an unknown source.

Lumma feed data ingested into a SOAR/SIEM that relies on bare lists of C2 servers without any consideration of the underlying TTPs involved is borderline redundant once published, and it has to be said, significantly overvalued by the industry as a whole.

Lumma’s operators and administrators aren’t stupid. Immoral, but not stupid. They know full well when their infrastructure has been compromised, and they adjust their attack vectors accordingly to render most threat data relatively useless upon discovery – unless it’s part of a broader analysis that turns their own methods against them, and tracks their movement across the Internet.

That’s where we come in…

Silent Push maps attacker TTPs by building a behavioural fingerprint that’s aggregated, clustered, enriched, and scored to provide the most complete view of Lumma C2 activity available anywhere in the world.

Silent Push Enterprise customers have access to a bespoke Early Detection feed containing all the Lumma threat data we’ve referred to in this blog, plus any other Lumma IOCs we detect in subsequent scans. Email [email protected] for more details.

The Silent Push Community Edition features many of the tools, lookups and queries that we used to track Lumma C2 infrastructure, including passive DNS lookups, domain pivots and a lot more. Register here for free.

Selected IOCs

Note: A full list of realtime curated IOCs is available as a feed, with a Silent Push Enterprise subscription.

157.90.248[.]179

195.123.219[.]211

195.123.219[.]212

213.252.244[.]62

89.185.84[.]37

2flowers-my[.]xyz

adavefrees[.]xyz

blockall-my[.]xyz

blockspam-my[.]xyz

bondappeal[.]xyz

boxclod[.]xyz

buyerbrand[.]xyz

catfoodbio[.]xyz

chocomeat[.]fun

cleanvr[.]xyz

cloudsnike-my[.]xyz

coinflore-my[.]xyz

coolworks[.]xyz

coolworkss[.]xyz

cosmosvr3d[.]xyz

culturalevenings[.]xyz

cvadrobox[.]xyz

damageagio[.]xyz

deeppoetry[.]xyz

demanddeal[.]xyz

diavellipromo-my[.]xyz

dogshanter[.]xyz

downloaddedattre[.]fun

downloadfiles-my[.]xyz

dromautocar[.]xyz

dropfiles-my[.]xyz

ducklingibises[.]fun

ellifotolive[.]xyz

glaziercarde[.]fun

housegrommy[.]fun

jumperstad[.]fun

lackbasinmu[.]fun

pearlbarleyhit[.]fun

politicuseles[.]fun

portlandcor[.]fun

potatomeatball[.]fun

pregnantflowers[.]fun

rarefood[.]fun

rosaryconbo[.]fun

rovengold[.]fun

royalpantss[.]fun

satanakop[.]fun

sausagerollraisin[.]fun

scruffymapleflat[.]fun

sendcyniaforeign[.]fun

shoppervik[.]fun

slimtvsocico[.]fun

socialmadness[.]fun

sodafountainpr[.]fun

startablekor[.]fun

superyupp[.]fun

talkinwhitepod[.]fun

tuberoseprod[.]fun

valleydod[.]fun

veinsmoter[.]fun

waterparkedone[.]fun

withdrawlecterns[.]fun

wolffunny[.]fun

yachtracingopt[.]fun