Mapping latest Lumma infrastructure
C2, distribution & ASN clustering
Another week, another Lumma hunt. Despite the efforts of law enforcement agencies, Lumma stands strong; new malware distribution and C2 domains are constantly created.
This hunt started from the domain nonsazv[.]qpon, reported as a Lumma C2. The domain is hosted at an IP registered to Aeza (ASN 210644), a known bulletproof hosting provider, so it immediately shows potential for a pivot.
Often, threat actors generate multiple domains using similar naming conventions for their campaigns, so we can start our investigation on the URLScan platform by searching for the .qpon naming convention in combination with the ASN to check for additional domains.

page.domain:*.qpon AND asn:"AS210644"

The search returns 7 unique domains matching our parameters. Additionally, we can take note of the server technology used, which is nginx/1.24.0 (Ubuntu).
nonsazv.qpon
pictuqyr.qpon
pattemqr.qpon
apothfya.qpon
fruiunp.qpon
brunsmmv.qpon
bac-bank.qpon

Now that we have our first set of domains, we can start pulling the thread. We’ll analyze the domains, figure out where they are hosted, review any communicating files, and cluster the findings based on common characteristics.
Domain Analysis: *.qpon
pictuqyr[.]qpon
Analyzing our domains shows that most of them are hosted at 46.28.71.142, owned by ROUTE95 GREEN FLOID LLC (ASN 8254). Using Validin, we can expand on the IP and uncover additional domains that were not found in our URLScan search. On the same host, Validin reports 320 domains, most of them already flagged as Lumma malware. The majority of these domains are still active.
Among those domains, the most used extensions include .top, .xyz, .qpon and .ru.
Of the initial group of domains, the only one not hosted on ASN 8254 is bac-bank[.]qpon. This domain is hosted at 217.156.66.212, ASN 48753 (Ava Host Srl). Unfortunately, I couldn’t find anything to pivot on for this IP (certificate, hashes, JARM, fingerprint), so I decided to try something different.
Following the Infection Chain
Let’s approach this from another direction: by following the malicious files through the malware’s execution chain, we can work out the starting point.
As we established above, the infection chain starts with a zip file that contains the Lumma malware; the malware in turn communicates with its C2 servers.
Reviewing the execution/infection chain, we can follow the domains and IPs associated with the .zip file that is spreading the malware, which leads to the following indicators.
We’ll start by analyzing the only IP we have in our list.
Host Fingerprint Pivot
172.86.89.51
There are over 350 malicious domains following naming conventions similar to the ones we noticed above. We can pivot further from that host using the certificate fingerprint.
This pivot leads to 12 new findings: these IPs host domains matching our hypothesis and communicate with files associated with Lumma. The hypothesis is further reinforced since one of the findings is the .qpon hosting IP (46.28.71.142).
Applying similar logic we can pivot using Validin’s cert fingerprint IP hash on the remaining IPs of the above list.
Our last pivot takes us to IPs hosted on Routerhosting & Proton66 ASNs.
As we mentioned before, threat actors often deploy resources in the same hosting providers, making clustering easier.
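As an added illustration (not code from the original post), the pivot sequence above written out in Python: filter by TLD and ASN as the URLScan query does, expand to every domain co-hosted on the same IP, pivot on the certificate fingerprint to reach further IPs, then cluster the result by ASN. The domains, fingerprints and RFC 5737 test-range IPs are constructed; only the ASN labels come from the post.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:  # one hosting observation: domain, serving IP, its ASN, TLS cert fingerprint
    domain: str
    ip: str
    asn: str
    cert_fp: str

# Constructed sample data (not real infrastructure): domains and cert fingerprints are
# invented, IPs come from RFC 5737 test ranges; only the ASN labels come from the post.
OBS = [
    Observation("alpha-xyz.qpon", "192.0.2.10", "AS210644", "c0ffee01"),
    Observation("beta-qrs.qpon", "192.0.2.10", "AS210644", "c0ffee01"),
    Observation("gamma-lmn.top", "192.0.2.10", "AS210644", "c0ffee01"),
    Observation("delta-bank.qpon", "198.51.100.7", "AS48753", "deadbeef"),
    Observation("eps-shop.xyz", "203.0.113.22", "AS8254", "c0ffee01"),
    Observation("legit-site.com", "198.51.100.50", "AS15169", "feedface"),
]

def seed_domains(obs, tld, asn):
    """Step 1: emulate the URLScan query page.domain:*.<tld> AND asn:"<asn>"."""
    return sorted({o.domain for o in obs if o.domain.endswith("." + tld) and o.asn == asn})

def expand_by_ip(obs, domains):
    """Step 2: add every domain co-hosted on an IP that serves one of the seed domains."""
    ips = {o.ip for o in obs if o.domain in domains}
    return sorted({o.domain for o in obs if o.ip in ips})

def pivot_by_cert(obs, ips):
    """Step 3: other IPs presenting the same certificate fingerprint as the given IPs."""
    fps = {o.cert_fp for o in obs if o.ip in ips}
    return sorted({o.ip for o in obs if o.cert_fp in fps} - set(ips))

def cluster_by_asn(obs, domains):
    """Step 4: group discovered domains by ASN to see where the infrastructure concentrates."""
    out = defaultdict(set)
    for o in (o for o in obs if o.domain in domains):
        out[o.asn].add(o.domain)
    return {asn: sorted(d) for asn, d in sorted(out.items())}

def hunt(obs, tld="qpon", asn="AS210644"):
    """Run the four pivots in sequence and return each stage's result."""
    seeds = seed_domains(obs, tld, asn)
    expanded = expand_by_ip(obs, seeds)
    new_ips = pivot_by_cert(obs, {o.ip for o in obs if o.domain in expanded})  # IPs of expanded set
    found = set(expanded) | {o.domain for o in obs if o.ip in new_ips}
    return {"seeds": seeds, "expanded": expanded,
            "cert_pivot_ips": new_ips, "by_asn": cluster_by_asn(obs, found)}
```

A host whose certificate appears nowhere else (delta-bank.qpon in the sample) yields an empty cert pivot, the same dead end the post hits with bac-bank[.]qpon.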
Proton66 & Routerhosting
To further reinforce our hypothesis of infrastructure clustering on Routerhosting and Proton66, we can expand our investigation using the list of indicators we found in the .zip that was spreading the malware. As you can see in the image below, the connection is clear, indicating the use of specific infrastructure by the threat actors for this campaign.
Conclusion
I believe this investigation shows how Lumma’s operators often rely on concentrated infrastructure that makes clustering possible. The heavy use of specific ASNs like Aeza, Routerhosting, and Proton66 creates detection opportunities despite the domain rotation.
Many stones are left unturned; for example, I will follow up on domain registration timing, first-seen timestamps, neighboring IPs, etc.
For now though, I will stop here. As always, I hope you are all doing well and please reach out if you want to geek out on these subjects.
Take care!
Great article. Do you think you would be able to go further in-depth of how you create the infection chains and such, perhaps, a quick screenshot of you finding the IOCs? And how you found the other domains from the other graphs you made?