Cybercriminals have updated the dreaded Lumma Stealer malware which can now harvest and modify Google cookies to access your Gmail account, search history and banking details.
Cybercriminals will stop at nothing to commit their misdeeds and are constantly developing increasingly sophisticated viruses, regardless of the targeted device. Smartphones, iPhone, PC, Mac… No one is safe! The goal is always the same: siphon off as much personal and banking data as possible. Lately, it’s malware called Lumma Stealer – also known as Lumma C2 – that has been worrying cybersecurity researchers. Sold on the Dark Web as a subscription – for prices ranging from $250 to $1,000 – since 2022, it was developed to target cryptocurrency wallets, browser extensions and two-factor authentication (2FA).
Lumma is capable of exfiltrating system data and the list of installed programs from compromised devices. This malware steals cookies, usernames, passwords, credit card numbers, login history and crypto wallet data, among other things. But it could become even more formidable than it has been until now. According to Alon Gal, the co-founder and CTO of cybersecurity company Hudson Rock, “a major change is about to happen in the cybercrime ecosystem”. According to him, the team behind Lumma has reportedly found a way “to exfiltrate Google cookies from infected computers. These cookies will not expire or be revoked even if the owner changes their password.” With this method, the malware would be capable of exfiltrating Google cookies to access your Gmail account, but also your search history and your banking data. “This will result in a major shift in the world of cybercrime, allowing hackers to infiltrate even more accounts and carry out significant attacks”, warns the researcher.
Lumma Stealer: the malware that reactivates expired cookies
To steal your most personal information, Lumma Stealer collects Google cookies, the small files that web browsers store on your devices (computer, smartphone, etc.) as you browse websites. Among them are the so-called “internal” (first-party) cookies set by the sites you visit – including Google services – which keep a browsing session alive by letting the site recognize the visitor, so that you do not have to log in again each time. For security reasons, these cookies have an expiration date, after which you must re-enter your credentials. In theory, they also cannot be reused once the browsing session is over. But with this evolution of Lumma, hackers could connect to your Google account either with active cookies or by restoring cookies that should normally have become obsolete. They would then have plenty of time to read your emails, view your search history, and even modify your account settings in order to steal your identity.
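The claim above is that stolen cookies keep working after the password changes and past their nominal expiry. Those are server-side properties: a cookie's own expiry date is set on the client, where an attacker can edit it, so the only protection is a session store that enforces lifetime and revocation itself. The following added Python example (not code from the article or from any Google system; the 8-hour lifetime and the version-counter scheme are constructed assumptions) shows a minimal store in which an exfiltrated copy of a session cookie stops validating after a password change and after the server-side lifetime elapses, whatever the client claims.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical policy: a session dies 8 hours after login no matter what the
# cookie on the client says. Constructed value for this example.
ABSOLUTE_LIFETIME = 8 * 3600


@dataclass
class Session:
    user: str
    created: float          # server clock at login
    password_version: int   # password generation the session was minted under


@dataclass
class SessionStore:
    # token -> Session. The cookie value is only a lookup key; it carries no
    # authority by itself, so a copy is worthless once the entry is gone.
    sessions: dict = field(default_factory=dict)
    # Per-user counter, bumped on every password change.
    password_versions: dict = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        version = self.password_versions.setdefault(user, 1)
        self.sessions[token] = Session(user, now, version)
        return token

    def validate(self, token: str, now: float):
        """Return the user name if the presented cookie is still acceptable, else None."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_LIFETIME:
            # Server-side expiry: editing the cookie's Expires attribute cannot extend it.
            self.sessions.pop(token, None)
            return None
        if s.password_version != self.password_versions.get(s.user):
            # Minted before the last password change: revoked, even if it was copied earlier.
            self.sessions.pop(token, None)
            return None
        return s.user

    def change_password(self, user: str) -> None:
        # Invalidates every session issued under the old password, including
        # copies an infostealer exfiltrated from the browser profile.
        self.password_versions[user] = self.password_versions.get(user, 1) + 1


def demo() -> dict:
    """Walk a stolen cookie through the two defences and report each outcome."""
    store = SessionStore()
    t0 = 1_700_000_000.0                      # constructed timestamp
    cookie = store.login("alice", t0)
    stolen_copy = cookie                      # same bytes the stealer would exfiltrate
    results = {"fresh": store.validate(stolen_copy, t0 + 60)}

    store.change_password("alice")            # victim reacts to the compromise
    results["after_password_change"] = store.validate(stolen_copy, t0 + 120)

    cookie2 = store.login("alice", t0 + 200)  # new session under the new password
    results["new_session_valid"] = store.validate(cookie2, t0 + 300)
    results["after_absolute_expiry"] = store.validate(
        cookie2, t0 + 200 + ABSOLUTE_LIFETIME + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The point for defenders is that neither check depends on the cookie: the server remembers when a session was created and under which password it was issued, so a "restored" cookie is just an unknown or stale key. Binding sessions to additional client signals is a further step, but the two above already remove the behaviour the researcher describes.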
But that’s not all! Researchers at Swedish cybersecurity company Outpost24 found that, using trigonometry, the latest version of the malware can analyze mouse cursor movements and detect human behavior. Concretely, it tracks the position of the mouse cursor, then treats the recorded positions as Euclidean vectors and calculates their angles and magnitudes. This allows it to tell whether it is running on a real machine or in a sandbox environment – an isolated virtual platform designed for safely running suspicious code, and therefore used by cybersecurity researchers. That makes it harder to detect and to understand. Not to mention that it embeds obfuscation in its code to confuse analysis tools.
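For a sandbox operator, the practical consequence of the Outpost24 finding is that an idle cursor, or one moved in perfectly straight, evenly spaced steps, is a tell. The following added Python example (not code from the article, from Outpost24 or from Lumma; the thresholds and the random-walk emulation are constructed assumptions) is a self-test an analyst could run against their own cursor emulation: it converts recorded positions into movement vectors, computes the angle and magnitude of each as the article describes, and reports whether the trajectory shows the varied headings and step lengths a hand produces. Two synthetic traces (idle, straight line) fail; a jittered emulated path passes.

```python
import math
import random


def movement_vectors(points):
    """Consecutive cursor positions -> list of (dx, dy) Euclidean vectors."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]


def angle_degrees(v):
    """Heading of a movement vector, in degrees, using atan2 for the full circle."""
    return math.degrees(math.atan2(v[1], v[0]))


def magnitude(v):
    """Length of a movement vector (distance the cursor travelled in one sample)."""
    return math.hypot(v[0], v[1])


def looks_human(points, min_moves=4, min_mean_turn=5.0, min_length_spread=1.0):
    """Heuristic in the spirit of the article: a real hand changes direction
    and speed constantly; an idle or scripted cursor does not.
    Thresholds are constructed for this example, not taken from the malware."""
    vecs = [v for v in movement_vectors(points) if magnitude(v) > 0]
    if len(vecs) < min_moves:
        return False                      # cursor essentially never moved
    headings = [angle_degrees(v) for v in vecs]
    lengths = [magnitude(v) for v in vecs]
    # Absolute change of heading between consecutive moves, folded into 0..180.
    turns = [abs((b - a + 180) % 360 - 180) for a, b in zip(headings, headings[1:])]
    mean_turn = sum(turns) / len(turns)
    length_spread = max(lengths) - min(lengths)
    return mean_turn > min_mean_turn and length_spread > min_length_spread


def idle_path(n=20):
    """Sandbox that never moves the cursor: the same point repeated."""
    return [(400, 300)] * n


def straight_path(n=20):
    """Naive emulation: equal steps along one axis, so every heading is identical."""
    return [(100 + 10 * i, 100) for i in range(n)]


def emulated_human_path(n=40, seed=1):
    """Jittered random walk, a crude stand-in for a hand moving the mouse.
    Seeded so the self-test is reproducible."""
    rng = random.Random(seed)
    x, y = 500.0, 300.0
    points = [(x, y)]
    for _ in range(n):
        x += rng.uniform(-12, 12)
        y += rng.uniform(-12, 12)
        points.append((x, y))
    return points


def sandbox_self_test() -> dict:
    """Classify the three constructed traces; only the jittered one should pass."""
    return {
        "idle": looks_human(idle_path()),
        "straight": looks_human(straight_path()),
        "emulated_human": looks_human(emulated_human_path()),
    }


if __name__ == "__main__":
    for name, verdict in sandbox_self_test().items():
        print(f"{name}: {'human-like' if verdict else 'flagged as synthetic'}")
```

The lesson is not the exact thresholds, which the article does not give, but the direction of the mitigation: analysis environments that want to observe this family need cursor activity with realistic variation in both heading and step length, and a quick check like this one catches the emulations that would be dismissed as a sandbox.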
Given the price charged for this service, Lumma Stealer is not aimed at every cybercriminal, but rather at those wishing to attack very specific victims or organizations. That does not mean we should skip the measures that make hackers' work harder. Moreover, Google now supports passkeys, considered much more reliable and secure than traditional passwords (see our article).