Query Details
// Hunting fake Reddit sites push Lumma Stealer malware - Part 1
// https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/
// https://x.com/crep1x/status/1881404758843699402
// A recent cybersecurity threat where hackers have created nearly 1,000 fake websites mimicking Reddit and WeTransfer.
// These fraudulent sites are used to distribute the Lumma Stealer malware, which is designed to steal sensitive
// information such as passwords and session tokens. The campaign highlights the ongoing risks posed by info-stealer
// malware, which can compromise both individual and organizational data.
// These fake websites were found by Sekoia researcher crep1x, who shared a complete list of web pages participating
// in the scheme. Using this list as a threat hunting basis, here is my first MDO threat hunting KQL.
let FakeRedditLummaS = externaldata(RawData:string)
    [h'https://gist.githubusercontent.com/qbourgue/071c333ff5182f031da3ba55cc7da1ec/raw/ec4ba396c0d1052cc8b0a69c1bad1e0e5aef2ab6/malicious_domains_impersonating_reddit_wetransfer_selfau3_dropper_lumma_stealer_20012025.txt']
    | parse RawData with FRDdomains:string;
EmailUrlInfo
| where TimeGenerated > ago(60d)
| join FakeRedditLummaS on $left.UrlDomain == $right.FRDdomains
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
This KQL query is designed to help identify potential cybersecurity threats related to fake Reddit and WeTransfer websites that are distributing the Lumma Stealer malware. Here's a simplified breakdown of what the query does:
Data Source: It starts by importing a list of malicious domains from an external source. These domains are known to impersonate Reddit and WeTransfer to spread malware.
Email Data Filtering: The query looks at email data from the past 60 days to find any inbound emails that have not been blocked.
Domain Matching: It checks whether the domain of any URL embedded in those emails (from EmailUrlInfo) exactly matches an entry in the list of known malicious domains.
Threat Detection: By joining the email data with the list of malicious domains, the query identifies emails that might be part of the campaign to distribute the Lumma Stealer malware.
In essence, this query is part of a threat hunting effort to detect and analyze emails that might be associated with fake websites pushing malware, helping to protect against data theft.
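As an added example that is not part of the original query, the hunt above can be extended to show who received and who clicked the matched URLs. It assumes the Microsoft Sentinel/Defender XDR tables EmailUrlInfo, EmailEvents and UrlClickEvents with their documented columns, and normalises the domain feed before the exact-match join so that case or stray whitespace in the list does not silently drop hits.

```kql
// Added example: extend the fake-Reddit/WeTransfer hunt with recipients and Safe Links clicks.
// Assumes Sentinel/Defender XDR tables EmailUrlInfo, EmailEvents and UrlClickEvents.
let FakeRedditLummaS = externaldata(RawData:string)
    [h'https://gist.githubusercontent.com/qbourgue/071c333ff5182f031da3ba55cc7da1ec/raw/ec4ba396c0d1052cc8b0a69c1bad1e0e5aef2ab6/malicious_domains_impersonating_reddit_wetransfer_selfau3_dropper_lumma_stealer_20012025.txt']
    | parse RawData with FRDdomains:string
    // Normalise the feed: drop blank lines, lowercase, strip surrounding whitespace.
    | where isnotempty(FRDdomains)
    | project FRDdomains = tolower(trim(@"\s", FRDdomains));
// Inbound, not-blocked mail whose URL domain is in the feed (same logic as the original query).
let MatchedMail = EmailUrlInfo
    | where TimeGenerated > ago(60d)
    | extend UrlDomain = tolower(UrlDomain)
    | join kind=inner FakeRedditLummaS on $left.UrlDomain == $right.FRDdomains
    | join kind=inner (
        EmailEvents
        | where TimeGenerated > ago(60d)
        | where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
      ) on NetworkMessageId;
// Correlate with Safe Links click telemetry to see whether anyone actually followed the link.
MatchedMail
| join kind=leftouter (
    UrlClickEvents
    | where TimeGenerated > ago(60d)
    | project NetworkMessageId, ClickTime = TimeGenerated, ClickedUrl = Url,
              ClickAction = ActionType, AccountUpn
  ) on NetworkMessageId
| summarize Recipients = make_set(RecipientEmailAddress),
            MaliciousUrls = make_set(Url),
            Clicks = countif(isnotnull(ClickTime)),
            ClickedBy = make_set_if(AccountUpn, isnotnull(ClickTime)),
            ClickActions = make_set_if(ClickAction, isnotnull(ClickTime))
  by NetworkMessageId, SenderFromAddress, Subject, UrlDomain, LatestDeliveryAction
// Messages with confirmed clicks go to the top of the triage list.
| order by Clicks desc, NetworkMessageId asc
```

Rows with Clicks greater than zero are the ones to prioritise for credential and session-token resets, since Lumma Stealer targets exactly that data.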

Steven Lim
Released: January 24, 2025