Query Details

Hunting Fake Reddit Sites Push Lumma Stealer Malware Part 2

Query

// Hunting fake Reddit sites push Lumma Stealer malware - Part 2

// https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/

// A recent cybersecurity threat: hackers have created nearly 1,000 fake websites mimicking Reddit and WeTransfer. These fraudulent sites are used to distribute the Lumma Stealer malware, which is designed to steal sensitive information such as passwords and session tokens. The campaign highlights the ongoing risks posed by info-stealer malware, which can compromise both individual and organizational data. These fake websites were found by Sekoia researcher crep1x, who shared a complete list of web pages participating in the scheme. Using this list as a threat hunting basis, here is my second MDE threat hunting KQL.

// Pull the published list of fake Reddit/WeTransfer domains (one domain per line)
let FakeRedditLummaS = externaldata(RawData:string)
[h'https://gist.githubusercontent.com/qbourgue/071c333ff5182f031da3ba55cc7da1ec/raw/ec4ba396c0d1052cc8b0a69c1bad1e0e5aef2ab6/malicious_domains_impersonating_reddit_wetransfer_selfau3_dropper_lumma_stealer_20012025.txt']
| parse RawData with FRDdomains:string;
// Deduplicate the list so it can be used as a lookup set
let FakedRedditDomain =
FakeRedditLummaS
| distinct FRDdomains;
// Look back 30 days at inspected HTTP connections and keep outbound ones whose host is on the list
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == @"HttpConnectionInspected"
| extend Host = tostring(parse_json(AdditionalFields)["host"])
| extend Direction = tostring(parse_json(AdditionalFields)["direction"])
| where Direction == "Out" and Host has_any (FakedRedditDomain)

Explanation

This KQL query is designed to help identify network activity related to a cybersecurity threat involving fake Reddit and WeTransfer websites that distribute the Lumma Stealer malware. Here's a simplified breakdown of the query:

  1. Data Source: The query starts by importing a list of malicious domains from an external source. These domains are known to impersonate Reddit and WeTransfer to spread malware.

  2. Domain Extraction: It extracts and lists these fake domains to be used for further analysis.

  3. Network Events Filtering: The query then looks at network events from the past 30 days, specifically focusing on HTTP connections that were inspected.

  4. Outgoing Connections: It filters these events to find outgoing connections (from the user's network to an external site) where the host matches any of the fake domains identified earlier.

In essence, this query helps in threat hunting by identifying any recent network activity that might indicate a device in the network has attempted to connect to one of these fake, malicious websites.
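The query above only sees connections that produced an HttpConnectionInspected event. As an added example (not part of the original query), the same domain list can be run against the RemoteUrl column of ordinary DeviceNetworkEvents rows and against the download-origin columns of DeviceFileEvents, so that a device that fetched the dropper from one of these sites is surfaced even when no HTTP inspection event was recorded. It assumes those columns are populated in your tenant.

```kql
// Added example, not the original author's query: widen the hunt to other
// columns in which the fake Reddit/WeTransfer domains would appear.
let FakeRedditLummaS = externaldata(RawData:string)
[h'https://gist.githubusercontent.com/qbourgue/071c333ff5182f031da3ba55cc7da1ec/raw/ec4ba396c0d1052cc8b0a69c1bad1e0e5aef2ab6/malicious_domains_impersonating_reddit_wetransfer_selfau3_dropper_lumma_stealer_20012025.txt']
| parse RawData with FRDdomains:string;
let FakedRedditDomain = FakeRedditLummaS
| where isnotempty(FRDdomains)      // drop blank lines from the list
| distinct FRDdomains;
// 1. Any connection whose recorded remote URL names a listed domain
let NetHits = DeviceNetworkEvents
| where Timestamp > ago(30d)
| where isnotempty(RemoteUrl) and RemoteUrl has_any (FakedRedditDomain)
| project Timestamp, DeviceName, Source = "DeviceNetworkEvents",
          Evidence = RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// 2. Files downloaded from, or referred by, a listed domain (the dropper stage)
let FileHits = DeviceFileEvents
| where Timestamp > ago(30d)
| where FileOriginUrl has_any (FakedRedditDomain)
     or FileOriginReferrerUrl has_any (FakedRedditDomain)
| project Timestamp, DeviceName, Source = "DeviceFileEvents",
          Evidence = strcat(FileOriginUrl, " -> ", FileName),
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Merge both views and roll up per device so triage starts from the most recent hit
union NetHits, FileHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Evidence = make_set(Evidence, 10) by DeviceName, Source
| order by LastSeen desc
```

A device that appears in both Source groups (a connection to a listed domain followed by a file whose origin is that domain) is the strongest lead, since it covers both the lure and the download.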

Details


Steven Lim

Released: January 24, 2025

Tables

FakeRedditLummaS, DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Timestamp, ActionType, AdditionalFields, Host, Direction

Operators

let, externaldata, parse, with, distinct, where, >, ago, ==, extend, parse_json, has_any
