LummaStealer Se Voit Accorder une Seconde Vie Aux Côtés de CastleLoader

"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef malware fill:#ff9999 classDef operator fill:#ff9900 classDef builtin fill:#cccccc %% Nodes u2013 Initial Access init_user_execution["<b>Action</b> – <b>T1204 User Execution</b>: Victims run fake cracked software or game/movie installers.<br/><b>Description</b>: Execution of malicious code by the user."] class init_user_execution action init_mal_copy_paste["<b>Action</b> – <b>T1204.004 Malicious Copy and Paste</b>: Users follow ClickFix CAPTCHA instructions to copy and paste malicious commands.<br/><b>Description</b>: Attacker guides victim to execute attackeru2011controlled code."] class init_mal_copy_paste action %% Nodes u2013 Loader Deployment loader_autoit["<b>Tool</b> – <b>T1059.010 AutoIt Interpreter</b>: Compiled CastleLoader script.<br/><b>Description</b>: Executes heavily obfuscated AutoIt code."] class loader_autoit tool obfuscation["<b>Action</b> – <b>T1027.009 Embedded Payloads</b>: Obfuscated AutoIt script hides malicious payload.<br/><b>Description</b>: Uses encoding and packing to evade analysis."] class obfuscation action masquerading["<b>Action</b> – <b>T1036 Masquerading</b>: Loader disguised as a legitimate installer with common software extensions.<br/><b>Description</b>: Appears benign to the user and security tools."] class masquerading action %% Nodes u2013 Persistence persistence_shortcut["<b>Action</b> – <b>T1547.009 Shortcut Modification</b>: Creates .lnk and .url files in the Startup folder.<br/><b>Description</b>: Persists by launching on user logon."] class persistence_shortcut action persistence_task["<b>Action</b> – <b>T1053 Scheduled Task</b>: VBA script registers a scheduled task for repeated execution.<br/><b>Description</b>: Runs payload at defined intervals."] class persistence_task action persistence_init["<b>Action</b> – <b>T1037 Logon Initialization Scripts</b> and <b>T1547.014 Active Setup</b>: Executes scripts during user logon via registry keys.<br/><b>Description</b>: Ensures code runs each login."] class persistence_init action hijack_execution["<b>Action</b> – <b>T1574 Hijack Execution Flow</b>: Reflective loading of the malicious payload into memory.<br/><b>Description</b>: Executes without writing files to disk."] class hijack_execution action %% Nodes u2013 Defense Evasion defense_virtual["<b>Action</b> – <b>T1497 Virtualization/Sandbox Evasion</b> and <b>T1497.002 User Activity Checks</b>: Detects analysis environment and aborts execution.<br/><b>Description</b>: Avoids sandbox detection."] class defense_virtual action defense_reflective["<b>Action</b> – <b>T1620 Reflective Code Loading</b>: Loads code via reflection to hide activity.<br/><b>Description</b>: Bypasses static analysis tools."] class defense_reflective action %% Nodes u2013 Command and Control c2_dga["<b>Action</b> – <b>T1568.002 Domain Generation Algorithms</b>: Generates pseudou2011random domains causing failed DNS lookups.<br/><b>Description</b>: Provides dynamic C2 endpoints."] class c2_dga action c2_dns["<b>Action</b> – <b>T1071.004 DNS Protocol</b>: Communicates over DNS queries and responses.<br/><b>Description</b>: Uses applicationu2011layer DNS for C2."] class c2_dns action c2_web["<b>Action</b> – <b>T1102 Web Service</b>: Bidirectional communication via HTTPS web service.<br/><b>Description</b>: Serves as primary C2 channel."] class c2_web action %% Nodes u2013 Credential Access cred_browser["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b>: Steals stored passwords, cryptou2011wallet files and session data.<br/><b>Description</b>: Extracts credentials from Chrome, Firefox, etc."] class cred_browser action cred_cookie["<b>Action</b> – <b>T1550.004 Web Session Cookie</b>: Uses stolen cookies as alternate authentication material.<br/><b>Description</b>: Reu2011uses valid web sessions."] class cred_cookie action forge_cookie["<b>Action</b> – <b>T1606.001 Forge Web Credentials</b>: Creates forged cookies to impersonate victims.<br/><b>Description</b>: Enables unauthorized access to web services."] class forge_cookie action %% Nodes u2013 Exfiltration exfil_c2["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b>: Sends harvested data through the webu2011service C2.<br/><b>Description</b>: Data leaves the network via the same channel used for command and control."] class exfil_c2 action %% Connections u2013 Attack Flow init_user_execution –>|leads_to| loader_autoit init_mal_copy_paste –>|leads_to| loader_autoit loader_autoit –>|uses| obfuscation loader_autoit –>|masquerades_as| masquerading loader_autoit –>|establishes| persistence_shortcut loader_autoit –>|establishes| persistence_task loader_autoit –>|establishes| persistence_init persistence_shortcut –>|enables| hijack_execution persistence_task –>|enables| hijack_execution persistence_init –>|enables| hijack_execution hijack_execution –>|employs| defense_virtual hijack_execution –>|employs| defense_reflective hijack_execution –>|connects_to| c2_dga c2_dga –>|resolves_via| c2_dns c2_dns –>|communicates_via| c2_web c2_web –>|steals| cred_browser c2_web –>|captures| cred_cookie c2_web –>|enables| forge_cookie cred_browser –>|provides| exfil_c2 cred_cookie –>|provides| exfil_c2 forge_cookie –>|provides| exfil_c2 %% Styling class init_user_execution,init_mal_copy_paste action class loader_autoit,obfuscation,masquerading tool class persistence_shortcut,persistence_task,persistence_init,hijack_execution,defense_virtual,defense_reflective,cred_browser,cred_cookie,forge_cookie action class c2_dga,c2_dns,c2_web,exfil_c2 action "

Flux d’Attaque