Lumma Stealer & Ninja Malware Hijack Google Groups

Summary
– Over 4,000 malicious Google Groups and 3,500 Google-hosted URLs are being used in a global malware campaign that abuses Google’s trusted ecosystem.
– The campaign uses social engineering in Google Groups, posting seemingly legitimate technical discussions with embedded malicious download links disguised for specific organizations.
– Windows users are infected with the Lumma InfoStealer, delivered via oversized archives to evade detection, which steals credentials and browser data.
– Linux users are targeted with a trojanized “Ninja Browser” that silently installs malicious extensions and establishes persistent, backdoor-like access.
– The campaign bypasses traditional security by using trusted Google services, and defenses include blocking provided indicators and educating users.
A sophisticated malware campaign is actively exploiting the trusted reputation of Google’s services to target organizations worldwide. Security researchers have identified over 4,000 malicious Google Groups and 3,500 Google-hosted URLs being weaponized to distribute dangerous information-stealing malware. This operation cleverly bypasses traditional security filters by leveraging Google’s own infrastructure, making malicious links appear far more legitimate to unsuspecting users. The attackers tailor their approach by embedding specific organization names and industry keywords into their posts, significantly increasing the credibility of their traps and driving successful infections.
The attack begins with social engineering within Google Groups. Threat actors infiltrate industry-specific forums and initiate technical discussions that seem entirely genuine, covering topics like network troubleshooting or software configuration errors. Within these threads, they embed download links disguised as helpful resources, often labeled something like “Download {Organization_Name} for Windows 10.” To further evade detection, these links frequently use URL shorteners or redirect through Google Docs and Drive. This redirector infrastructure is designed to identify the victim’s operating system and deliver a tailored malicious payload.
For users on Windows systems, the campaign deploys the Lumma Stealer, a commercially available information-stealer. The payload arrives as a password-protected compressed archive hosted on malicious file-sharing sites. A key evasion technique involves using an oversized archive; while the decompressed file is roughly 950MB, the actual malicious executable is only about 33MB. The remainder is padding with null bytes, a method intended to exceed antivirus file-size scanning limits and disrupt static analysis tools. Once executed, the malware reassembles segmented binary files, launches an AutoIt-compiled executable, and ultimately decrypts and runs a memory-resident payload. Its malicious behavior includes exfiltrating browser credentials and session cookies, executing shell commands, and sending stolen data to command-and-control servers using obfuscated HTTP POST requests.
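The null-byte padding described above is cheap to detect without ever loading the whole file: read the tail backwards and measure the trailing run of 0x00 bytes. The script below is an added example written for this article, not code from the campaign or from the original report; the file it scans is a constructed sample, and the 50% / 10 MiB thresholds are assumptions to tune for your environment.

```python
import os
import tempfile

CHUNK = 1 << 20  # scan the tail 1 MiB at a time so a ~950 MB file is never loaded whole

def trailing_null_bytes(path: str) -> int:
    """Length of the run of 0x00 bytes at the end of the file, found by reading backwards."""
    size = os.path.getsize(path)
    nulls = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            fh.seek(pos)
            chunk = fh.read(step)
            stripped = chunk.rstrip(b"\x00")
            nulls += len(chunk) - len(stripped)
            if stripped:  # a non-null byte ends the run; no need to read further back
                break
    return nulls

def padding_report(path: str, min_ratio: float = 0.5, min_padding: int = 10 * 1024 * 1024) -> dict:
    """Flag a file when most of it is trailing null padding (assumed defaults: >=50% and >=10 MiB)."""
    size = os.path.getsize(path)
    nulls = trailing_null_bytes(path)
    ratio = nulls / size if size else 0.0
    return {
        "size": size,
        "payload_size": size - nulls,   # the bytes an analyst should actually look at
        "null_padding": nulls,
        "padding_ratio": ratio,
        "suspicious": nulls >= min_padding and ratio >= min_ratio,
    }

def make_sample(payload_len: int, padding_len: int) -> str:
    """Constructed test input: a fake 'MZ' payload containing no zero bytes, then null padding."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"MZ" + bytes(i % 255 + 1 for i in range(payload_len - 2)))
        fh.write(b"\x00" * padding_len)
    return path

if __name__ == "__main__":
    # Miniature of the 33 MB-in-950 MB layout the article describes, scaled to bytes.
    print(padding_report(make_sample(33, 950), min_padding=512))
```

Run it against quarantined archives after extraction; a high padding ratio is a triage signal, and the payload_size tells you how much of the file to carve out for static analysis.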
Linux users are presented with a different threat. They are redirected to download a trojanized Chromium-based application marketed as “Ninja Browser,” which claims to offer privacy and anonymity features. In reality, the browser silently installs malicious extensions without user consent and establishes hidden persistence mechanisms. One such extension, “NinjaBrowserMonetisation,” is designed to track users with unique identifiers, inject scripts into web sessions, load remote content, and manipulate browser data. The extension’s code is heavily obfuscated. The browser also sets up scheduled tasks to poll attacker-controlled servers daily, silently install updates, and maintain long-term access. It defaults to using a Russian-based search engine and has been linked to domains like ninja-browser[.]com.
The risks posed by this dual-pronged campaign are severe. Lumma Stealer can lead to credential theft, account takeover, financial fraud, and lateral movement within corporate networks. The Ninja Browser acts as a persistent backdoor, enabling silent credential harvesting, remote command execution, and automatic installation of further malicious updates. Because the attack abuses Google’s trusted services, it effectively bypasses security measures that would normally block content from unknown or suspicious sources.
To defend against this threat, organizations are advised to take several proactive steps. Security teams should inspect shortened URLs and scrutinize redirect chains originating from Google Docs or Drive. It is crucial to block the published indicators of compromise at firewall and endpoint detection and response levels. User education is also vital; employees should be warned against downloading software from public forums without verification. Additionally, IT departments should monitor for the creation of unauthorized scheduled tasks on endpoints and routinely audit browser extensions for suspicious installations. This campaign underscores a dangerous trend where cybercriminals increasingly weaponize legitimate SaaS platforms to launch attacks that are harder to detect and stop.
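One concrete way to carry out the extension audit recommended above is to read a Chromium profile's Preferences file and flag extensions that did not come from the Web Store or that match a watchlist. This is an added example written for this article, not tooling from the original report; it assumes the `extensions.settings` layout of Chromium's Preferences/Secure Preferences JSON (per-extension `manifest` and `from_webstore` keys), and the profile it inspects is a constructed sample.

```python
import json
import tempfile
from pathlib import Path

# Chrome Web Store update endpoint; a manifest pointing anywhere else was not installed via the store.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

def load_extension_settings(prefs_path: str) -> dict:
    """Return the extensions.settings map from a Chromium Preferences / Secure Preferences file."""
    data = json.loads(Path(prefs_path).read_text(encoding="utf-8"))
    return data.get("extensions", {}).get("settings", {})

def audit_extensions(settings: dict, name_watchlist=("NinjaBrowserMonetisation",)) -> list:
    """Flag extensions that are not from the Web Store, update from elsewhere, or match the watchlist."""
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<unknown>")
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        update_url = manifest.get("update_url")
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            reasons.append(f"non-store update_url {update_url}")
        if any(w.lower() in name.lower() for w in name_watchlist):
            reasons.append("name matches watchlist")
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    # Note: browser-bundled component extensions also report from_webstore=false; allowlist them.
    return findings

# Constructed sample profile: one store-installed extension and one side-loaded extension.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True,
        "manifest": {"name": "uBlock Origin", "update_url": WEBSTORE_UPDATE_URL}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False,
        "manifest": {"name": "NinjaBrowserMonetisation",
                     "update_url": "https://updates.example.invalid/ninja.xml"}},  # placeholder host
}}}

def audit_sample() -> list:
    """Write the constructed profile to a temp file and audit it the way a real profile would be."""
    fd_path = Path(tempfile.mkstemp(suffix="-Preferences")[1])
    fd_path.write_text(json.dumps(SAMPLE_PREFS), encoding="utf-8")
    return audit_extensions(load_extension_settings(str(fd_path)))

if __name__ == "__main__":
    for finding in audit_sample():
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```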
(Source: Bleeping Computer)