About this episode
In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Senior Microsoft Security Researcher Kajhon Soyini to explore the Luma Stealer cryptocurrency mining campaign targeting individual computers as part of a large-scale malvertising campaign. They discuss the sophisticated attack chain, which includes DLLs, clipboard malware, process injection via Explorer.exe, and how this impacted nearly one million devices around the globe. Kajhon explains how attackers use registry modifications, WMI event consumers, and obfuscation techniques like non-standard ports and reverse shells to maintain persistence and evade detection. The duo also covers Microsoft's defense efforts and the challenges of tracking down the origins of these attacks. In this episode you’ll learn:
Why the attack chain incorporates legacy malware like NetSupport RAT
The overlap between the Luma Stealer and Donarium malware families
How Luma Stealer uses GitHub repositories and redirector networks to deliver malicious payloads
Some questions we ask:
Can you explain how the malware uses the “image file execution objects” registry path?
What role does Netcat play in this campaign’s command and control?
Why do people still mine cryptocurrency today, with all the complexities and attack methods?
Resources: View Kajhon Soyini on LinkedIn View Sherrod DeGrippo on LinkedIn Connect with Sherrod and the team at RSAC Related Microsoft Podcasts:
Afternoon Cyber Tea with Ann Johnson
The BlueHat Podcast
Uncovering Hidden Risks
Discover and follow other Microsoft podcasts at microsoft.com/podcasts Get the latest threat intelligence insights and guidance at Microsoft
