Manufacturing Companies Targeted with New Lumma and Amadey Campaign


The manufacturing industry has long been a target of cybercriminals. While data encryption has been a prevalent tactic in recent years, threat actors are now increasingly focusing on stealing sensitive information and gaining control over critical infrastructure.  

One of the latest campaigns on record involves the use of Lumma and Amadey malware. 

Campaign Uses Fake LogicalDOC URLs  

This campaign relies heavily on Living Off the Land Binaries and Scripts (LOLBAS) techniques to deliver malware.

Threat actors distribute phishing emails with URLs leading targets to download LNK files disguised as PDFs. These files are accessed via a domain name masquerading as one belonging to LogicalDOC, a service for managing documentation widely utilized in the manufacturing industry.  

Attack Involves Scripts to Aid Infection  

The malicious LNK file, once activated, initiates PowerShell via an ssh.exe command. Following a chain of scripts, a CPL file is downloaded from berb[.]fitnessclub-filmfanatics[.]com as a ZIP archive.  

The malware uses both PowerShell and Windows Management Instrumentation (WMI) commands to collect detailed information about the victim’s system, including:

  • Language settings
  • Antivirus software
  • Operating system versions
  • Hardware specifications

This reconnaissance allows attackers to tailor subsequent attacks and enhances their credibility when sending follow-up malicious emails within the targeted organization. 

DLL Sideloading Ensures Evasion  

Attackers run malicious code in memory without leaving traces and abuse standard Windows tools to blend in with regular system activities. The downloaded ZIP file contains several malicious files used to carry out DLL sideloading.  

Key Objective

The primary purpose of this attack is to:

  • Steal important information with Lumma Stealer
  • Maintain control over the infected systems with Amadey Bot

Attackers gain the ability to continuously monitor and manipulate their targets, which poses a significant threat to manufacturing businesses.

Why Businesses Need to Pay Attention 

For manufacturing companies, the consequences of such attacks can be severe and include:  

  • Theft of intellectual property 
  • Disruption of operations 
  • Financial losses and compliance violations 

Understanding and preparing for these threats is crucial for protecting valuable assets, maintaining operational integrity, and ensuring the safety of employees and customers. 

Analysis of the Attack with ANY.RUN Sandbox

To proactively identify malicious files belonging to this and other malware attacks, analyze them in the safe environment of ANY.RUN’s Interactive Sandbox that offers: 

  • Real-time Insights: In-depth view of malicious activities as they occur. 
  • Interactivity: Test threat responses in a live system. 
  • Comprehensive Reporting: Detailed reports on IOCs, malware families, and more. 

Analysis of a malicious LNK file inside ANY.RUN’s Sandbox

By uploading a malicious LNK file to the sandbox and executing it we can observe how the entire chain of infection plays out. 

ANY.RUN detects activities related to malicious and suspicious processes

First, the .lnk file initiates SSH, which starts PowerShell. 

Mshta is utilized to download a payload from a remote server

PowerShell then launches Mshta with the AES-encrypted first-stage payload that it decrypts and executes. 

Attack uses Emmenhtal loader to facilitate infection

PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal

Suricata IDS is used in ANY.RUN to identify Amadey-related traffic

As a result, Emmenhtal infects the system with Lumma and Amadey.
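
The process chain seen in the sandbox (ssh.exe starting PowerShell, which then starts Mshta) can be hunted for in process-creation logs. The following is an added example, not code from the original post or from ANY.RUN; the event fields, rule names and sample events are constructed and assume Sysmon-style process-creation data.

```python
import ntpath

# Constructed sample events (not from a real host), shaped like Sysmon Event ID 1 data.
# Assumption: pid/ppid are unique here; real telemetry should key on process GUIDs.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\OpenSSH\ssh.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\mshta.exe"},
    # Benign control: an admin running ssh from a PowerShell prompt (reverse order).
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\OpenSSH\ssh.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def exe_name(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()


def lineage(event, by_pid):
    """Executable names from this process up to the root, child first."""
    chain, seen = [], set()
    while event and event["pid"] not in seen:  # guard against PID loops
        seen.add(event["pid"])
        chain.append(exe_name(event))
        event = by_pid.get(event["ppid"])
    return chain


def detect(events):
    """Return (pid, rule) alerts for the ssh -> PowerShell -> mshta chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = lineage(e, by_pid)
        if chain[0] in SCRIPT_HOSTS and chain[1:2] == ["ssh.exe"]:
            alerts.append((e["pid"], "powershell_spawned_by_ssh"))
        elif (chain[0] == "mshta.exe" and len(chain) > 2
              and chain[1] in SCRIPT_HOSTS and "ssh.exe" in chain[2:]):
            alerts.append((e["pid"], "mshta_under_ssh_powershell"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The benign control (PowerShell launching ssh.exe) produces no alert, because the rules key on the parent-child order rather than on the mere presence of either binary.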

Collect Threat Intelligence on Lumma and Amadey Attacks 

With TI Lookup, ANY.RUN’s searchable database of the latest threat intelligence, you can find more info on malware and phishing campaigns. TI Lookup provides: 

  • Fresh Data: Latest samples from a global network of security professionals. 
  • Actionable Indicators: IOCs from traffic, memory dumps, and manual collection. 
  • Contextual Information: Links to full sandbox analysis sessions with detailed data. 

Use the following query, consisting of the name of the threat and the path to one of the malicious files used in the attack, for your search: 

TI Lookup lets you collect threat data and view relevant sandbox sessions

The service provides a list of files matching the query along with sandbox sessions featuring analysis of samples belonging to the same campaign that you can explore in detail. 


About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post Manufacturing Companies Targeted with New Lumma and Amadey Campaign appeared first on ANY.RUN’s Cybersecurity Blog.