top of page

Malware Attack Impersonates Financial Services Company, Distributes LUMMA InfoStealer

The utilization of a multi-tiered counterfeit invoice strategy in the distribution of LUMMA via Malware-as-a-Service attacks is evolving into a more sophisticated and advanced approach.


What are Malware-as-a-Service information stealers?

The Malware-as-a-Service (MaaS) framework persists in offering aspiring threat actors an affordable and uncomplicated means to execute complex cyber assaults and accomplish their malicious objectives. Information stealers stand out as a prevalent form of MaaS, focusing on collecting and surreptitiously transmitting sensitive data like login credentials and financial information from compromised devices. This activity holds the potential to cause substantial financial harm to both organizations and individuals.

Attacker impersonates a financial services company

Perception Point’s researchers recently investigated a malware attack aimed at evading threat detection engines. The attacker impersonates a financial services company and sends a fake invoice to the target. The email prompts the user to click on a button called "View & Download Invoice," but instead of leading to the invoice, it redirects to an unavailable website.

To bypass detection, the attacker includes a legitimate website link in the email. Clicking on this link triggers the download of a JavaScript file containing the malicious payload. One of the URLs in the redirect chain, hxxps[:]//robertoscaia[.]com/eco, automatically downloads malware onto the user's device.

The malware used in this attack is LUMMA, an InfoStealer malware distributed through a Malware-as-a-Service model. The attack involves the execution of three processes: "1741.exe," "RegSvcs.exe," and "wmpnscfg.exe."

The first process, “1741.exe”, is executed from the user's temporary folder, which is unusual for legitimate programs. The second process, “RegSvcs.exe” (Registration Services), is executed from the Microsoft.NET framework folder C:\Windows\Microsoft.NET\Framework, a behavior commonly associated with malware activities. The third process, “wmpnscfg.exe” (Windows Media Player Network Sharing Service), is executed from the Windows Media Player folder.

Mirroring the general emergence and rise of information stealers across the cyber threat landscape, LUMMA stealer continues to represent a significant concern to organizations and individuals alike.

Moreover, as yet another example of MaaS, LUMMA is readily available for threat actors to launch their attacks, regardless of their level of expertise, meaning the number of incidents is only likely to rise. As such, it is essential for organizations to have security measures in place that are able to recognize unusual behavior that may be indicative of an info-stealer compromise, while not relying on a static list of indicators of compromise (IOCs).


  • Malware Campaigns


  • User awareness training

  • Monitor processes for unusual activity (e.g., abnormal process call trees).

  • Continuous monitoring and threat intelligence

  • Regular software updates and patch management

  • Incident Response plan should be prepared and tested to swiftly contain and mitigate an impact of a malware attack.


1. Sophie Jacobs. (2023, November 29). Behind the attack: LUMMA malware - perception point. Perception Point.


How can CyberForce|Q services help you address this risk?

Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365 – reach out to

Learn more about CyberForce|Q.


bottom of page