How to protect yourself from the Lumma Malware Trojan

Today we are taking on a perennial threat of the Trojan category – the Lumma Malware trojan. Unlike other posts we create, our goal here isn’t only to remove the threat if you find yourself infected. Rather, we wanted to try a more proactive approach: to educate you on how to avoid coming into contact with it in the first place, because by the time you have to deal with it, the Lumma Malware can already have done a lot of damage.

In my book there are very few things on the internet I’m more afraid of at this point in my life than having payment account information stolen. That is exactly what the Lumma Malware tries to do. Other PUPs and/or Trojans introduce additional malware into your system, exposing it to other threats, but that inevitably has the ‘benefit’ (if it can be called that) of exposing the problem and alerting you.

(Image: Lumma Malware product page.) Hilariously, the Lumma Malware has a product page… in Russian.

So how does the Lumma Malware trojan work?

The Lumma Malware, by contrast, bides its time: it stays completely inactive for a period until it successfully steals account information, at which point it contacts its creators and sends them the data. There is an excellent article by Cyfirma on exactly how it operates; give it a read if you want to find out more. But while the article is certainly interesting and very technical, it falls completely flat when it comes to how to protect yourself.

For any practical person, suggestions like “Implement threat intelligence to proactively counter the threats associated with the Lumma Stealer” (which frankly sound AI-generated) are useless. I think it’s a far better option to give you a few descriptive sentences about what it tries to do and what you can do to counter it. My assumption is that most people don’t want anything to do with antivirus programs. Fair enough. Let’s try to work only with built-in measures.

How does the Lumma Malware get on your PC?

The Lumma Malware has two primary vectors: it pretends to be something legitimate, either as a download or as an email attachment. This is a standard entry point for Trojans, so all the best practices against phishing apply:

  • Download only from official sources. You can sometimes spot fake installers carrying Lumma malware, but they are always hosted on a suspicious site.
  • Don’t mindlessly open and click on attachments, ESPECIALLY in an email you’re not sure why you received. I need to repeat this: you won’t get infected unless you open an attachment. Read the email and scan attachments at virustotal.com until you are sure they are safe to open. It’ll take 2-3 minutes at most.

If you find yourself repeatedly in trouble from downloading the wrong thing, make sure Windows Defender is turned on with all its features enabled. If you don’t feel computer-literate enough and frequently install browser hijackers or other types of malware, this is the point where I recommend looking at an external AV program.

There are a lot of good programs with free versions, trials or free functionality. Among them: SpyHunter 5, Malwarebytes, ESET, Norton. Personally I would avoid McAfee like the plague, although they have deals with some laptop manufacturers, so you might get a free year.

If you are infected, do this to remove Lumma Malware

First off, it’s quite difficult to determine whether you are infected. Warning signs: you open an attachment and a CMD window appears for a few seconds, or the attachment/installer doesn’t seem to do anything. At that point you should immediately start looking for new processes in your Task Manager by bringing it up with CTRL+Shift+ESC. The problem is that the Lumma Malware was updated to version 4.0, and that version has methods to detect whether Task Manager is open, at which point it stops its process.

At this point you have 2 options:

  1. Get an AV program to deal with it automatically. We recommend SpyHunter 5 for this (the link goes to a download page). Just install it and run it; it’ll find the Lumma Malware and remove it. SpyHunter has a free trial.
  2. Go with a manual removal approach.

    The manual removal involves a free Microsoft program called Autoruns. That program shows auto-start applications and registry entries and where they are located on your system. Download it, restart in Safe Mode with Networking (look up how online), extract Autoruns from the archive, then run Autoruns.exe.

    In the program, open the Options menu and uncheck “Hide Empty Locations” and “Hide Windows Entries”, refresh, then start looking through the entries. When you manage to determine which entry belongs to the Lumma Malware, right-click it and delete it. Then go and delete the file behind that entry; its path will have been shown in Autoruns.

    After that just restart in Windows 11’s normal mode.
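    As an added example (not part of the original post, and not a replacement for Autoruns), the PowerShell script below lists two of the auto-start locations Autoruns covers, the Run/RunOnce registry keys and enabled scheduled tasks, and flags entries whose executable no longer exists on disk or lives in a user-writable folder such as Temp, AppData or Downloads. That flagging rule is an assumption of this example, a heuristic for what to look at first, not a signature of Lumma.

```powershell
# Added example (not from the original post): list Run/RunOnce entries and scheduled-task
# actions, and flag the ones worth checking first. Flags are hints for manual review, not proof.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed heuristic: binaries launched from user-writable folders, or missing from disk, get a flag.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")
function Get-ExePath([string]$cmd) {
    # Reduce '"C:\dir\app.exe" --flag' to C:\dir\app.exe. Unquoted paths containing spaces
    # are cut at the first space; that is a known limitation of this simple parser.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}
function Test-Suspect([string]$path) {
    if (-not $path) { return $false }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -notmatch '[\\/]') {                      # bare name such as cmd.exe: resolve via PATH
        $resolved = Get-Command $path -ErrorAction SilentlyContinue
        if (-not $resolved) { return $true }
        $path = $resolved.Source
    }
    if (-not (Test-Path -LiteralPath $path)) { return $true }   # points at a file that is gone
    foreach ($root in $suspectRoots) {
        if ($root -and $path.StartsWith($root, 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}
$entries = @()
$entries += foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # provider metadata, not an autostart value
        $exe = Get-ExePath $p.Value
        [pscustomobject]@{ Source = $key; Name = $p.Name; Path = $exe; Suspect = Test-Suspect $exe }
    }
}
# Scheduled tasks are another persistence location Autoruns shows.
$entries += foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }               # COM-handler actions have no executable
        $exe = Get-ExePath $a.Execute
        [pscustomobject]@{ Source = "$($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Path = $exe; Suspect = Test-Suspect $exe }
    }
}
$entries | Sort-Object Suspect -Descending | Format-Table Suspect, Path, Source -AutoSize
```

    Run it from an elevated PowerShell window so the HKLM keys and all tasks are readable; flagged rows are the ones to compare against what Autoruns shows before deleting anything.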


About the author

Nathan Bookshire