Hackers Using Weaponized Invoice To Deliver LUMMA Malware

Hackers Using Weaponized Invoice To Deliver LUMMA Malware

Perception Point’s team of researchers recently investigated a malware attack aimed to bypass threat detection engines. The sophisticated attack was caught by our advanced threat prevention platform; the payload was detected by our next-gen sandboxing technology. Read on to learn more.


In this campaign, the attacker impersonates a financial services company and sends the target an email containing a fake invoice. The user is prompted to click on the button “View & Download Invoice.” To add legitimacy to the message, a legitimate website is included in the message to serve as an alternative to clicking the button.

Upon clicking on the button to view the invoice, the user is sent to a website that is unavailable. The user must instead go back to the email and click on the website link.

The attacker uses the unavailable page and the legitimate website link as a form of evasion, to avoid detection. When most security solutions scan the message, they are unable to locate the malicious payload, as the button (the first link) leads to an error page and the second link’s URL seemingly belongs to  a non-malicious website. 

However, when the user clicks on the website link, they are redirected to another URL, which automatically triggers the download of a JavaScript file, containing several other files including the malicious payload. 

It is important to note that the attacker had to first breach the legitimate website in order to host the URL redirect.

Looking at the website code shows that there are m ..

Support the originator by clicking the read the rest link below.