Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) – ASEC BLOG

An infostealer is being distributed by pairing a legitimately signed EXE with a malicious DLL in the same directory, so that DLL hijacking triggers the malware when the EXE runs. The threat uses in-memory decryption, DLL injection, and XOR-encrypted C2 communications to exfiltrate data and operate undetected for extended periods. Hashtags: #LummaC2 #DLLHijacking #VLCMediaPlayer #libvlccore.dll #ironwork.tiff

Keypoints

  • The malware distribution relies on DLL hijacking: a legitimate, signed EXE is delivered alongside a malicious DLL in the same folder, so that running the EXE causes it to load the malicious DLL.
  • Cracks and keygens for many different programs are used as lures, which broadens the set of legitimate EXEs being abused; downloads are often password-protected RAR archives whose password appears in the file name or on the distribution page.
  • The malicious DLL is created by modifying only a segment of a legitimate DLL; it decrypts a local data file and executes it, keeping the visible changes small to evade detection.
  • The infection chain uses legitimate components (Setup.exe and libvlccore.dll from VLC Media Player) to blend in; because part of the DLL was modified, its Authenticode signature no longer verifies, which is a detection opportunity.
  • Execution flow involves loading pla.dll into the target process and injecting the decrypted code into that DLL's memory region, using a DLL injection approach and an NTDLL relocation method.
  • A data file disguised as an image (ironwork.tiff) guides subsequent steps; after decryption, LummaC2 is generated and executed via explorer.exe, enabling data exfiltration.
  • LummaC2 is capable of exfiltrating diverse data (wallets, browser/app data, Steam, email, specific folders/files) and communicates with a C2 that responds with JSON data after XOR decryption, changing over time.
  • ASEC actively monitors and responds to this distribution pattern with automatic collection and rapid adaptation to variations.
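The signature observation in the keypoints above (clean signed EXE, DLL whose signature no longer verifies) can be turned into a simple triage rule. The script below is an added example, not ASEC's code: it assumes a file inventory with one record per file (directory, name, certificate subject, signature status) of the kind `Get-AuthenticodeSignature` or Sysinternals `sigcheck` would produce, and the inventory it processes is constructed for this example. The status vocabulary (Valid, HashMismatch, NotSigned) follows `Get-AuthenticodeSignature`.

```python
"""Triage a file inventory for the signed-EXE + tampered-DLL pairing.

Added example, not ASEC's code. Assumes an inventory with one record per
file such as Get-AuthenticodeSignature or sigcheck would give you; the
records in SAMPLE_INVENTORY are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# DLL names that appear on this page as the hijacked component. A file with one
# of these names whose signature does not verify is the strongest single signal.
ABUSED_DLL_NAMES = {
    "libeay32.dll", "winmm.dll", "xmllite.dll", "fnp_act_installer.dll",
    "vboxrt.dll", "mozglue.dll", "libvlccore.dll",
}


@dataclass(frozen=True)
class FileRecord:
    directory: str
    name: str
    signer: Optional[str]   # certificate subject, None when unsigned
    status: str             # "Valid", "HashMismatch" or "NotSigned"


def find_sideloading_candidates(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Return {directory: [reasons]} for every directory that pairs a validly
    signed EXE with a DLL that looks tampered with or replaced."""
    by_dir: Dict[str, List[FileRecord]] = defaultdict(list)
    for rec in records:
        by_dir[rec.directory].append(rec)

    findings: Dict[str, List[str]] = {}
    for directory, files in by_dir.items():
        # The lure is a clean, signed EXE; without one this pattern does not apply.
        if not any(f.name.lower().endswith(".exe") and f.status == "Valid" for f in files):
            continue
        reasons: List[str] = []
        for f in files:
            lname = f.name.lower()
            if not lname.endswith(".dll"):
                continue
            if f.status == "HashMismatch":
                # Signature block present but the bytes changed after signing:
                # what the page reports for the modified libvlccore.dll.
                reasons.append(f"{f.name}: signed but hash mismatch (modified after signing)")
            elif f.status == "NotSigned" and lname in ABUSED_DLL_NAMES:
                reasons.append(f"{f.name}: unsigned copy of a DLL name abused in this campaign")
        if reasons:
            findings[directory] = reasons
    return findings


# Constructed inventory: two lure bundles and one clean VLC install. A validly
# signed libvlccore.dll in the clean install must NOT be flagged.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Users\victim\Downloads\PSPad", "PSPad.exe", "Jan Fiala", "Valid"),
    FileRecord(r"C:\Users\victim\Downloads\PSPad", "libeay32.dll", "OpenSSL (constructed)", "HashMismatch"),
    FileRecord(r"C:\Users\victim\Downloads\vlc_setup", "Setup.exe", "VideoLAN", "Valid"),
    FileRecord(r"C:\Users\victim\Downloads\vlc_setup", "libvlccore.dll", "VideoLAN", "HashMismatch"),
    FileRecord(r"C:\Users\victim\Downloads\vlc_setup", "ironwork.tiff", None, "NotSigned"),
    FileRecord(r"C:\Program Files\VideoLAN\VLC", "vlc.exe", "VideoLAN", "Valid"),
    FileRecord(r"C:\Program Files\VideoLAN\VLC", "libvlccore.dll", "VideoLAN", "Valid"),
]

if __name__ == "__main__":
    for directory, reasons in find_sideloading_candidates(SAMPLE_INVENTORY).items():
        print(directory)
        for reason in reasons:
            print("  -", reason)
```

The rule deliberately requires a validly signed EXE in the same directory; an unsigned EXE next to a tampered DLL is a different (and more obvious) case. A DLL whose signature verifies is not flagged even when its name is on the abused list, since every clean VLC install ships a valid libvlccore.dll.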

MITRE Techniques

  • [T1574.001] DLL Side-Loading – The threat distributes a legitimate EXE with a malicious DLL in the same directory. Because Windows resolves a DLL that an EXE imports by name from the application's own directory before the system directories (KnownDLLs excepted), the EXE loads the planted DLL in place of the legitimate one. “The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL.”
  • [T1218] Signed Binary Proxy Execution – Setup.exe and libvlccore.dll are legitimate, signed components of VLC Media Player; the EXE stays clean and signed, while the DLL was partially modified so that its signature no longer verifies. “The ‘Setup.exe’ and ‘libvlccore.dll’ are legitimate components of the well-known software ‘VLC Media Player’ and are valid files with legitimate signatures. The signatures do not match since a portion of the file was modified.”
  • [T1055] Process Injection – The malware loads pla.dll into the target process and overwrites that DLL’s code region with the decrypted payload, so the malicious code runs from the address range of a legitimately loaded module. “loads (DLL injection) ‘pla.dll’ into the target process and then injects the malware into the code region of that DLL.”
  • [T1140] Deobfuscate/Decode Files or Information – The modified DLL decrypts a data file and executes it; code is encrypted and decrypted in memory to evade detection. “All the code is encrypted and executed after being decrypted in the memory in order to evade code pattern detection.”
  • [T1071.001] Web Protocols – C2 communication uses HTTP endpoints; each response carries XOR-encrypted data together with the key, and decrypts to JSON. “The C2’s responses are composed of data and an XOR key, and when decrypted, they take the form of JSON-formatted data.”
  • [T1041] Exfiltration Over C2 Channel – LummaC2 can exfiltrate various sensitive data (wallets, browser/app data, email, etc.) to the C2 and receive configuration. “LummaC2 is an Infostealer that can designate targets and install additional malware… It is capable of exfiltrating various sensitive data.”
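The C2 response format quoted under T1071.001 (XOR-encrypted data plus the key, decrypting to JSON) is enough to write a decoder that does not depend on knowing the exact layout. The script below is an added example, not ASEC's code or the malware's actual protocol: the page does not say whether the key precedes or follows the data or how long it is, so the decoder tries both placements over a range of key lengths and accepts the first result that parses as JSON. The encoder and the sample response are constructed for this example.

```python
"""Recover the JSON task from an XOR-encrypted C2 response.

Added example, not ASEC's code. The page states that a response consists of
data and an XOR key and decrypts to JSON; key position and length are not
given, so both are treated as unknowns and searched. The encoder below
exists only to build the constructed sample.
"""
import json
from itertools import cycle
from typing import Any, Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the operation is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_response(payload: Any, key: bytes, key_first: bool) -> bytes:
    """Constructed encoder: JSON-encode, XOR, and attach the key as prefix or
    suffix. The layout is an assumption made for this example."""
    data = xor_bytes(json.dumps(payload).encode("utf-8"), key)
    return key + data if key_first else data + key


def decrypt_c2_response(blob: bytes, max_key_len: int = 64) -> Optional[Tuple[Any, bytes, str]]:
    """Search key length and key position; return (json_obj, key, layout) for
    the first combination whose plaintext is a JSON object or array, else None."""
    upper = min(max_key_len, len(blob) - 1)   # leave at least one data byte
    for key_len in range(1, upper + 1):
        for layout in ("prefix", "suffix"):
            if layout == "prefix":
                key, data = blob[:key_len], blob[key_len:]
            else:
                data, key = blob[:-key_len], blob[-key_len:]
            plain = xor_bytes(data, key)
            # Cheap filter before paying for a JSON parse: a wrong guess will
            # occasionally produce a leading '{' or '[' but never a full document.
            if not plain or plain[0] not in b"{[":
                continue
            try:
                obj = json.loads(plain.decode("utf-8"))
            except (UnicodeDecodeError, json.JSONDecodeError):
                continue
            if isinstance(obj, (dict, list)):
                return obj, key, layout
    return None


# Constructed sample: a 16-byte key appended after the data.
SAMPLE_KEY = bytes(range(0x90, 0xA0))
SAMPLE_TASK = {"id": "task-1", "action": "collect", "targets": ["wallets", "browsers"]}
SAMPLE_RESPONSE = build_response(SAMPLE_TASK, SAMPLE_KEY, key_first=False)

if __name__ == "__main__":
    found = decrypt_c2_response(SAMPLE_RESPONSE)
    if found is None:
        print("no JSON plaintext found")
    else:
        obj, key, layout = found
        print(f"layout={layout} key={key.hex()}")
        print(json.dumps(obj, indent=2))
```

Searching rather than hardcoding the layout matters here because the page notes that the C2 responses change over time; a decoder pinned to one observed sample breaks on the next variant, while the JSON plaintext is a stable oracle for a correct guess.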

Indicators of Compromise

  • [File Name] PSPad.exe, WizTree.exe, InstallShield SetupSuite.exe, TSConfig.exe, VBoxSVC.exe, vlc.exe and other legitimate EXEs used as lures, together with their paired DLLs (2 more file names and hashes are listed in the original IOC table)
  • [DLL Name] libeay32.dll, winmm.dll, Xmllite.dll, FNP_Act_Installer.dll, VBoxRT.dll, mozglue.dll, and 2 more
  • [Publisher/Signer] Jan Fiala, Antibody Software Limited, Flexera Software LLC, Oracle Corporation, VideoLAN (vlc.exe), and 2 more
  • [C2 URL] hxxp://go-vvv[.]com/hittest.php, hxxp://cloudsaled[.]xyz/, hxxp://hokagef[.]fun/api, and 12 more

Read more: https://asec.ahnlab.com/en/58319/