Two infostealer families, LummaC2 and RecordBreaker, are being distributed as binaries signed with abnormal certificates whose Subject and Issuer fields are unusually long and contain non-English text; the signatures do not validate, and Windows does not display the certificate details for these files without a dedicated inspection tool. The samples reach victims through SEO-poisoned pages, and the operation shows evolving C2 infrastructure, multi-stage payloads (LummaC2 installs Amadey and ClipBanker), and active theft of credentials, documents and cryptocurrency wallet files. #LummaC2 #RecordBreaker #Amadey #ClipBanker #AhnLab #abnormalCertificate
Keypoints
- LummaC2 and RecordBreaker are the predominant infostealer families in the current campaign.
- Abnormal certificates with unusually long Subject/Issuer fields are used to distribute the malware, with non-English characters in signature strings.
- The signature does not validate (the certificate is not valid for code signing), and Windows does not display the certificate details for these files; a dedicated inspection tool is needed to see the Subject and Issuer strings.
- Malware is spread via SEO-poisoned pages that rank in search results, using keywords related to illegal programs like serials, keygens, and cracks.
- LummaC2 evolves to download configuration from its C2 and to install Amadey and ClipBanker as additional components.
- RecordBreaker uses distinctive User-Agent strings (e.g., “GeekingToTheMoon”) and adapts its C2 communications; LummaC2 periodically changes C2 endpoints and versioning.
- ClipBanker monitors the clipboard to replace cryptocurrency wallet addresses; Amadey serves as a downloader to deploy further malware.
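One way to turn the certificate observation above into a check, as an added example that is not code from the ASEC write-up: decode the DER-encoded X.501 Name (the Subject or Issuer of the signer certificate) and flag names that are abnormally long, contain non-ASCII scripts, or are dominated by punctuation and symbols. The block carries its own minimal DER encoder so it can construct a normal and an abnormal sample Name offline; the sample values, the 256-character length threshold and the 25 % punctuation ratio are assumptions, not figures from the page.

```python
"""Flag X.501 Names (certificate Subject / Issuer) that look like the abnormal
certificates described above: oversized, non-English scripts, heavy punctuation.
Added example; thresholds and sample Names are assumptions, not from the write-up.
"""
import unicodedata

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
# ASN.1 string tags we expect inside a Name and how to decode them
STRING_CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}
OID_LABELS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
LABEL_OIDS = {v: k for k, v in OID_LABELS.items()}

MAX_TOTAL_LEN = 256      # assumption: flag Names with more characters than this
MAX_PUNCT_RATIO = 0.25   # assumption: flag attributes that are mostly punctuation


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def encode_name(attrs):
    """Build Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    rdns = b"".join(
        der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE,
                der_tlv(TAG_OID, LABEL_OIDS[label]) + der_tlv(0x0C, value.encode("utf-8"))))
        for label, value in attrs)
    return der_tlv(TAG_SEQUENCE, rdns)


def read_tlv(buf, pos):
    """Return (tag, content, next_offset) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_name(der):
    """Parse a DER Name into an ordered list of (label, text) attributes."""
    tag, body, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, q)
            text = val.decode(STRING_CODECS.get(vtag, "latin-1"), "replace")
            attrs.append((OID_LABELS.get(oid, "OID." + oid.hex()), text))
    return attrs


def name_anomalies(der):
    """Return human-readable findings; an empty list means the Name looks ordinary."""
    attrs = decode_name(der)
    findings = []
    total = sum(len(v) for _, v in attrs)
    if total > MAX_TOTAL_LEN:
        findings.append(f"total attribute length {total} exceeds {MAX_TOTAL_LEN}")
    for label, value in attrs:
        # first word of the Unicode name gives the script: ARABIC, CJK, KATAKANA, ...
        scripts = sorted({unicodedata.name(c, "UNKNOWN").split()[0] for c in value if ord(c) > 0x7F})
        if scripts:
            findings.append(f"{label} contains non-ASCII text ({', '.join(scripts)})")
        punct = sum(1 for c in value if unicodedata.category(c)[0] in "PS")
        if value and punct / len(value) > MAX_PUNCT_RATIO:
            findings.append(f"{label} is {punct}/{len(value)} punctuation or symbols")
    return findings


# Constructed sample Names (assumptions, not certificates from the campaign)
NORMAL_SUBJECT = encode_name([("C", "US"), ("O", "Contoso Ltd"), ("CN", "Contoso Code Signing")])
ABNORMAL_SUBJECT = encode_name([
    ("C", "US"),
    ("O", "Premium Software Licensing Authority, Inc. -- Trusted Installer Services"),
    ("CN", "!!Installer!! ;;; شركة البرمجيات ;;; ソフトウェア株式会社 ;;; #!#!#!# " * 6),
])

if __name__ == "__main__":
    for tag, der in (("normal", NORMAL_SUBJECT), ("abnormal", ABNORMAL_SUBJECT)):
        print(tag, len(der), "bytes:", name_anomalies(der) or "no findings")
```

To run this against a real signed binary, extract the signer certificate from the Authenticode signature and pass the DER of its Subject (for instance `cert.subject.public_bytes()` from the `cryptography` package, an assumed integration) to `name_anomalies`; the same call works for the Issuer.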
MITRE Techniques
- [T1059.001] PowerShell – Used to download and execute PowerShell commands from a specific address. ‘The latest sample currently in circulation… consists of a string that URL encoded a malicious script. This script is designed to download and execute PowerShell commands from a specific address, but it is currently incapable of downloading. This script does not get executed during the infection process.’
- [T1071.001] Web Protocols – C2 communications with remote servers as LummaC2 evolves its endpoints. ‘C2 communication of the most recent LummaC2 sample’
- [T1189] Drive-by Compromise – Distribution via malicious pages accessible through search engines (SEO poisoning). ‘These types of malware are distributed via malicious pages that are easily accessible through search engines (SEO poisoning)…’
- [T1105] Ingress Tool Transfer – Downloading and installing additional malware (Amadey and ClipBanker); the C2 interaction for configuration and delivery is described as ‘Downloads additional malware’ and ‘downloading the configuration information from the “/c2conf” address and transmitted the information to the “/c2sock” address’.
- [T1115] Clipboard Data – ClipBanker monitors clipboard and can replace crypto wallet addresses. ‘ClipBanker is a type of malware that monitors the clipboard. If it detects the address of a cryptocurrency wallet being copied, it is changed to the threat actor’s address.’
- [T1041] Exfiltration Over C2 – Theft of sensitive user data transmitted to threat actors. ‘transmit sensitive user information such as browser-saved account credentials, documents, cryptocurrency wallet files, etc., to the threat actor’
- [T1027] Obfuscated/Compressed Files and Information – Signature strings include non-English characters and punctuation. ‘signature strings… include Arabic, Japanese, and other non-English languages, along with special characters and punctuation marks.’
Indicators of Compromise
- [Hash] Malware sample hashes – eae39f18a51c151601eaf430245d3cb4, 3c39098b93eb02c664d09e0f94736d95
- [IP Address] C2/delivery hosts – 49.13.59.137, 95.216.166.188
- [Domain] C2 and distribution domains – blockigro.xyz, programmbox.xyz
- [URL] Download/loader URLs – hxxp://imagebengalnews.com/amday.exe, hxxp://enfantfoundation.com/amday.exe
- [URL] Additional downloader sources – hxxp://vbglimited.com/Amdays.exe, hxxp://moshito-marketing.com/Amda.exe
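The indicators above, the LummaC2 “/c2conf” and “/c2sock” endpoints and the RecordBreaker User-Agent can be hunted for together in web-proxy logs. The following is an added example, not code from the ASEC write-up; the log format (timestamp, client IP, method, URL, quoted User-Agent) and the sample lines are constructed, while the indicator values are the ones listed on this page.

```python
"""Hunt web-proxy logs for the network indicators of this campaign.
Added example; the log format and the sample log lines are constructed.
"""
import re
from urllib.parse import urlparse

IOC_HOSTS = {
    "49.13.59.137", "95.216.166.188",             # C2/delivery IPs
    "blockigro.xyz", "programmbox.xyz",           # C2/distribution domains
    "imagebengalnews.com", "enfantfoundation.com",
    "vbglimited.com", "moshito-marketing.com",    # Amadey download hosts
}
C2_PATHS = {"/c2conf", "/c2sock"}                 # LummaC2 config fetch / data send
SUSPICIOUS_UA = {"GeekingToTheMoon"}              # RecordBreaker User-Agent
# amday.exe, Amdays.exe, Amda.exe as seen in the download URLs above
AMADEY_NAME = re.compile(r"/amdays?\.exe$|/amda\.exe$", re.I)

# assumed format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return (timestamp, client, [reasons]) for a suspicious line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, ua = m.groups()
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname in IOC_HOSTS:
        reasons.append(f"IOC host {parsed.hostname}")
    if parsed.path in C2_PATHS:
        reasons.append(f"LummaC2 endpoint {parsed.path}")
    if ua in SUSPICIOUS_UA:
        reasons.append(f"RecordBreaker User-Agent {ua!r}")
    if AMADEY_NAME.search(parsed.path):
        reasons.append(f"Amadey payload name {parsed.path.rsplit('/', 1)[-1]}")
    return (ts, client, reasons) if reasons else None


def hunt(lines):
    """Scan an iterable of log lines and return the suspicious ones in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log: one host fetching Amadey, talking to LummaC2 and
# RecordBreaker C2, surrounded by benign traffic.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z 10.0.0.17 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T09:12:41Z 10.0.0.17 GET http://imagebengalnews.com/amday.exe "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-03-01T09:13:02Z 10.0.0.17 POST http://blockigro.xyz/c2conf "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-03-01T09:13:05Z 10.0.0.17 POST http://95.216.166.188/ "GeekingToTheMoon"
2024-03-01T09:14:10Z 10.0.0.23 GET https://updates.example.org/patch.msi "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

if __name__ == "__main__":
    for ts, client, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(ts, client, "; ".join(reasons))
```

Matching on the parsed hostname rather than a substring of the URL avoids false hits on look-alike domains that merely contain an indicator, and the path check for “/c2conf” and “/c2sock” catches LummaC2 traffic even after the operator rotates to a host that is not yet on the list.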
Read more: https://asec.ahnlab.com/en/57553/