CRIL researchers uncovered LummaC2 Stealer, a 32-bit GUI malware targeting Chromium and Mozilla browsers to exfiltrate crypto wallets, browser extensions, and 2FA data. The campaign includes a Russian-language seller site, Telegram channels, and active C2 servers in Bulgaria and Germany, with detailed technical and IoC insights provided. #LummaC2Stealer #CryptoWallets #2FAExtensions
Key points
- LummaC2 Stealer targets both Chromium- and Mozilla-based browsers (including Chrome, Edge, Firefox, and others) to harvest wallet data, 2FA extensions, and browser-stored information.
- The malware’s seller ecosystem is advertised on a dark-web/Russian-language site, with pricing tiers from $250 to $20,000 depending on the plan.
- CRIL notes two active C2 servers associated with LummaC2, with IPs located in Bulgaria and Germany, and a dedicated login page for C2 control.
- The stealer performs multi-stage data collection, including system information, a file grabber (collecting .txt files), wallet data, and 2FA extension details, before exfiltrating the data to C2.
- Detection evasion relies on obfuscated strings that incorporate a random ‘edx765’ marker, which the malware later decodes to reveal the original strings.
- The campaign includes two Russian Telegram channels: one for sharing information about LummaC2 and another for reporting bugs.
MITRE Techniques
- [T1140] Deobfuscate/Decode Files or Information – The stealer uses obfuscated strings with a random marker “edx765”. When executed, it strips the random string to reveal the original content: “Obfuscated strings that are being covered by a random string, ‘edx765’, to evade detection. Upon execution, the stealer passes the obfuscated string to a function that strips the random string and delivers the original string.”
- [T1562] Impair Defenses – By employing obfuscation to evade detection, the malware attempts to compromise defensive measures; “Obfuscated strings… to evade detection.”
- [T1082] System Information Discovery – The malware collects LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory, storing this in memory as system.txt.
- [T1083] File and Directory Discovery – The stealer enumerates the %userProfile% directory and grabs .txt files from the victim's machine for exfiltration.
- [T1119] Automated Collection – It automates collection of system information and other data, storing it in memory for later exfiltration.
- [T1005] Data from Local System – The malware aggregates various local data (system info, browser/extension data, wallet data) before sending to C2.
- [T1071] Application Layer Protocol – It communicates with C2 via application-layer protocols, as illustrated by initial C2 communication and the C2 panel.
- [T1020] Automated Exfiltration – After gathering data, the stealer encrypts it and transmits it to the C2 server.
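As an added example (not code from Cyble's report or from the stealer itself), the following Python mirrors the T1140 decoding step from the analyst's side: it pulls printable runs out of a constructed byte blob, strips the “edx765” marker to recover the original strings, and scores marker density as a triage heuristic. The sample bytes, the `infer_marker` heuristic (for builds where the random marker is not yet known) and all function names are assumptions.

```python
import re
from collections import Counter
from typing import Iterator, List, Tuple

# Marker reported for this sample; the report says it is a random string, so other builds may differ.
MARKER = b"edx765"

def printable_runs(data: bytes, min_len: int = 6) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for runs of printable ASCII, like the `strings` utility does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.start(), m.group()

def strip_marker(obfuscated: bytes, marker: bytes = MARKER) -> bytes:
    """Analyst-side mirror of the decoding step: remove every copy of the marker."""
    return obfuscated.replace(marker, b"")

def recover_strings(data: bytes, marker: bytes = MARKER) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, obfuscated, decoded) for every printable run containing the marker."""
    return [(off, run, strip_marker(run, marker))
            for off, run in printable_runs(data) if marker in run]

def infer_marker(data: bytes, length: int = 6) -> bytes:
    """Heuristic (an assumption, not from the report): a marker injected into many strings
    shows up as the most frequent fixed-length substring across printable runs."""
    counts: Counter = Counter()
    for _, run in printable_runs(data):
        counts.update(run[i:i + length] for i in range(len(run) - length + 1))
    return counts.most_common(1)[0][0] if counts else b""

def marker_density(data: bytes, marker: bytes = MARKER) -> float:
    """Triage score: marker occurrences per KiB of input; benign binaries sit near zero."""
    return data.count(marker) * 1024 / max(len(data), 1)

# Constructed sample: two fake obfuscated strings and one plain string amid filler bytes.
SAMPLE = (b"\x00" * 16
          + b"Loginedx765 Daedx765ta\\edx765Default" + b"\x00\x00"
          + b"wedx765allet.datedx765" + b"\xff" * 8
          + b"Screen Resolution")

if __name__ == "__main__":
    for off, raw, clean in recover_strings(SAMPLE):
        print(f"0x{off:04x}: {raw!r} -> {clean!r}")
    print("inferred marker:", infer_marker(SAMPLE))
    print(f"marker density: {marker_density(SAMPLE):.1f} per KiB")
```

Running it against a real dump, `recover_strings` lists only runs that contain the marker, so plain strings such as the system.txt field names are left out of the report.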
Indicators of Compromise
- [Hash] MD5 – 1995a54dba0e05d80903d3d210c1e3da, a09daf5791d8fd4b5843cd38ae37cf97
- [Hash] SHA1 – c43316ddcb51e143ab53f996587c23ea4985f6ea, 2c11592f527a35c3dac75139e870dd062b12dfe1
- [Hash] SHA256 – 277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf, d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264
- [IP] LummaC2 C&C – 195.123.226.91, 144.76.173.247
Read more: https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/