LummaC2 is an actively distributed infostealer masquerading as illegal programs like cracks and keygens, using SEO poisoning, distribution sites, YouTube, LinkedIn, and search ads to reach victims. The malware now uses DLL side-loading or a bundled EXE/DLL, leverages Steam to obtain C2 domains, decrypts strings to fetch new C2s, and exfiltrates wallet, browser, and other sensitive data to its C2 server.
#LummaC2 #Steam #Vidar #Notion #Slack #Capcut
Keypoints
- LummaC2 is distributed as illegal software (cracks, keygens, game hacks) via multiple channels, including SEO-poisoned sites, YouTube, LinkedIn, and search ads posing as legitimate tools like Notion, Slack, and Capcut.
- The malware's delivery/execution methods vary: it can be a single EXE or a compressed package containing a malicious DLL and a legitimate EXE, using DLL side-loading to run.
- A recent variant abuses the Steam platform to acquire or switch C2 domains, allowing flexible and stealthy C2 infrastructure adjustments.
- Strings embedded in samples are encrypted (Base64 plus custom algorithms) and each sample typically contains 8 to 10 C2 domains; decryption reveals the domain list.
- Steam URL pages and account data are used to extract C2 information (including a Steam account page where strings are decrypted using a Caesar cipher).
- Upon contacting C2, LummaC2 downloads and decrypts a settings JSON that governs its payload, enabling extensive data theft from wallets, browsers, password managers, emails, VPN/FTP tools, and related applications; these exfiltrated data are sent to C2.
- The threat actors target a wide range of applications (wallets, browsers, password managers, and various software) and can update their targets via the C2-driven settings.
MITRE Techniques
- [T1574.001] Hijack Execution Flow: DLL Side-Loading - Execution of malicious code via DLL side-loading. "using the DLL side-loading technique."
- [T1027] Obfuscated/Encoded Files or Information - Strings are encrypted using Base64 and custom algorithms, with each sample containing 8-10 C2 domains on average. "The strings are encrypted using Base64 and custom algorithms."
- [T1071.001] Web Protocols - Abuse of legitimate platforms (e.g., Steam) to acquire C2 domains. "Steam is a legitimate domain with a substantial user base, meaning that threat actors can use it to reduce suspicions and easily change to another C2 when their current one is compromised."
- [T1140] Deobfuscate/Decode Files or Information - Dynamic decryption of strings to obtain C2 domains (Caesar cipher on Steam account page data). "decrypts the strings using the Caesar cipher method to obtain C2 domains."
- [T1555.003] Credentials in Password Stores - Stealing wallet program information, browser stored information, password storage program information, and other credential data. "steals wallet program information, browser stored information, password storage program information, TXT files of the user directories, messenger program information, ... and browser extension plugin (crypto wallet) information and sends them to C2."
- [T1041] Exfiltration Over C2 Channel - Exfiltrating stolen data to the command and control server. "and sends them to C2."
Indicators of Compromise
- [MD5] Malicious file hashes - 9a8cf58306ed35513e896e573c2a470f, f88602927fbdea9d9fa84f2415676a3c
- [File] Relevant data files - workstudy.ics, paseo.ini
- [Domain] C2 domains/URLs - sicillyosopzv.shop/api, unseaffarignsk.shop/api, and 6 more items
- [Domain] Steam-related C2 activity - steamcommunity.com/profiles/76561199724331900
Read more: https://asec.ahnlab.com/en/68309/