LummaC2 Malware and Harmful Chrome Extension Distributed through DLL Files

eSentire’s Threat Response Unit uncovered LummaC2 stealer malware delivered alongside a malicious Chrome extension via a drive-by download, with a DLL side-loading chain. The incident underscores the need for strong endpoint security and user education to defend against layered, multi-stage threats.
Hashtags: #LummaC2 #DLLSideLoading #DriveByDownload #ChromeExtension #RNPKeys #get-license2 #two-root

Keypoints

  • eSentire operates 24/7 SOCs with elite threat hunters and cyber analysts.
  • August 2024 TRU investigation found LummaC2 stealer malware and a malicious Chrome extension that tampers with browser activity.
  • Delivery chain used a drive-by download of a ZIP file containing an MSI application.
  • The MSI executed a DLL side-loading technique to load the malicious payload (rnp.dll).
  • The malicious Chrome extension, once installed, manipulates web content and can capture sensitive user data.
  • TRU isolated the affected host and assisted with remediation, emphasizing endpoint security and user education.

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by download of a ZIP file containing an MSI application. ‘drive-by download that delivered a malicious ZIP archive named “x64~x32~installer___.zip” containing an MSI app packaging file.’
  • [T1574.002] DLL Side-Loading – Legitimate executable rnpkeys.exe loads the malicious rnp.dll payload. ‘Utilized a legitimate executable “rnpkeys.exe” to load the malicious “rnp.dll” payload.’
  • [T1059.001] PowerShell – PowerShell base64-encoded command retrieves the next-stage payload from the C2 and decrypts it. ‘PowerShell base64-encoded command that is responsible for retrieving the next-stage payload “02074.bs64” … and decrypting it using two rounds of XOR operations.’
  • [T1071.001] Application Layer Protocol – C2 communication with the attacker infrastructure over web endpoints (e.g., two-root[.]com/02074.bs64). ‘…C2 server at two-root[.]com/02074.bs64…’
  • [T1027] Obfuscated/Compressed Files and Information – Payload decrypted via two rounds of XOR operations. ‘decrypting it using two rounds of XOR operations.’
  • [T1082] System Information Discovery – The malware collects device information, browser details, cookies, and user agent data. ‘gathers device information including fetching hardware and system data … collects the browser’s user agent and all cookies.’

Indicators of Compromise

  • [Domain] C2 infrastructure domains – get-license2.com, two-root.com
  • [URL] C2 payload download – two-root.com/02074.bs64
  • [MD5] File hashes – 1825d0310bf5029899f42004c4a1ef83, 63efe86838e7196cedd93d7c10ac40e6
  • [File] Delivered artifacts – rnpkeys.exe, rnp.dll, nijboq.rar, x64~x32~installer___.zip, Save to Google Drive (malicious Chrome extension)
  • [Bitcoin Address] Observed in infrastructure context – bc1qvkvzfla6wrem2uf4ejkuja8yp3c6f3xf72kyc9
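As an added, defender-side example that is not part of the original report: a small Python scan that flags the indicators and techniques above in constructed Sysmon-style telemetry. The event field names, the trusted-directory list and the sample events are assumptions; only the domains, hashes and file names come from the report.

```python
"""Flag the report's indicators in constructed endpoint telemetry (added example).
Field names (Image, ImageLoaded, QueryName, Hashes) are Sysmon-style and assumed."""
import re

# Indicators taken from the report.
C2_DOMAINS = {"get-license2.com", "two-root.com"}
MD5_HASHES = {"1825d0310bf5029899f42004c4a1ef83", "63efe86838e7196cedd93d7c10ac40e6"}
SIDELOAD_PAIR = ("rnpkeys.exe", "rnp.dll")
# Assumption: a legitimately installed rnpkeys.exe lives under one of these prefixes;
# a copy loading rnp.dll from Downloads/Temp/AppData is the side-loading pattern.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _is_user_writable(path):
    return not path.lower().startswith(TRUSTED_PREFIXES)

def classify(event):
    """Return a list of finding strings for one telemetry event (empty if clean)."""
    findings = []
    kind = event.get("type")
    if kind == "image_load":
        pair = (_basename(event["Image"]), _basename(event["ImageLoaded"]))
        if pair == SIDELOAD_PAIR and _is_user_writable(event["ImageLoaded"]):
            findings.append("T1574.002 rnpkeys.exe side-loading rnp.dll from a user-writable path")
    elif kind == "dns":
        q = event["QueryName"].lower().rstrip(".")
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            findings.append(f"T1071.001 DNS query to reported C2 domain {q}")
    elif kind == "file":
        m = re.search(r"MD5=([0-9a-f]{32})", event.get("Hashes", ""), re.I)
        if m and m.group(1).lower() in MD5_HASHES:
            findings.append(f"known-bad MD5 {m.group(1).lower()} ({_basename(event['Path'])})")
    return findings

def scan(events):
    """Return (event_index, finding) pairs for every hit across a list of events."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]

# Constructed sample events, not real telemetry; the hash-to-file pairing is invented.
SAMPLE_EVENTS = [
    {"type": "image_load", "Image": r"C:\Users\alice\AppData\Local\Temp\rnpkeys.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\rnp.dll"},
    {"type": "image_load", "Image": r"C:\Program Files\RNP\rnpkeys.exe",
     "ImageLoaded": r"C:\Program Files\RNP\rnp.dll"},  # benign install location
    {"type": "dns", "QueryName": "two-root.com"},
    {"type": "dns", "QueryName": "update.microsoft.com"},
    {"type": "file", "Path": r"C:\Users\alice\Downloads\unknown-download.bin",
     "Hashes": "MD5=1825D0310BF5029899F42004C4A1EF83"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The trusted-prefix check is what keeps a properly installed RNP binary from firing; tune it to your own software inventory before running this over real image-load telemetry.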

Read more: https://www.esentire.com/blog/lummac2-malware-and-malicious-chrome-extension-delivered-via-dll-side-loading