LummaC Stealer is being sold as MaaS on Russian-speaking forums and is used to procure the Amadey bot, which in turn loads and deploys the SectopRAT payload on victims’ systems. The campaign uses a loader chain with a startup persistence mechanism (LNK in the startup folder) and staged delivery to exfiltrate data and enable remote control.
Keypoints
- The LummaC Stealer is distributed via Malware-as-a-Service on Russian-speaking forums and channels, targeting data like wallets, browser data, and 2FA codes.
- LummaC now loads the Amadey Bot as a second stage from its own stealer payload, chaining the infection to deliver SectopRAT.
- The Amadey bot replicates and creates a startup LNK, establishing persistence by launching a duplicated Amadey instance at startup.
- Amadey downloads and executes SectopRAT on the victim’s system, enabling broad data theft and control capabilities.
- SectopRAT targets data from dozens of browsers and applications, including browser wallets and crypto wallets, with anti-VM/anti-emulator defenses.
- The campaign uses phishing websites and spear-phishing emails to initiate infections, often disguised as software setups or cracks.
- The operators leverage a loader chain and C2 infrastructure to exfiltrate data and deploy additional payloads in compromised networks.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – “phishing websites that impersonate genuine software sources, as well as via spear-phishing emails.”
- [T1105] Ingress Tool Transfer – The LummaC chain downloads and transfers Amadey from remote sources to stage payloads like SectopRAT. “…retrieves the Amadey bot malware by downloading it from the following URL.”
- [T1547.001] Startup Folder – Persistence via an LNK file placed in the Startup folder to relaunch Amadey: “creates an LNK file that, when clicked, executes the dropped copy of itself… This LNK file is dropped into the startup folder location to maintain persistence.”
- [T1055] Process Injection – LummaC Stealer injects into memory of RegAsm.exe: “injecting the malicious LummaC Stealer content into the memory of ‘RegAsm.exe’.”
- [T1027.005] Software Packing – The SectopRAT payload is packed/protected with a packer (Themida): “The SectopRAT is a 32-bit executable, protected using the Themida packer.”
- [T1497] Virtualization/Sandbox Evasion – Anti-VM/Anti-Emulator techniques to hinder analysis: “Anti-VM and Anti-Emulator mechanisms intended to complicate malware analysis.”
- [T1082] System Information Discovery – Collecting system details like OS version, hardware IDs, CPU, RAM, etc.: “collect important system details, such as operating system version, hardware identifiers, CPU specifications, RAM details, screen resolution, and system language.”
- [T1083] File and Directory Discovery – Targeting data from files and directories across numerous apps/browsers: “begin scanning through the target system’s directories… retrieve sensitive data from files such as ‘Cookies,’ ‘Local State,’ ‘Login Data,’ and ‘Web Data.’”
- [T1005] Data from Local System – Data theft from browsers, wallets, and extensions: “gathers sensitive information from designated applications… concentrating on web browsers, cryptocurrency wallets, two-factor authentication extensions, and others.”
- [T1003] OS Credential Dumping – Credential access related to stored login data and 2FA artifacts: “gathers data… including two-factor authentication codes.”
- [T1047] Windows Management Instrumentation – Execution technique referenced in the analysis: “Windows Management Instrumentation.”
- [T1071] Application Layer Protocol – C2 communication over HTTP-like channels: “C2 server communication” with URLs/addresses observed.
- [T1573] Encrypted Channel – Encrypted communication with C2 to exfiltrate data or receive commands: “Encrypted Channel” observed in the C2 context.
- [T1100] (Data Encrypted/Exfil) – Exfiltration of collected data to C2 endpoints (as shown by C2 traffic and exfiltration diagrams).
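The persistence (T1547.001), injection host (T1055) and staged-execution (T1105) behaviours listed above can be turned into host-telemetry checks. The following is an added detection example, not code from the original post or from Cyble; it runs over constructed Sysmon-style records whose paths mirror the IoC section while the parent process names and benign records are made up for illustration.

```python
from pathlib import PureWindowsPath

# Constructed telemetry (not from the page): loader-chain records interleaved with two benign ones.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": r"C:\Users\user\Downloads\setup.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"event": "file_create", "image": r"C:\Users\user\AppData\Local\Temp\hhwjilxtgukpvvhbpo.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk"},
    {"event": "file_create", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++.lnk"},
    {"event": "process_create", "parent": r"C:\Users\user\AppData\Local\Temp\hhwjilxtgukpvvhbpo.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\1000349051\BRR.exe"},
    {"event": "process_create", "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
]

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def _norm(path):
    """Normalise a Windows path to a lower-case string for case-insensitive matching."""
    return str(PureWindowsPath(path)).lower()


def _user_writable(path):
    return any(marker in _norm(path) for marker in USER_WRITABLE)


def detect(events):
    """Return (rule_name, event_index) pairs for records matching the loader-chain behaviours."""
    hits = []
    for i, ev in enumerate(events):
        if ev["event"] == "file_create":
            target = _norm(ev["target"])
            # Amadey persistence: an LNK written into the per-user Startup folder by a Temp/Downloads binary.
            if STARTUP_MARKER in target and target.endswith(".lnk") and _user_writable(ev["image"]):
                hits.append(("startup_lnk_from_user_writable", i))
        elif ev["event"] == "process_create":
            image, parent = _norm(ev["image"]), _norm(ev["parent"])
            # LummaC injection host: RegAsm.exe started by a parent outside Windows/Program Files.
            if PureWindowsPath(image).name == "regasm.exe" and not parent.startswith(TRUSTED_ROOTS):
                hits.append(("regasm_untrusted_parent", i))
            # Staged payloads (the Amadey copy, SectopRAT's BRR.exe) executing from %LocalAppData%\Temp.
            if _user_writable(image):
                hits.append(("exec_from_user_writable", i))
    return hits
```

The benign shortcut written by msiexec into the Start Menu (not Startup) and RegAsm launched from a Visual Studio install path are deliberately left unflagged so the rules stay tight enough for production triage.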
Indicators of Compromise
- [MD5/SHA1] LummaC Stealer exe – 507bddfabd74a3d024b2ad5f67d666ea, 78eac92e0040e033406e6786b58b8a367fe171fa, and other LummaC related hashes
- [MD5/SHA1] Amadey Bot exe – 952d825a264745bb52b6977ba5983568, 627a0a841c2fe194dd54f9ec6b0c1231d7da135f, and other Amadey Bot hashes
- [MD5/SHA256] SectopRAT exe – f290ed868caae994bbfae1b63aca1d28, 501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4
- [URL] LummaC C2 – hxxp[:]//exitlife[.]xyz/c2sock
- [URL] Amadey Payload URL – hxxp[:]//africatechs[.]com/Amdaygo[.]exe
- [URL] Amadey C2 – hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php
- [URL] SectopRAT Payload URL – hxxp[:]//patriciabono[.]com/BRR[.]exe
- [IP] IP:Port – 95[.]143[.]190[.]57:15648
- [File] Startup LNK path – C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk
- [File] Amadey Temp path – C:\Users\user\AppData\Local\Temp\hhwjilxtgukpvvhbpo.exe
- [File] SectopRAT BRR.exe path – C:\Users\user\AppData\Local\Temp\1000349051\BRR.exe
Read more: https://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/