LummaC2 is a sophisticated infostealer that masquerades as pirated or modified legitimate software to evade detection. It harvests credentials, email data, and cryptocurrency wallet information, then exfiltrates them to attacker-controlled C2 domains for sale or follow-on attacks. #LummaC2 #AhnLab
Keypoints
- LummaC2 is distributed disguised as illegal or pirated software and injected into legitimate programs to avoid detection.
- The malware steals sensitive information, including account credentials, email data, and cryptocurrency wallet details.
- Stolen data is exfiltrated to attacker-controlled command-and-control domains and may be sold on the dark web or used in further attacks.
- Distribution relies on modifying legitimate files to include the malware, making detection and attribution more difficult.
- Threat actors use multiple C2 domains and obfuscation techniques to maintain persistence and communication.
- AhnLab has automated processes for collecting and analyzing samples of this malware.
- Users are advised to avoid files from untrusted sources and to be cautious of invalidly signed executables.
MITRE Techniques
- [T1003] Credential Dumping - Extracts account credentials from browsers and applications ("Extracts account credentials from browsers and applications.")
- [T1486] Data Encrypted for Impact - Encrypts or otherwise impacts access to data to extort or disrupt victims ("Encrypts data to prevent access and extort victims.")
- [T1071] Command and Control - Uses multiple attacker-controlled command and control domains to communicate with compromised hosts ("Utilizes multiple command and control domains to maintain communication with compromised systems.")
Indicators of Compromise
- [URL] C2 domains used by LummaC2 - https://authorisev[.]site/api, https://bakedstusteeb[.]shop/api, and 3 more domains
- [File Hash] Sample malware hashes - 2871fb22369890c609fdb067db060c42, 3079439be9235f321baab3ae204a7b8b, and 3 more hashes
Read more: https://asec.ahnlab.com/en/84556/