Fake Browser Updates Distribute LummaC Stealer, Amadey and…

A TRU investigation from eSentire tracks a LummaC2-based information stealer campaign delivered via a fake Chrome browser update overlay, leading to multi-stage payloads including Amadey and PrivateLoader. The infection leverages a compromised web delivery chain, a VMware DLL loader, steganographic data in a PNG, hollowed processes and HTTP-based C2 to exfiltrate targeted credentials and crypto wallets. #LummaC2 #Amadey #PrivateLoader

Keypoints

  • LummaC2 is distributed as MaaS on Russian-language forums and targets browser credentials and cryptocurrency wallets.
  • The attack starts with a fake Chrome browser update overlay delivered by a compromised page loaded via an iframe.
  • JavaScript in the delivered HTML manipulates the page DOM and uses FingerprintJS to collect device data and send it to a third party for tracking or victim filtering.
  • The update chain redirects to a malicious ChromeSetup.exe, which loads additional payloads (Amadey and PrivateLoader) via a Windows MSI installer.
  • VMwareHostOpen.exe is used to load attacker DLLs (vmtools.dll) and patch legitimate binaries to execute shellcode, enabling process hollowing and LummaC2 execution.
  • A steganographic PNG (vmo.log) carries injection targets, write locations and embedded PE data that direct payload retrieval and C2 communications; the stealer then fetches a base64-encoded, XOR-encrypted configuration from the C2.

MITRE Techniques

  • [T1189] Drive-by Compromise – The infection was kicked off with a Google search and a fake Chrome update overlay on a legitimate page. [‘The infection was kicked off with a Google search’]
  • [T1059.007] JavaScript – The HTML loaded by the iframe contains JavaScript that manipulates the DOM and loads additional content. [‘The new HTML contains JavaScript that manipulates the DOM and replaces the entire document’]
  • [T1218] Signed Binary Proxy Execution – VMwareHostOpen.exe, a signed VMware binary, loads the attacker-supplied vmtools.dll, which patches a legitimate DLL so that execution is redirected to attacker shellcode. [‘…patched the legitimate DLL to redirect execution flow to attacker supplied shellcode.’]
  • [T1055.012] Process Hollowing – The shellcode creates a hollowed cmd.exe process, which in turn injects LummaC2 into a new explorer.exe process. [‘creates an executable section with injected code from the PNG file within mshtml.dll … hollowed cmd.exe process which in turn injects LummaC2 into a new explorer.exe process using process hollowing.’]
  • [T1027] Steganography – The vmo.log PNG contains embedded data used to stage payloads and configuration. [‘The image contains steganographic data which holds injection targets, write locations and deconstructed PE’s’]
  • [T1555.003] Credentials from Web Browsers – LummaC2 targets browser credentials and cryptocurrency wallets. [‘targets an array of information on infected systems including browser credentials and cryptocurrency accounts.’]
  • [T1041] Exfiltration Over C2 Channel – Data and system information are posted to the C2. [‘HTTP POST requests are made to the C2 to upload system information and the stolen data’]
  • [T1547.001] Startup Items – Amadey establishes persistence via the Startup folder. [‘For persistence, recent Amadey samples we analyzed established persistence using Startup Folder…’]
  • [T1053.005] Scheduled Task – Amadey also establishes persistence via a scheduled task named after the binary dropped to %temp%. [‘For scheduled tasks, the task name will match the name of the binary dropped to the %temp% directory.’]
  • [T1102] Web Services? (C2 via Web Protocols) – C2 communications over HTTP to doorblu.xyz and related domains. [‘…retrieve a base64 string containing an XOR-encrypted configuration file: doorblu[.]xyz/c2conf.’]

Indicators of Compromise

  • [Domain] wnimodmoiejn.site – Hosting Fake Update page and Keitaro TDS gateway
  • [Domain] stats-best.site/fp.php – FingerprintJS tracker
  • [Domain] ocmtancmi2c5t.xyz – Hosting MSI file
  • [Domain] doorblu.xyz – LummaC2 Stealer Command and Control
  • [Domain] costexcise.xyz – LummaC2 Stealer Command and Control
  • [Domain] lungalungaenergyltd.co.ke – Payload hosting
  • [Domain] imagebengalnews.com – Payload hosting
  • [Domain] hopvibestravel.co.za – Payload hosting
  • [IP] 45.9.74.182 – Amadey C2 Panel
  • [MD5] e07aa33f0e6aec02240a232e71b7e741 – ChromeSetup.exe
  • [MD5] 06eb333662e7f99382ec51617688b946 – Update.msi
  • [MD5] f74fd27e645afaf4e31e87bfb5cce76f – Vmtools.dll
  • [MD5] 80f2dd7209e1595cd98b2f3a94f1dcd5 – Vmo.log
  • [MD5] 7be1e9a1eade9773de6643fb1e4e0ffc – Amadey
  • [MD5] 174c448c4ba7b38a1a2bc3b1bd89a2d4 – LummaC2 Stealer
  • [MD5] 0a92cfb0a0bc8323425bc4a2a3c18693 – .NET Loader
  • [MD5] d93c5f59ddc41313bf36f106a2f1fe17 – PrivateLoader
  • and 2 more hashes

Read more: https://www.esentire.com/blog/fake-browser-updates-distribute-lummac-stealer-amadey-and-privateloader-malware