LummaC2 is an evolving piece of malware designed for information theft, particularly targeting crypto wallets and sensitive user data. It has adopted advanced obfuscation techniques and exploitations of recent vulnerabilities to evade detection. Its modular architecture allows flexible adaptations for specific attack scenarios, emphasizing the importance of regular software updates to mitigate such threats. Affected: malware, crypto wallets, web browsers, user data
Key points:
- LummaC2 is an information stealer written in C that has been sold on underground forums since December 2022.
- Utilizes advanced obfuscation and anti-sandbox techniques to evade detection and analysis.
- Targets crypto wallets, browsers, and two-factor authentication extensions to steal sensitive information.
- Relies on sophisticated networking communications with its Command and Control (C2) server, performing exfiltration via HTTP POST requests.
- Offers different versions for sale, with prices ranging from 0 to ,000 depending on features.
- Employed methods like API hashing to conceal functionality from static analysis tools.
- Targets specific cryptocurrencies including Binance, Electrum, and Ethereum, as well as various web browsers.
- Adapts its tactics continuously, making timely software updates crucial for defense.
- Exfiltrates data using a ZIP compression method over HTTP, sending sensitive files back to the C2.
MITRE Techniques:
- T1071.001 - Application Layer Protocol: LummaC2 communicates with its C2 server using HTTP to exfiltrate sensitive data.
- T1005 - Data from Local System: Collects data from the user's machine including hardware information and important files.
- T1567.002 - External Remote Services: Utilizes APIs to facilitate data transmission to the C2 server.
- T1068 - Exploitation for Privilege Escalation: Exploits vulnerabilities found in updated software systems.
- T1486 - Data Encrypted for Impact: Compresses stolen data in ZIP files prior to exfiltration.
Indicators of Compromise:
- [Hash] 277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf
- [C2] 195[.]123[.]226[.]91
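The two indicators above can be turned into a simple triage check. The following Python is an added example, not code from the report or from Outpost24: it refangs the defanged C2 address, looks for HTTP POST traffic to it in proxy logs (the exfiltration pattern described in the key points), compares observed file hashes against the published SHA-256, and flags a captured POST body that starts with the ZIP magic bytes. The log lines and POST bodies are constructed sample data, not captures from a real incident.

```python
import hashlib
import re

# Indicators as published in the report above (defanged form kept as-is)
REPORTED_SHA256 = "277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf"
REPORTED_C2_DEFANGED = "195[.]123[.]226[.]91"

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('195[.]123[.]226[.]91', 'hxxp://') into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def scan_proxy_log(lines, c2_ip):
    """Return log lines showing an HTTP POST to the given C2 address."""
    pattern = re.compile(r"\bPOST\b.*\b" + re.escape(c2_ip) + r"\b")
    return [line for line in lines if pattern.search(line)]


def match_file_hashes(observed, known_bad):
    """Return observed SHA-256 values (normalised to lowercase) that appear in the known-bad set."""
    bad = {h.lower() for h in known_bad}
    return sorted(h.lower() for h in observed if h.lower() in bad)


def looks_like_zip(body: bytes) -> bool:
    """True when a captured POST body begins with the ZIP signature."""
    return body.startswith(ZIP_MAGIC)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample proxy log lines (hypothetical, not from the report)
SAMPLE_LOG = [
    "2024-01-10T10:00:01Z host1 GET http://example.org/index.html 200 bytes=5120",
    "2024-01-10T10:00:07Z host1 POST http://195.123.226.91/api 200 bytes=48213",
    "2024-01-10T10:00:09Z host2 POST http://10.0.0.5/upload 200 bytes=120",
    "2024-01-10T10:00:12Z host1 GET http://195.123.226.91/ping 200 bytes=12",
]

# Constructed POST bodies: one ZIP-like, one plain form data
SAMPLE_BODIES = {
    "host1": ZIP_MAGIC + b"\x14\x00\x00\x00" + b"constructed-archive-bytes",
    "host2": b"user=alice&action=save",
}

# Constructed list of file hashes seen on an endpoint; one is the reported sample
OBSERVED_HASHES = [
    sha256_of(b"constructed benign file"),
    REPORTED_SHA256.upper(),
]


def triage():
    """Run all three checks and return a summary dict."""
    c2 = refang(REPORTED_C2_DEFANGED)
    return {
        "c2_posts": scan_proxy_log(SAMPLE_LOG, c2),
        "zip_bodies": sorted(h for h, b in SAMPLE_BODIES.items() if looks_like_zip(b)),
        "hash_hits": match_file_hashes(OBSERVED_HASHES, {REPORTED_SHA256}),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Only the POST to the C2 address is reported, not the GET to the same host, so the check stays tied to the exfiltration behaviour the report describes; widen the regex if you also want beaconing traffic surfaced.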
Full Story: https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer/