LummaC2 is a new Infostealer sold on the dark web and spread by a threat group disguising it as illegal cracks and keygens. The campaign uses obfuscation, anti-sandbox checks, and C2 communications to exfiltrate data from targeted browsers and wallet apps. #LummaC2 #RaccoonV2 #Vidar #CryptBot
Key Points
- The LummaC2 stealer is marketed on the dark web and distributed by actors posing as crack distributors since early 2023.
- Initial distribution leads users to malicious pages via cracked software prompts, with downloads often routed through services like MediaFire or MEGA.
- Distribution takes three forms: a CryptBot-like variant, a loader that downloads a DLL from the C2, and the payload itself masquerading as a setup file.
- LummaC2 employs string and code obfuscation, dynamic API resolution, and multiple anti-analysis checks to hinder security researchers.
- C2 communication sends ZIP-compressed data via HTTP POST to /c2sock with a TeslaBrowser User-Agent and includes identifiers such as hwid, pid, and lid.
- The stealer targets a wide range of data, including browser data, crypto wallets, screenshots, system information, installed programs, email clients, and other apps.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – The malware is downloaded after users click on cracked software pages and are prompted to download a compressed file; quote: “When users access the URL displayed on the web page or click the Download button, they will download the malware in a compressed format.”
- [T1036] Masquerading – LummaC2 is distributed disguised as illegal programs such as cracks and keygens; quote: “distributed disguised as illegal programs such as cracks and keygens.”
- [T1027] Obfuscated/Compressed Files and Information – The sample obfuscates its strings, inserting strings such as “edx765” between the meaningful content; quote: “String obfuscation” and “edx765” strings between malicious content.
- [T1106] Native API – APIs are resolved dynamically by reading the loaded target DLL’s export table directly, rather than through the Import Table or GetProcAddress; quote: “the loaded target DLL is directly accessed to obtain the API address.”
- [T1497] Virtualization/Sandbox Evasion – Anti-sandbox checks are employed, including DLL loading checks, sleep evasion, and account/computer name checks; quote: “3 functions that appear to be for the purpose of anti-sandbox” and “DLL named ‘ters-alreq-std-v19.dll’.”
- [T1560.001] Archive Collected Data – Data is compressed into ZIP before exfiltration; quote: “information is compressed into a ZIP and transferred.”
- [T1071.001] Web Protocols – C2 communication uses HTTP POST to /c2sock with User-Agent “TeslaBrowser/5.5”; quote: “The HTTP POST method is used when transferring to the C2, where the path is ‘/c2sock’ and the User-Agent is ‘TeslaBrowser/5.5’.”
- [T1555.003] Credentials from Web Browsers – The theft targets include browser data and wallet extensions; quote: “Browser Data Chrome, Chromium, Edge, Kometa, Opera Stable,…”
- [T1518] Software Discovery – Installed program information is among the targeted data; quote: “Installed Program Information.”
- [T1082] System Information Discovery – The targeted data includes system information; quote: “System Information” in the Targeted for Theft list.
- [T1113] Screen Capture – Screenshots are among the targeted data; quote: “Screenshots” in the Targeted for Theft list.
Indicators of Compromise
- [File Hash] 4589fa36cb0a7210fe79c9a02966a320, 3f4533e8364f96b90d7fcb413fc8b57c, and 2 more hashes (Infostealer/Win.LummaC2.C5394249 and related variants)
- [IP Address] 82.118.23.50 – C2 infrastructure endpoint (c2sock)
- [URL] hxxp://82.118.23.50/c2sock – C2 communication endpoint
- [Campaign/ID] Lumma IDs: iOqpIq, RIIoQe–p5, RIIoQe–p10
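The C2 pattern summarised under Key Points and T1071.001 (HTTP POST to /c2sock, User-Agent “TeslaBrowser/5.5”, hwid/pid/lid identifiers) together with the IP and URL indicators above can be turned into detection logic for proxy or packet captures. The following is an added example written for this digest; it is not code from the original post or from ASEC. The scoring tiers, the raw-request format it parses, and the sample requests (including the 203.0.113.7 host and the PLACEHOLDER-* field values) are constructed for illustration; only the path, User-Agent, C2 IP and field names come from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Indicators taken from the digest above.
C2_PATH = "/c2sock"
C2_USER_AGENT = "TeslaBrowser/5.5"
C2_IP = "82.118.23.50"
# Identifiers the digest says the stealer includes in its C2 traffic.
C2_FIELDS = frozenset({"hwid", "pid", "lid"})


@dataclass
class Verdict:
    """Result of checking one HTTP request against the LummaC2 C2 pattern."""
    method: str
    host: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def matched(self) -> bool:
        # Alert on the known C2 host alone, or on the path plus User-Agent
        # combination, which remains a usable fingerprint if the IP changes.
        return "c2_host" in self.reasons or (
            "c2_path" in self.reasons and "c2_user_agent" in self.reasons
        )


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def body_field_names(content_type: str, body: str) -> set:
    """Return the form field names present in a urlencoded or multipart body."""
    if content_type.startswith("multipart/form-data"):
        return set(re.findall(r'name="([^"]+)"', body))
    return set(parse_qs(body, keep_blank_values=True))


def check_request(raw: str) -> Verdict:
    """Score one request against the indicators from the digest."""
    method, path, headers, body = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0]
    verdict = Verdict(method, host, path)
    if host == C2_IP:
        verdict.reasons.append("c2_host")
    if method == "POST" and path == C2_PATH:
        verdict.reasons.append("c2_path")
    if headers.get("user-agent") == C2_USER_AGENT:
        verdict.reasons.append("c2_user_agent")
    if C2_FIELDS <= body_field_names(headers.get("content-type", ""), body):
        verdict.reasons.append("c2_fields")
    return verdict


def scan_requests(requests: List[str]) -> List[Verdict]:
    """Return verdicts for every request that matched the C2 pattern."""
    return [v for v in map(check_request, requests) if v.matched]


# Constructed sample traffic (not captured data): a benign GET, a beacon to
# the reported C2 IP, a beacon to a hypothetical new IP (203.0.113.7) that
# keeps the path and User-Agent, and a benign POST that only shares the path.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "POST /c2sock HTTP/1.1\r\nHost: 82.118.23.50\r\n"
    "User-Agent: TeslaBrowser/5.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "hwid=PLACEHOLDER-HWID&pid=PLACEHOLDER-PID&lid=PLACEHOLDER-LID",
    "POST /c2sock HTTP/1.1\r\nHost: 203.0.113.7\r\n"
    "User-Agent: TeslaBrowser/5.5\r\n"
    "Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
    '--XX\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nH\r\n'
    '--XX\r\nContent-Disposition: form-data; name="pid"\r\n\r\nP\r\n'
    '--XX\r\nContent-Disposition: form-data; name="lid"\r\n\r\nL\r\n--XX--\r\n',
    "POST /c2sock HTTP/1.1\r\nHost: intranet.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\ndata=1",
]

if __name__ == "__main__":
    for v in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {v.method} {v.host}{v.path} reasons={v.reasons}")
```

Running the block flags the two beacons and ignores the internal POST that merely reuses the /c2sock path, which is why the verdict requires either the known host or the path and User-Agent together rather than any single indicator.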
Read more: https://asec.ahnlab.com/en/50594/