Ontinue has discovered a new LummaC2 malware variant with increased activity, using PowerShell for initial infection and employing obfuscation and process injection to steal sensitive data. This version utilizes advanced techniques for detecting human users, posing significant risks to cybersecurity.
Zürich, Switzerland-based cybersecurity firm Ontinue has uncovered a new sample of the LummaC2 malware (also known as Lumma information stealer), revealing a high uptick in its activity in recent weeks. This variant leverages PowerShell for initial infection and employs a combination of obfuscation and process injection to steal sensitive data.
The malware, initially detected through a series of PowerShell commands, downloads and executes a payload on the targeted endpoint. Ontinue’s analysis delves into the malware’s stages, from the initial PowerShell command to the subsequent payload decryption and execution, providing a detailed look at the threat actor’s tactics, techniques, and procedures (TTPs).
What is LummaC2?
Lumma is a C-based information-stealing malware that has been observed being used as Malware-as-a-Service (MaaS) since 2022. Once deployed, Lumma steals sensitive data from the infected system and exfiltrates it to a command and control server.
In January 2024, Lumma was discovered to be spreading through cracked software distributed via compromised YouTube channels. Earlier, in November 2023, researchers had identified a new version of LummaC2, called LummaC2 v4.0, which was stealing user data using trigonometric techniques to detect human users.
I hereby confirm. https://t.co/1q4cARQLDM pic.twitter.com/GEBzqJeaSs
— Waqas (@WAK4S) December 31, 2023
Key Findings
According to Ontinue’s technical research shared with Hackread.com ahead of publication on Wednesday, the new malware sample employs a PowerShell-encoded command to download LummaC2 malware, which is obfuscated but can be decoded to reveal a series of steps leading to the execution of a second-stage payload. This payload is encrypted using AES, with the decryption key embedded within the PowerShell command, allowing analysts to examine the malicious code.
The second stage of the malware, a PE file, injects malicious code into the legitimate Windows process “dllhost.exe,” enabling command and control communication, data exfiltration, and ensuring persistence by writing to the registry.
The malware communicates with a Command and Control (C2) server located at the IP address 188.68.22048, using HTTP POST requests to the endpoint /cfg, indicating its role in data exfiltration or command execution. The malware also employs a high level of obfuscation and techniques like masquerading to evade detection, including using a custom User-Agent string to avoid being identified.
Mitigation
To mitigate these threats, organizations should deploy and configure Endpoint Detection and Response (EDR) solutions to detect suspicious activities such as process injection, unusual process execution, and file modifications. Implementing Attack Surface Reduction (ASR) rules can block potentially malicious behaviours, such as executable content from email clients, protect against credential theft, and block executables that don’t meet specific criteria.
Additionally, Ontinue has identified various Indicators of Compromise (IOCs), including URLs, IP addresses, and file names associated with this LummaC2 variant, which can be used to proactively detect and block malicious activities.
This new LummaC2 variant highlights the ongoing threat posed by information-stealing malware and the need for organizations to implement robust security measures to protect against these attacks. The findings from Ontinue provide valuable insights into the tactics employed by threat actors and can help security professionals stay ahead of these growing threats.