A new Infostealer called “LummaC2” is being distributed disguised as illegal programs such as cracks and keygens.
Other malware such as CryptBot, RedLine, Vidar, and RecordBreaker (Raccoon V2) are distributed in a similar manner and have been covered here on ASEC Blog.
- Modified CryptBot Infostealer Being Distributed
- New Info-stealer Disguised as Crack Being Distributed
- A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks
It appears that the LummaC2 Stealer has been available for purchase on the dark web since the beginning of this year, and since March, it has been distributed by a threat group disguised as a crack. Although this method of malware distribution is mostly used by RecordBreaker (Raccoon V2), LummaC2 Stealer is also being discovered from time to time. The LummaC2 Stealer was first discovered on March 3rd, and additional distributions were confirmed on the 12th and 20th of the same month, indicating an approximate activity rate of once a week.
Users searching for a crack or serial key for a particular popular software are led to a malicious website. After clicking the Download button on this website, users will be redirected several times before arriving at the page where the malware is distributed. When users access the URL displayed on the web page or click the Download button, they will download the malware in a compressed format. This process can occur through the threat actor’s own established server or services such as MediaFire or MEGA.
The first sample distributed through this method downloads a compressed file called “NewSetupV4-Pass-55551.rar”, which contains another compressed file named “setup.rar”. Upon decompression, “setup.rar” creates LummaC2 disguised as “setupfile.exe”.
Based on the filename of the distributed file, the team presumes that it was downloaded from the webpage depicted in the figure below. Currently, the Vidar malware is being distributed from this page.
To date, LummaC2 has had three different forms when distributed as a crack. Below are details on the primary samples of each type.
1. Type that has the same appearance as CryptBot and also installs ClipBanker
   File Size: 328,476,672 Bytes
   Timestamp: 2023/03/04 05:22:08 UTC
2. Type that downloads a malicious DLL from a C2
   File Size: 779,218,610 Bytes
   Timestamp: Manipulated, Collected on 2023/03/12 11:02:59 KST
3. Type where the distribution file itself is LummaC2
   File Size: 762,345,984 Bytes
   Timestamp: 2023/03/02 10:32:26 UTC
The LummaC2 samples have the following characteristics.
- String obfuscation
The malware performed string obfuscation by incorporating multiple “edx765” strings between the strings used for malicious behavior.
- Code obfuscation
By modifying the values of specific variables and using numerous conditional and jump statements throughout most of the code, the malware controls its execution flow. This is suspected to have been done to hinder analysis.
- Dynamic API calls
When APIs related to malicious behaviors are called, the malware uses neither the Import Table nor GetProcAddress; instead, it directly accesses the loaded target DLL to obtain the API address. The malware only holds a value calculated from the function name and searches for the function with the same calculated value among the function names defined in the Export Table of the target DLL. This is a method often used by malware to hide the APIs used in its activities.
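The string obfuscation described above (the "edx765" marker inserted between the strings used for malicious behavior) is easy to undo once the marker is known. The following is an added example written for this post, not code from the sample or from ASEC: it extracts printable strings from a byte buffer the way a strings utility would, removes every "edx765" occurrence, and drops runs that consisted only of the marker. The buffer is constructed here so the example runs offline; only the C2 path and User-Agent values come from the report, the rest of the layout is made up.

```python
from __future__ import annotations
import re

# Marker the report says is inserted between the malware's strings.
MARKER = "edx765"

# Constructed buffer standing in for bytes dumped from an unpacked sample.
# The interleaving pattern is made up; "/c2sock" and "TeslaBrowser/5.5" are
# the values cited in the report, "hwid" is one of the upload field names.
CONSTRUCTED_BLOB = (
    b"\x00\x00/c2sedx765ockedx765\x00\x00"
    b"Teslaedx765Browedx765ser/5.5\x00\x00"
    b"\x90\x90\x90edx765edx765edx765\x00"
    b"hwedx765id\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def deobfuscate(s: str, marker: str = MARKER) -> str:
    """Strip every occurrence of the marker from one extracted string."""
    return s.replace(marker, "")


def recover_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Extract, clean and filter: runs that were only marker padding vanish,
    and cleaned strings shorter than min_len are discarded as noise."""
    recovered = []
    for raw in extract_strings(blob, min_len):
        clean = deobfuscate(raw)
        if len(clean) >= min_len:
            recovered.append(clean)
    return recovered


if __name__ == "__main__":
    for s in recover_strings(CONSTRUCTED_BLOB):
        print(s)
```

Because the marker is removed after extraction rather than before, the printable-run boundaries are the ones the original binary had, so a marker sitting between two unrelated strings does not glue them together.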
In the early stage of execution, there are three functions that appear to serve an anti-sandbox purpose. When the condition in each function is met, a perpetual loop function is executed, crashing and terminating the process.
- DLL Loading Check
A crash occurs when a DLL named “ters-alreq-std-v19.dll” is successfully loaded. This DLL does not exist in ordinary systems and is assumed to be for the purpose of evading certain analysis environments (such as sandboxes) or to be used as a kill switch.
- Sleep Function Evasion Check
The Sleep() and GetSystemTimeAsFileTime() functions are used to check the elapsed time value between Sleep functions. A crash occurs if the Sleep function is ignored.
- Account Name and Computer Name Check
A crash occurs if the value from calculating the account and computer names matches a certain value. The values compared to are 0x56CF7626 and 0xB09406C7, which have been confirmed to be “JohnDoe” and “HAL9TH” respectively. These account and computer names are known as Windows Defender emulator environment values. This feature is also included in the Vidar malware which is being distributed in the same attack.
However, this function does not work correctly. While the username check is implemented correctly, the computer name string length is compared against the value 7 instead of 6 (unlike GetUserNameW, the GetComputerNameW function does not include the null character in the returned string length). This is believed to be an error on the malware creator’s side.
If this feature had been implemented as the threat actor intended, a crash would have occurred in environments with matching computer and account names.
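The length mismatch described above is easiest to see by modelling the two Win32 return conventions side by side. The following is an added illustration for this post, not the sample's code or ASEC's tooling: GetUserNameW is modelled as returning the length including the terminating null, GetComputerNameW as returning it without, and the check is written once as shipped (computer name length compared with 7) and once as intended (compared with 6). The real comparison values 0x56CF7626 and 0xB09406C7 come from a hashing routine the report does not describe, so a stand-in hash is used here; whether both names must match is also an assumption.

```python
from __future__ import annotations

# Emulator values cited in the report.
DEFENDER_USER = "JohnDoe"
DEFENDER_HOST = "HAL9TH"


def stand_in_hash(name: str) -> int:
    """Stand-in for the sample's name-hashing routine (not the real one):
    FNV-1a over the ASCII bytes, used only so the comparison is on a value."""
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def get_user_name_w(username: str) -> tuple[str, int]:
    """Models GetUserNameW: returned length counts the terminating null."""
    return username, len(username) + 1


def get_computer_name_w(hostname: str) -> tuple[str, int]:
    """Models GetComputerNameW: returned length excludes the terminating null."""
    return hostname, len(hostname)


def _names_match(username: str, hostname: str, expected_host_len: int) -> bool:
    """Shared check: lengths are compared first, then the hashed names.
    Assumption: both the account name and the computer name must match."""
    user, ulen = get_user_name_w(username)
    host, hlen = get_computer_name_w(hostname)
    user_hit = (ulen == len(DEFENDER_USER) + 1
                and stand_in_hash(user) == stand_in_hash(DEFENDER_USER))
    host_hit = (hlen == expected_host_len
                and stand_in_hash(host) == stand_in_hash(DEFENDER_HOST))
    return user_hit and host_hit


def check_as_shipped(username: str, hostname: str) -> bool:
    """True means the sample would crash itself. The computer-name branch
    expects length 7, as if the null were counted, so "HAL9TH" (6) never hits."""
    return _names_match(username, hostname, expected_host_len=7)


def check_as_intended(username: str, hostname: str) -> bool:
    """The same check with the length the author evidently meant (6)."""
    return _names_match(username, hostname, expected_host_len=6)


if __name__ == "__main__":
    print("shipped :", check_as_shipped(DEFENDER_USER, DEFENDER_HOST))
    print("intended:", check_as_intended(DEFENDER_USER, DEFENDER_HOST))
```

The shipped variant returns False even in an environment that reports exactly "JohnDoe" / "HAL9TH", which is why the report concludes the check is ineffective as distributed.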
The reception of commands or configuration values from a C2 has not been confirmed. The Infostealer target is designated by the malware itself and differs slightly with each distribution sample.
After the information is collected, it is compressed into a ZIP and transferred using the following method. The HTTP POST method is used when transferring to the C2, where the path is “/c2sock” and the User-Agent is “TeslaBrowser/5.5”.
“hwid” is the unique identifier for the infected PC, and a number from 1 to 3 is assigned to “pid” according to the type of information that is stolen. “lid” is presumed to be the Lumma ID and is most likely used as the distributed malware’s campaign identifier. The Lumma IDs used in distribution so far are as follows.
The following information is included among the data that is sent to the C2. This string is assumed to be the name and build version of the malware. The recently (March 20) distributed sample also has the same build version.
“LummaC2, Build 20233101”
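The upload described above gives a defender three network-visible indicators: the POST path "/c2sock", the User-Agent "TeslaBrowser/5.5", and the build string carried in the data. The following is an added example for this post, not ASEC's detection logic: it runs those indicators over a few constructed proxy log lines and reports why each line matched. The log layout is assumed, and the hwid/pid/lid fields are shown form-encoded only so the parser has something to pull out; the report does not state how the sample encodes them.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the report.
C2_PATH = "/c2sock"
C2_USER_AGENT = "TeslaBrowser/5.5"
BUILD_MARKER = "LummaC2, Build 20233101"

# Constructed proxy log lines (not captured traffic). Assumed layout:
#   <time> <client-ip> <method> <url> ua="<user-agent>" body="<body prefix>"
# Addresses are documentation ranges; hwid/lid values are placeholders.
SAMPLE_LOG = """\
2023-03-12T11:03:10Z 10.0.0.5 POST http://203.0.113.10/c2sock ua="TeslaBrowser/5.5" body="hwid=AB12&pid=1&lid=placeholder"
2023-03-12T11:03:11Z 10.0.0.5 POST http://203.0.113.10/c2sock ua="TeslaBrowser/5.5" body="hwid=AB12&pid=2&lid=placeholder"
2023-03-12T11:03:12Z 10.0.0.7 GET http://198.51.100.20/index.html ua="Mozilla/5.0" body=""
2023-03-12T11:03:13Z 10.0.0.9 POST http://198.51.100.30/upload ua="curl/8.0.1" body="LummaC2, Build 20233101"
2023-03-12T11:03:14Z 10.0.0.9 POST http://198.51.100.30/c2sock ua="Mozilla/5.0" body="hwid=ZZ99&pid=3&lid=placeholder"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)" body="([^"]*)"$')


def match_line(line: str) -> dict | None:
    """Return a hit record for one log line, or None if no indicator fires."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua, body = m.groups()
    parsed = urlparse(url)
    reasons = []
    if method == "POST" and parsed.path == C2_PATH:
        reasons.append("path")
    if ua == C2_USER_AGENT:
        reasons.append("user-agent")
    if BUILD_MARKER in body:
        reasons.append("build-marker")
    if not reasons:
        return None
    # Pull the upload fields when the body happens to be form-encoded.
    fields = {k: v[0] for k, v in parse_qs(body).items() if k in ("hwid", "pid", "lid")}
    return {"time": ts, "client": client, "dst": parsed.hostname,
            "reasons": reasons, "fields": fields}


def find_beacons(log: str) -> list[dict]:
    """Scan a whole log and return every line that matched at least one indicator."""
    return [hit for hit in (match_line(l) for l in log.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit["client"], "->", hit["dst"], hit["reasons"], hit["fields"])
```

Each indicator is scored separately so that a path-only or User-Agent-only hit still surfaces; the third and fifth constructed lines show the partial matches a tuned rule would want to review rather than drop.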
# Targeted for Theft
The analysis of the information targeted for theft based on the execution flow and strings is as follows. The theft target list can differ per sample.
- Browser Data
Chrome, Chromium, Edge, Kometa, Opera Stable, Opera GX Stable, Opera Neon, Brave-Browser, Comodo Dragon, CocCoc, Firefox
- Browser Extensions
MetaMask, TronLink, RoninWallet, BinanceChainWallet, Yoroi, Nifty, Math, Coinbase, Guarda, EQUAL, JaxxLiberty, BitApp, iWlt, EnKrypt, Wombat, MEWCX, Guild, Saturn, NeoLine, Clover, Liquality, TerraStation, Keplr, Sollet, Auro, Polymesh, ICONex, Nabox, KHC, Temple, TezBox, DAppPlay, BitClip, SteemKeychain, NashExtension, HyconLiteClient, ZilPay, Coin98, Authenticator, Cyano, Byone, OneKey, Leaf, Authy, EOSAuthenticator, GAuthAuthenticator, TrezorPasswordManager, Phantom
- Cryptocurrency Wallet Programs
Binance, Electrum, Ethereum, Exodus, Ledger Live, Atomic, Coinomi
- All txt files up to 2 folders deep in the %UserProfile% directory
- System Information
- Installed Program Information
- Email Clients
Windows Mail, The Bat, Thunderbird, Pegasus, Mailbird, eM Client
- Other Applications
AnyDesk, FileZilla, KeePass, Steam, Telegram
4589fa36cb0a7210fe79c9a02966a320 (Infostealer/Win.LummaC2.C5394249, 2023.03.13.02)
3f4533e8364f96b90d7fcb413fc8b57c (Infostealer/Win.CryptBot.C5360421, 2023.01.18.00)
9355477f043a6c5c01fcb4cc6a2ea851 (Infostealer/Win.LummaC2.C5394246, 2023.03.13.02)
d2203e004c5b22e2d6a84fcbef36c454 (Infostealer/Win.LummaC2.R562894, 2023.03.15.04)
a4c1335750fa105529f1ddea90b54117 (Infostealer/Win.LummaC2.R562894, 2023.03.21.03)
bf0b20fd593a5e886afef2cad348b079 (Trojan/Win.Generic.C5397321, 2023.03.20.00)
86c8d08a436374893e2280e05aec2f26 (Trojan/Scrip.Clipbanker, 2023.03.21.03)