Distribution of LummaC2 Infostealer Based on Legitimate Programs

LummaC2 is an Infostealer actively being distributed while being disguised as illegal software such as cracks, and its distribution and creation methods are changing continuously. It has recently been distributed by being inserted into legitimate programs, so caution is needed.

Figure 1. Malware distribution page examples

When LummaC2 is executed, sensitive information such as account credentials stored in browsers, email information, cryptocurrency wallet information, and auto-login program information is sent to the attacker’s C&C server. The stolen information may be traded on the dark web or used for additional hacking attacks, leading to secondary damage. Information stolen from personal PCs is also regularly used to breach corporate systems.

Previously, malware strains were usually built with malware-specific builders and disguised only in their resource parts, such as version and icon information, to appear as legitimate files. Because the internal code and data were completely different despite the seemingly normal resources, such files could be easily identified.

However, the type currently being distributed is created by inserting malware strains into certain parts of legitimate files. In such cases, most of the file’s content and structure are identical to legitimate files, making it difficult for users to detect the malware.

Figure 2. Modified code (left: malicious, right: legitimate)

Threat actors can increase the size of the last section of a legitimate file to insert a large amount of code and data, modifying a part of the code area to execute the inserted code. The created malware is disguised using resource information such as the version, icon, and certificate of another legitimate file.

Unlike modifying resource areas unrelated to execution, expanding sections and modifying code areas are complex processes as one has to take many points such as branch structure, thread execution flow, and the size of the original code into consideration. Nevertheless, threat actors seem to use this method to increase the chances of infection.
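The section-grafting pattern described above lends itself to a simple static triage check. The following is an added example, not AhnLab's tooling and not code from the samples: a minimal PE section-table parser with three heuristics (a writable and executable last section, a last section far larger than the rest, and an entry point inside the last section), run against two constructed header-only images whose section layouts are assumptions.

```python
import struct
EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_* flags
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, rawsize, chars), ...]) from PE32/PE32+ bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(errors="replace"), f[2], f[1], f[3], f[9]))
    return entry_rva, sections

def last_section_findings(data, size_ratio=4.0):
    """Triage heuristics for code/data grafted into a PE's last section (indicators, not proof)."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return []
    name, vaddr, vsize, rawsize, chars = sections[-1]
    findings = []
    if chars & EXEC and chars & WRITE:
        findings.append(f"last section {name!r} is writable and executable")
    others = [s[3] for s in sections[:-1]]
    if others and rawsize > size_ratio * max(others):
        findings.append(f"last section {name!r} raw size {rawsize:#x} dwarfs the other sections")
    if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
        findings.append(f"entry point {entry_rva:#x} lies inside last section {name!r}")
    return findings

def build_pe(sections, entry_rva):
    """Constructed PE32 header image (headers only, not executable) used as sample input."""
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    opt[0:2], opt[16:20] = struct.pack("<H", 0x10B), struct.pack("<I", entry_rva)  # PE32 magic, entry
    hdrs = b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

RX, R = EXEC | READ, READ
BASE = [(".text", 0x1000, 0x3000, 0x3000, RX), (".rdata", 0x4000, 0x1000, 0x1000, R)]
CLEAN = build_pe(BASE + [(".rsrc", 0x5000, 0x800, 0x800, R)], entry_rva=0x1100)
# Same layout, but .rsrc grown to 256 KB and made writable+executable, mimicking the grafted samples
GRAFTED = build_pe(BASE + [(".rsrc", 0x5000, 0x40000, 0x40000, RX | WRITE)], entry_rva=0x1100)
```

Calling `last_section_findings(GRAFTED)` returns two findings while `last_section_findings(CLEAN)` returns none; on real files, treat hits as a reason to pull the sample for sandboxing and signature verification, not as a verdict.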

Figure 3. Modified function call (left: malicious, right: legitimate)

It is likely that the threat actors are randomly selecting easily accessible programs to create malware strains. Recently, a malware strain disguised as well-known Korean software was distributed.

Figure 4. An example of malware disguised as well-known Korean software

The first sample had malware inserted into a widely used audio editing program and borrowed the version information and (invalid) signature of a Korean audio player program along with the icon of a Korean open-source image editing program.

When the malware is executed, it runs choice.exe and injects code into it. It then creates and runs a legitimate AutoIt file with a ‘.pif’ extension in the Temp path and injects the LummaC2 malware into it.

Figure 5. Process execution flow

The second sample combines the file content, certificate, version, and icon of several different legitimate programs. When it is run, LummaC2 executes directly, without a complex injection process.

As the samples show, threat actors are distributing intricately disguised malware strains, and the methods used to hide the malware are constantly evolving. This change is interpreted as an attempt to hinder detection by security companies rather than to deceive users. At AhnLab, the process of collecting, analyzing, and diagnosing malware distributed in this manner is automated: samples are collected as soon as a malware strain is executed, and the C&C server is analyzed and blocked.

Files downloaded from untrusted web pages, files delivered in password-protected archives, and files with invalid signatures may turn out to be malware, so special caution is needed.
