
LummaC2 Malware Utilizing Steam Gaming Platform as C2 Server


Cybersecurity experts recently discovered a more advanced variant of the LummaC2 malware that has taken a unique approach by using the Steam gaming platform as a Command-and-Control (C2) server. This updated method represents a significant evolution in the malware’s distribution and operational techniques, posing a greater threat to users and organizations globally.

LummaC2 is an information-stealing malware that disguises itself as illegal software such as cracks, keygens, and game hacks. These malicious files are circulated through various channels, including distribution sites, YouTube, LinkedIn, and search engine advertisements placed using SEO poisoning tactics. More recently, the malware has also been camouflaged as legitimate applications such as Notion, Slack, and CapCut, expanding its pool of potential targets.

According to reports from AhnLab's ASEC, LummaC2 was initially distributed either as a single executable (EXE) file or via DLL side-loading, a technique in which a malicious DLL is packaged together with a legitimate EXE that loads it, so the payload executes under the cover of a trusted process. In its latest iteration, the malware has adopted a new strategy: it leverages the popular Steam gaming platform to obtain its C2 domain information.

By abusing Steam in this way, LummaC2 can change its C2 domain dynamically, which improves its resilience against takedowns and helps it evade detection. The technique is reminiscent of the Vidar malware, which has a history of using legitimate platforms such as TikTok, Mastodon, and Telegram for the same purpose.

Upon execution, LummaC2 decrypts its encrypted strings to extract the embedded C2 domain information. If none of the embedded C2 domains is reachable, the malware falls back to a Steam connection routine: it retrieves a Steam URL embedded in its executable code, which points to a Steam account profile page created by the attacker. From that page the malware obtains a string and decodes it with a Caesar cipher to reveal the C2 domain.

Using a legitimate platform like Steam gives LummaC2 the flexibility to change C2 domains easily, reducing suspicion and increasing its success rate. Once the domain is decoded, the malware connects to the C2 server, downloads an encrypted JSON settings file, and carries out its malicious activities according to those settings, including stealing information from various programs and sources.
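The fallback described above gives an analyst something concrete to work with: a captured profile page and an unknown Caesar shift. The following Python is an added example (not code from the article or from AhnLab's report) that extracts the carrier string from a profile page and tries every shift, keeping only decodes that end in a plausible TLD; it assumes the carrier string is the profile name, and the HTML and the domain it hides are constructed for the demo.

```python
import re
from string import ascii_lowercase, ascii_uppercase

# Constructed sample of a captured profile page; the persona name is assumed
# to be the carrier string (Caesar shift 3 of a placeholder domain).
SAMPLE_PROFILE_HTML = """
<html><body>
<div class="profile_header">
  <span class="actual_persona_name">vwhdpidooedfn.hadpsoh</span>
</div>
</body></html>
"""

# Only decodes ending in a plausible TLD are kept, since every shift of an
# all-letter string still "looks like" a hostname. Extend the list as needed.
KNOWN_TLDS = {"com", "net", "org", "info", "xyz", "top", "site", "online",
              "example", "invalid", "test"}
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def extract_carrier_string(html):
    """Return the persona name from the profile HTML, or "" if absent."""
    m = re.search(r'class="actual_persona_name">([^<]+)<', html)
    return m.group(1).strip() if m else ""


def caesar_shift(text, shift):
    """Shift letters by `shift` (negative to decode); other chars pass through."""
    out = []
    for ch in text:
        if ch in ascii_lowercase:
            out.append(ascii_lowercase[(ascii_lowercase.index(ch) + shift) % 26])
        elif ch in ascii_uppercase:
            out.append(ascii_uppercase[(ascii_uppercase.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def recover_c2_candidates(html):
    """Try all 26 shifts; return (shift, domain) pairs that pass the checks."""
    carrier = extract_carrier_string(html)
    hits = []
    for shift in range(26):
        decoded = caesar_shift(carrier, -shift).lower()
        if DOMAIN_RE.match(decoded) and decoded.rsplit(".", 1)[1] in KNOWN_TLDS:
            hits.append((shift, decoded))
    return hits
```

The recovered domain can then be fed to proxy and DNS logs to find hosts that resolved it, and the Steam profile URL itself is worth alerting on when it is requested by a process that is not the Steam client.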

LummaC2's use of Steam as a C2 server marks a significant escalation in cyber threats. By relying on a widely used, legitimate platform, attackers can manage C2 domains dynamically, making it harder for security systems to detect and block the malware. This underscores the need for heightened vigilance and robust security measures to counter evolving threats effectively.

To mitigate the risks posed by LummaC2 and similar malware, users and organizations are advised to refrain from downloading illegal software, use reputable security software, keep all programs updated, educate users about safe online practices, and deploy network monitoring tools. Following these recommendations helps individuals and organizations strengthen their defenses against sophisticated threats like LummaC2.
