Zürich, Switzerland – In recent weeks, the cybersecurity firm Ontinue has detected a surge in activity from a new variant of the LummaC2 malware, known for its information-stealing capabilities. This iteration of LummaC2 uses PowerShell for initial infection, demonstrating a higher level of sophistication than previous versions. By combining obfuscation with process injection, the variant is considerably harder to detect than its predecessors.
The LummaC2 malware, also referred to as the Lumma information stealer, is a C-based malware that has been observed operating as Malware-as-a-Service (MaaS) since 2022. This malicious software is designed to infiltrate targeted systems, extract sensitive data, and transmit it to a command and control server under the control of threat actors.
In January 2024, reports surfaced linking the spread of Lumma to compromised YouTube channels distributing cracked software. This method of dissemination highlights the evolving tactics employed by cybercriminals to propagate malware and target unsuspecting users. Researchers previously identified a version of LummaC2, labeled LummaC2 v4.0, in November 2023. This variant was specifically engineered to employ trigonometric techniques to detect human users, showcasing the adaptability and ingenuity of malicious actors in designing sophisticated malware.
Ontinue’s technical analysis of the new LummaC2 variant sheds light on the malware’s infection process. Initially, the malware runs an encoded PowerShell command that executes a series of steps culminating in the deployment of a second-stage payload. This payload is AES-encrypted and is decrypted with a key embedded in the PowerShell command itself; because the key travels with the loader, a defender who captures the full command line (for example from process-creation logging) can decode and decrypt the second stage without the attacker’s infrastructure. The subsequent phase injects malicious code into the legitimate Windows process “dllhost.exe”, which then handles communication with the command and control server, data exfiltration, command execution, and persistence on the infected system.
The LummaC2 variant communicates with a command and control server at the IP address 188.68.22048, using HTTP POST requests to transmit data and receive instructions. To avoid detection, the malware relies on defence-evasion techniques such as masquerading (running its code inside the trusted dllhost.exe process) and custom User-Agent strings in its HTTP traffic. These measures are intended to evade signature-based controls and prolong the malware’s presence on compromised systems.
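The two stages described above (an encoded PowerShell loader that AES-decrypts a payload and injects into dllhost.exe, then dllhost.exe posting to a C2 with a custom User-Agent) lend themselves to a simple hunt over process-creation and proxy logs. The script below is an added illustration written for this article, not Ontinue’s tooling or the malware’s own code. All log records in it are constructed: the “loader” is a stand-in that only references the same building blocks (a base64 blob, an AES key assigned in the script, dllhost.exe, injection API names), the C2 address is from the 198.51.100.0/24 documentation range, and the process allow-list and the two-indicator threshold are assumptions to tune for your environment.

```python
"""Hunt for a LummaC2-style chain: encoded PowerShell that AES-decrypts a stage
and injects into dllhost.exe, followed by dllhost.exe posting to a C2.
Every event below is constructed for the demonstration."""
import base64
import re

# Indicators looked for inside the *decoded* PowerShell script.
STAGE_INDICATORS = {
    "base64 payload":     re.compile(r"FromBase64String", re.I),
    "AES decrypt":        re.compile(r"AesManaged|Cryptography\.Aes\]|CreateDecryptor", re.I),
    "embedded key":       re.compile(r"\.Key\s*=", re.I),
    "dllhost.exe target": re.compile(r"dllhost\.exe", re.I),
    "injection API":      re.compile(r"VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx", re.I),
}

# Processes we expect to originate HTTP in this (assumed) environment; dllhost.exe is not one of them.
EXPECTED_HTTP_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe"}


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...), so
    match prefixes rather than one spelling."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
            blob = tokens[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def score_powershell(cmdline: str):
    """Names of the stage indicators present in the decoded script (empty if not encoded)."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    return [name for name, rx in STAGE_INDICATORS.items() if rx.search(script)]


def flag_network(event: dict):
    """Reasons an outbound HTTP record looks like C2 beaconing from an injected process."""
    reasons = []
    proc = event["process"].lower()
    if proc not in EXPECTED_HTTP_CLIENTS:
        reasons.append(f"{proc} is not an expected HTTP client")
    if not event["user_agent"].startswith("Mozilla/"):
        reasons.append(f"custom User-Agent {event['user_agent']!r}")
    if event["method"] == "POST" and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", event["host"]):
        reasons.append("POST to a bare IP address")
    return reasons


# Constructed stand-in for the loader (not the real sample): base64 blob, AES with the key
# assigned inside the script, dllhost.exe as the target, and injection API names.
STAGE1 = (
    "$k=[Convert]::FromBase64String('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=');"
    "$aes=[System.Security.Cryptography.Aes]::Create();$aes.Key=$k;$dec=$aes.CreateDecryptor();"
    "$p=Start-Process dllhost.exe -PassThru;$api='WriteProcessMemory','CreateRemoteThread';"
)

PROCESS_EVENTS = [  # constructed process-creation records (Sysmon Event ID 1 / Security 4688 style)
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {encode_for_powershell(STAGE1)}"},
    {"image": "powershell.exe", "parent": "ccmexec.exe",  # benign encoded admin script
     "cmdline": f"powershell.exe -EncodedCommand {encode_for_powershell('Get-Service | Where-Object Status -eq Running')}"},
    {"image": "powershell.exe", "parent": "cmd.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

NETWORK_EVENTS = [  # constructed proxy / Sysmon Event ID 3 style records
    {"process": "dllhost.exe", "method": "POST", "host": "198.51.100.23", "user_agent": "CustomAgent/1.0"},
    {"process": "msedge.exe", "method": "POST", "host": "login.microsoftonline.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]


def hunt(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    """Return (kind, process, reasons) findings. A single indicator such as FromBase64String
    is common in legitimate admin scripts, so two or more are required for a process hit."""
    findings = []
    for ev in process_events:
        hits = score_powershell(ev["cmdline"])
        if len(hits) >= 2:
            findings.append(("process", ev["image"], hits))
    for ev in network_events:
        reasons = flag_network(ev)
        if reasons:
            findings.append(("network", ev["process"], reasons))
    return findings


if __name__ == "__main__":
    for kind, proc, why in hunt():
        print(f"[{kind}] {proc}: {', '.join(why)}")
```

The decoding step matters more than the regexes: `-enc` payloads are UTF-16LE, so grepping the raw base64 for `dllhost` finds nothing, and the same script can be re-encoded under any of the switch’s prefix spellings. Feed `score_powershell` the full command line from your process-creation source, and treat the indicator set as a starting point that you extend from the decoded scripts you actually see.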
To counter the threat posed by the LummaC2 variant, organizations are advised to deploy and properly configure Endpoint Detection and Response (EDR) solutions. These tools can identify the behaviours seen in this chain: encoded PowerShell launches, code injection into system binaries such as dllhost.exe, abnormal process executions, and unauthorized file modifications. Implementing Attack Surface Reduction (ASR) rules can further enhance security by blocking such behaviours outright; rolling them out in audit mode first shows which legitimate scripts would be affected before enforcement is switched on.
Additionally, Ontinue has compiled a list of Indicators of Compromise (IOCs) associated with the LummaC2 variant, including URLs, IP addresses, and file names. By proactively monitoring and blocking these IOCs, organizations can strengthen their defenses against this evolving malware threat.
In conclusion, the discovery of this new LummaC2 variant underscores the persistent threat posed by information-stealing malware and the importance of implementing robust cybersecurity measures. The insights provided by Ontinue’s research offer valuable information to security professionals, enabling them to stay ahead of evolving cyber threats and safeguard their organizations against malicious actors’ tactics.
