Full Report
LummaC2 is an Infostealer actively being distributed while disguised as illegal software such as cracks, and its distribution and creation methods are changing continuously. It has recently been distributed by being inserted into legitimate programs, so caution is needed.
Figure 1. Malware distribution page examples
When LummaC2 is executed, sensitive information such […]
The post Distribution of LummaC2 Infostealer Based on Legitimate Programs first appeared on ASEC.
Analysis Summary
# Tool/Technique: LummaC2
## Overview
LummaC2 is an actively distributed Infostealer malware known for continuously evolving its distribution and creation methods. It steals sensitive information from compromised systems, including browser credentials, email information, cryptocurrency wallet data, and auto-login program details, sending this data to attacker-controlled C&C servers.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Likely Windows (inferred from process execution and information stolen from standard PC software like browsers and Windows-based credentials/programs)
- Capabilities: Information theft (credentials, crypto wallets), persistence, code injection, sophisticated file disguise.
- First Seen: Not specified in the text.
## MITRE ATT&CK Mapping
Based on its described behavior (stealing data and executing code):
- **TA0009 - Collection**
  - T1005 - Data from Local System
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (via embedding, section expansion)
- **TA0003 - Persistence** (Inferred via execution flow, though specifics are not detailed)
  - T1547.001 - Registry Run Keys / Startup Folder (Inferred, common for stealers)
- **TA0002 - Execution**
  - T1055 - Process Injection (Observed in one sample)
## Functionality
### Core Capabilities
- Stealing account credentials stored in browsers.
- Exfiltrating email information.
- Stealing cryptocurrency wallet information.
- Stealing auto-login program information.
### Advanced Features
- **Sophisticated Disguise:** Current variants are embedded *inside* legitimate files, often by expanding the last section of the legitimate file and injecting malicious code into the modified code area.
- **Resource Masquerading:** Utilizes legitimate file resources (version, icon, signature) of other software (including specific Korean software examples) to appear trustworthy.
- **Code Injection:** In some variants, it executes another process (`choice.exe`) and injects the LummaC2 payload into a legitimate-looking AutoIT file with a `.pif` extension created in the Temp path.
- **Evasion Focus:** The complexity of the embedding suggests the primary goal is to bypass security product detection rather than just deceiving end-users.
## Indicators of Compromise
- File Hashes:
  - 2871fb22369890c609fdb067db060c42
  - 3079439be9235f321baab3ae204a7b8b
  - 4f8ac16139c29a03686004904cf9ce76
  - 5845951ae9a216178404ec2e66d1872c
  - 59d5751d980fae8a556e53a4282c69ed
- File Names: `choice.exe`, files with `.pif` extensions created in the Temp directory.
- Registry Keys: Not specified.
- Network Indicators:
  - hxxps://authorisev[.]site/api
  - hxxps://bakedstusteeb[.]shop/api
  - hxxps://bringlanejk[.]site/api
  - hxxps://conceszustyb[.]shop/api
  - hxxps://contemteny[.]site/api
- Behavioral Indicators: Modification of file structure by expanding sections, execution of legitimate files containing injected code, creation of files with `.pif` extension in Temp directory, process injection into other running processes.
## Associated Threat Actors
- Not explicitly named, but associated with threat actors who trade stolen data on the dark web or use it for secondary hacking attacks.
## Detection Methods
- Signature-based detection: Possible via known file hashes, but mutation is expected due to dynamic embedding techniques.
- Behavioral detection: Crucial for monitoring section expansion, code injection into legitimate processes, and suspicious file creation (e.g., `.pif` files in Temp).
- YARA rules: Not specified, but could target unique embedded code patterns or the C2 communication structure.
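The section-expansion trick described under Advanced Features can be triaged statically. The following Python is an added example written for this summary, not code from ASEC or from the LummaC2 analysis: it parses the PE section table with the standard library and flags a last section that is executable, disproportionately large, or high-entropy. The thresholds and the constructed sample images are assumptions for illustration.

```python
import math, struct
from collections import Counter
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE section Characteristics flag
def parse_sections(pe: bytes):
    """Walk the COFF section table of a PE image (pure standard library)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    off, sections = e_lfanew + 24 + opt_size, []  # section headers follow the optional header
    for _ in range(nsect):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rsize": rsize,
                         "rptr": rptr, "chars": struct.unpack_from("<I", pe, off + 36)[0]})
        off += 40
    return sections

def entropy(buf: bytes) -> float:
    n = len(buf)  # Shannon entropy in bits per byte; values near 8.0 suggest packed or encrypted data
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def last_section_findings(pe: bytes, size_ratio=2.0, entropy_threshold=7.0):
    """Triage a PE whose last section may have been expanded to hold injected code.
    The thresholds are assumed defaults, not values taken from the ASEC report."""
    sections = parse_sections(pe)
    last, others, findings = sections[-1], sections[:-1], []
    raw = pe[last["rptr"]:last["rptr"] + last["rsize"]]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section {last['name']} is marked executable")
    if others and last["rsize"] > size_ratio * max(s["rsize"] for s in others):
        findings.append(f"last section {last['name']} ({last['rsize']} bytes) dwarfs the others")
    if entropy(raw) > entropy_threshold:
        findings.append(f"last section {last['name']} has entropy {entropy(raw):.2f}")
    return findings

def build_sample_pe(sections):
    """Constructed minimal PE-shaped bytes for testing (not a real or malicious binary)."""
    e_lfanew, opt_size = 0x40, 0xE0
    data_off = e_lfanew + 24 + opt_size + 40 * len(sections)
    dos = bytearray(e_lfanew); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = body = b""
    for name, raw, chars in sections:  # (name, raw bytes, Characteristics)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), data_off + len(body), 0, 0, 0, 0, chars)
        body += raw
    return bytes(dos) + coff + bytes(opt_size) + table + body

# Constructed samples: a clean layout, and one whose trailing .rsrc was expanded with executable,
# high-entropy content, modelling the embedding the report describes.
TEXT = (b".text", b"\x90" * 512 + b"\xc3", 0x60000020)
CLEAN = build_sample_pe([TEXT, (b".rsrc", bytes(256), 0x40000040)])
TAMPERED = build_sample_pe([TEXT, (b".rsrc", bytes(range(256)) * 16, 0x60000040)])
```

A hit is a triage signal rather than a verdict: compare the file against a known-good copy of the legitimate program and verify its digital signature before escalating.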
## Mitigation Strategies
- Exercise extreme caution with files downloaded from untrusted web pages.
- Be wary of compressed files distributed with passwords (often used to bypass initial gateway scanning).
- Exercise caution regarding files that possess invalid or unexpected digital signatures.
- Implement robust Endpoint Detection and Response (EDR) capable of monitoring for code injection and file section manipulation.
## Related Tools/Techniques
- Other Infostealers that use sophisticated file packing or embedding techniques to evade static analysis.
- Techniques involving section manipulation and file structure modification (Advanced File Format Manipulation).