LummaC2 is an Infostealer that is being actively distributed, disguised as illegal programs (e.g. cracks, keygens, and game hacking programs) available from distribution websites, YouTube, and LinkedIn using the SEO poisoning technique. Recently, it has also been distributed via search engine ads, posing as web pages of Notion, Slack, Capcut, etc.
The malware’s execution method has been constantly changing, with the current versions distributed either as a single EXE file or as a compressed file containing a malicious DLL and the legitimate EXE that runs it by using the DLL side-loading technique.
Figure 1. Distributing as a singular EXE file (left) and distributing as a DLL file and exe (right)
- Reference: Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking)
As shown above, LummaC2 changes constantly, and its latest variant has been found abusing Steam (a video game platform) to acquire its C2 domains. Previously, the C2 information was embedded in the samples themselves. The latest variant instead abuses a legitimate website, which lets the threat actor switch the C2 to a domain of their choice at any moment they wish.
This method is similar to the tactics used by Vidar, which has a history of abusing various legitimate platforms such as Steam, TikTok, Mastodon, and Telegram to acquire the C2 information. To learn more about this case, see the relevant post below.
- Reference: Vidar Stealer Exploiting Various Platforms
Figure 2. The Steam page abused by LummaC2 (left) and the page abused by Vidar (right)
Steam is a legitimate domain with a substantial user base, meaning that threat actors can use it to reduce suspicions and easily change to another C2 when their current one is compromised. By doing so, they can potentially increase the success rate of attacks.
Upon execution, LummaC2 decrypts its internally encrypted strings to retrieve the C2 domain information. The strings are encoded with Base64 and a custom algorithm, and each sample contains 8-10 C2 domains on average.
Figure 3. Encrypted C2 domains
Figure 4. C2 domain decryption codes
If the sample cannot reach any of the C2 domains it holds, it falls back to the Steam connection routine. Unlike the C2 domains, the Steam URL is stored inside the executable code and is decrypted with a different algorithm.
Figure 5. Decrypting a Steam URL
hxxps://steamcommunity.com/profiles/76561199724331900
This Steam URL is a Steam account profile page, likely created by the threat actor. After loading the page, the sample parses the “actual_persona_name” tag to obtain a string and decrypts it with a Caesar cipher to obtain the C2 domain. This differentiates it from the Steam page used by Vidar, where the C2 is written in plaintext.
Figure 6. Steam account page source
Figure 7. Steam account name string decryption codes
cptyqzcnpotcpnezcjho.dsza → reinforcedirectorywd.shop
The samples that surfaced via the same distribution method have all used a single Steam account page. The C2 domain obtained from this page has so far remained the same, but it can change at any time at the threat actor’s discretion.
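The decoding routine described above, written out as an added analyst-side example (not the malware's code and not ASEC's): it pulls the persona name out of a profile page, recovers the Caesar shift from the known pair shown above, and returns the C2 host so it can be blocked or hunted for. The HTML fragment is constructed, and the exact markup around the “actual_persona_name” value is an assumption.

```python
import re
from html import unescape
from typing import Optional

# Constructed sample of the profile page markup. Only the persona-name element
# matters; the surrounding tags and the class-attribute layout are assumed.
SAMPLE_STEAM_HTML = """
<div class="profile_header_centered_persona">
  <span class="actual_persona_name">cptyqzcnpotcpnezcjho.dsza</span>
</div>
"""

# Shift derived from the pair on the page: 'c' -> 'r' is a backward shift of 11.
DEFAULT_SHIFT = 11


def extract_persona_name(html: str) -> Optional[str]:
    """Return the text of the actual_persona_name element, or None if absent."""
    m = re.search(r'class="actual_persona_name"[^>]*>([^<]+)<', html)
    return unescape(m.group(1)).strip() if m else None


def caesar_decrypt(text: str, shift: int = DEFAULT_SHIFT) -> str:
    """Shift every ASCII letter backwards by `shift`; '.', '-' and digits pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def derive_shift(ciphertext: str, plaintext: str) -> int:
    """Recover the shift from one known pair, requiring it to hold for every letter."""
    shifts = {(ord(c) - ord(p)) % 26
              for c, p in zip(ciphertext, plaintext)
              if c.isalpha() and p.isalpha()}
    if len(shifts) != 1:
        raise ValueError("not a single-shift Caesar mapping")
    return shifts.pop()


def recover_c2(html: str, shift: int = DEFAULT_SHIFT) -> Optional[str]:
    """Persona name -> decrypted C2 host; None when the page has no persona element."""
    name = extract_persona_name(html)
    return caesar_decrypt(name, shift) if name else None


if __name__ == "__main__":
    print(recover_c2(SAMPLE_STEAM_HTML))  # reinforcedirectorywd.shop
```

Running `recover_c2` periodically against the profile page and diffing the result is a cheap way to notice when the operator rotates the C2.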
After this step, the malware connects to the actual C2, downloads the encrypted settings JSON file and decrypts it. It then carries out its malicious behaviors according to the details in the settings. With the current settings, the malware steals wallet program data, browser-stored data, password manager data, TXT files from user directories, messenger program data, FTP program data, VPN program data, remote access program data, note-taking program data, email program data, and browser extension (crypto wallet) data, and sends them to the C2.
Figure 8. A part of LummaC2 settings JSON
The list of programs targeted for infostealing extracted from the settings data is as follows:
Programs targeted for infostealing
[Application]
Wallets/Ethereum
Wallets/Exodus
Wallets/Ledger Live
Wallets/Atomic
Wallets/Coinomi
Wallets/Authy Desktop
Wallets/Bitcoin core
Wallets/Binance
Wallets/JAXX New Version
Wallets/Electrum
Wallets/Electrum-LTC
Wallets/ElectronCash
Wallets/Guarda
Wallets/DashCore
Wallets/Wasabi
Wallets/Daedalus
Chrome
Chrome Beta
Opera
Opera Neon
Opera GX Stable
Edge
Brave
EpicPrivacyBrowser
Vivaldi
Maxthon
Iridium
AVG Secure Browser
QQBrowser
360Browser
ZiNiao Browser
CentBrowser
Chedot
CocCoc
Mozilla Firefox
Waterfox
Pale Moon
Applications/KeePass
Applications/1Password
Applications/Bitwarden
Applications/NordPass
Important Files/Profile (TXT files containing the keywords seed, pass, ledger, trezor, metamask, bitcoin, words, and wallet in the user directory)
Important Files/Desktop (TXT files in desktop)
Applications/Telegram
Applications/Telegram
Applications/Telegram
Applications/FileZilla
Applications/TotalCommander
Applications/AnyClient
Applications/3D-FTP
Applications/SmartFTP
Applications/FTPGetter
Applications/FTPbox
Applications/FTPInfo
Applications/FTPRush
Applications/FTP Commander Deluxe
Applications/FTP Manager Lite
Applications/Auto FTP Manager
Applications/OpenVPN
Applications/NordVPN
Applications/ProtonVPN
Applications/AnyDesk
Applications/Azure
Applications/Azure
Applications/Azure
Notes (MicrosoftStickyNotes)
Notes/Notezilla
Mail Clients/TheBat
Mail Clients/Pegasus
Mail Clients/Mailbird
Mail Clients/EmClient
[Browser Extension]
MetaMask
1Password
Braavos
Argent X
Coinhub
Leap Wallet
Safepal
LastPass
Ronin Wallet
Evernote
MultiversX Wallet
ForniterWallet
Fluvi Wallet
Glass Wallet
Morphis Wallet
XVerse Wallet
Compas Wallet
Havah Wallet
Sui Wallet
Venom Wallet
MetaMask
Trust Wallet
TronLink
Ronin Wallet
OKX
Binance Chain Wallet
Yoroi
Nifty
Math
Coinbase
Guarda
EQUA
Jaxx Liberty
BitApp
iWlt
EnKrypt
Wombat
MEW CX
Guild
Saturn
NeoLine
Clover
Rabby
Pontem
Martian
Bitwarden
Nami
Petra
Sui
ExodusWeb3
Sub
PolkadotJS
Talisman
CryptoCom
Liquality
Terra Station
Keplr
Sollet
Auro
Polymesh
ICONex
Nabox
KHC
Temple
TezBox
DAppPlay
BitClip
Steem Keychain
Nash Extension
Hycon Lite Client
ZilPay
Coin98
Authenticator
Cyano
Byone
OneKey
Leaf
Solflare
Magic Eden
Backpack
Authy
EOS Authenticator
GAuth Authenticator
Trezor Password Manager
Phantom
UniSat
Rainbow
Bitget Wallet
MetaMask
It is crucial for users to exercise caution as threat actors employ diverse tactics to engage in malicious behaviors, including those explained in this post. Even the behavior of accessing legitimate web pages could potentially be a trace of malware infection. Users must be cautious when running files downloaded from untrusted web pages and avoid using illegal programs.
[File Detection]
– Infostealer/Win.LummaC2.C5651462
– Infostealer/Win.LummaC2.C5649883
[IOC Info]
– MD5s
9a8cf58306ed35513e896e573c2a470f (RegisterIdr.dll)
f88602927fbdea9d9fa84f2415676a3c (exe)
– Relevant Data Files
5aa70336af6cdb81bd09749c1b484f70 (workstudy.ics)
9434678b82702b4b2a639ccc5304a527 (paseo.ini)
The post LummaC2 Malware Abusing the Game Platform ‘Steam’ appeared first on ASEC BLOG.