New Infostealer LummaC2 Being Distributed Disguised As Illegal Cracks

A new Infostealer called “LummaC2” is being distributed disguised as illegal programs such as cracks and keygens.

Other malware such as CryptBot, RedLine, Vidar, and RecordBreaker (Raccoon V2) are distributed in a similar manner and have been covered here on ASEC Blog.

It appears that the LummaC2 Stealer has been available for purchase on the dark web since the beginning of this year, and since March, it has been distributed by a threat group disguised as a crack. Although this method of malware distribution is mostly used by RecordBreaker (Raccoon V2), LummaC2 Stealer is also being discovered from time to time. The LummaC2 Stealer was first discovered on March 3rd, and additional distributions were confirmed on the 12th and 20th of the same month, indicating an approximate activity rate of once a week.


#Distribution Method

Users searching for a crack or serial key for popular software are led to a malicious website. After clicking the Download button on this website, users are redirected several times before arriving at the page where the malware is distributed. When users access the URL displayed on the web page or click the Download button, they download the malware in a compressed format. The download may be served from the threat actor’s own server or from file-hosting services such as MediaFire or MEGA.

The first sample distributed through this method downloads a compressed file called “NewSetupV4-Pass-55551.rar”, which contains another compressed file named “setup.rar”. Upon decompression, “setup.rar” creates LummaC2 disguised as “setupfile.exe”.

Based on the filename of the distributed file, the team presumes that it was downloaded from the webpage depicted in the figure below. Currently, the Vidar malware is being distributed from this page.

Figure 1. Example of malware distribution page

To date, LummaC2 has had three different forms when distributed as a crack. Below are details on the primary samples of each type.

  1. Type that has the same appearance as CryptBot and also installs ClipBanker

    • Compressed filename: NewFileV1-Pass_10101.rar
    • Executable filename: setup.exe
    • MD5: 3f4533e8364f96b90d7fcb413fc8b57c
    • File size: 328,476,672 bytes
    • Timestamp: 2023/03/04 05:22:08 UTC

  2. Type that downloads a malicious DLL from a C2

    • Compressed filename: FullFile1-2022-PasS.rar
    • Executable filename: Setup.exe
    • MD5: 9355477f043a6c5c01fcb4cc6a2ea851
    • File size: 779,218,610 bytes
    • Timestamp: Manipulated; collected on 2023/03/12 11:02:59 KST

  3. Type where the distribution file itself is LummaC2

    • Compressed filename: NewSetupV4-Pass-55551.rar
    • Executable filename: setupfile.exe
    • MD5: 4589fa36cb0a7210fe79c9a02966a320
    • File size: 762,345,984 bytes
    • Timestamp: 2023/03/02 10:32:26 UTC

The LummaC2 samples have the following characteristics.

#Analysis Disruption

  • String obfuscation

The malware obfuscates its strings by inserting multiple “edx765” strings between the strings used for its malicious behavior.

Figure 2. Obfuscated strings

  • Code obfuscation

By modifying the values of specific variables and using numerous conditional and jump statements across most of the code, the malware controls its execution flow. This is presumed to have been done to hinder analysis.

Figure 3. Example of code obfuscation

  • Dynamic API calls

When APIs related to malicious behavior are needed, the malware uses neither the Import Table nor GetProcAddress; instead, it accesses the already-loaded target DLL directly to obtain the API address. The malware holds only a value calculated from the function name and looks for the function whose name yields the same value among the names defined in the Export Table of the target DLL. This is a method often used by malware to hide the APIs used in its activities.

Figure 4. Dynamic API calls
  • Anti-sandbox

In the early stage of execution, there are 3 functions that appear to serve an anti-sandbox purpose. When certain conditions are met in each function, an infinite-loop function is executed that crashes and terminates the process.

  1. DLL Loading Check

A crash occurs when a DLL named “ters-alreq-std-v19.dll” is successfully loaded. This DLL does not exist on ordinary systems and is assumed to be used either to evade certain analysis environments (such as sandboxes) or as a kill switch.

Figure 5. DLL loading check

  2. Sleep Function Evasion Check

The Sleep() and GetSystemTimeAsFileTime() functions are used to check the time elapsed between Sleep calls. A crash occurs if the Sleep function is ignored.

Figure 6. Sleep evasion check

  3. Account Name and Computer Name Check

A crash occurs if a value calculated from the account name and the computer name matches a certain value. The compared values are 0x56CF7626 and 0xB09406C7, which have been confirmed to correspond to “JohnDoe” and “HAL9TH” respectively. These account and computer names are known values of the Windows Defender emulator environment. This feature is also included in the Vidar malware being distributed in the same attack.

However, this function does not run correctly. While the username check is implemented correctly, the computer name string length is compared against the value 7 instead of 6 (unlike GetUserNameW, the GetComputerNameW function does not include the null character in the returned string length). This is believed to be an error on the malware creator’s side.

Figure 7. Code to check the computer name

If this feature had been implemented as the threat actor intended, a crash would have occurred in environments with matching computer and account names.


#C2 Communication

The reception of commands or configuration values from a C2 has not been confirmed. The theft targets are determined by the malware itself and differ slightly with each distributed sample.

After the information is collected, it is compressed into a ZIP archive and transferred as follows. An HTTP POST request is sent to the C2, where the path is “/c2sock” and the User-Agent is “TeslaBrowser/5.5”.

Figure 8. Example of data transmitted to the C2

“hwid” is the unique identifier for the infected PC, and a number from 1 to 3 is assigned to “pid” according to the type of information that is stolen. “lid” is presumed to be the Lumma ID and is most likely used as the distributed malware’s campaign identifier. The Lumma IDs used in distribution so far are as follows.

  • iOqpIq
  • RIIoQe–p5
  • RIIoQe–p10

The following information is included among the data that is sent to the C2. This string is assumed to be the name and build version of the malware. The recently (March 20) distributed sample also has the same build version.

“LummaC2, Build 20233101”

Figure 9. Code that generates C2 transfer data
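The network indicators above (POST to “/c2sock”, User-Agent “TeslaBrowser/5.5”, and the hwid/pid/lid fields) can be turned into a simple log check. The following Python is an added example, not code from the ASEC post; the proxy-log layout and the form-encoded POST body are constructed assumptions, since the exact body format of Figure 8 is not reproduced here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post: POST to "/c2sock" with User-Agent "TeslaBrowser/5.5".
C2_PATH = "/c2sock"
C2_USER_AGENT = "TeslaBrowser/5.5"
# Lumma IDs ("lid") listed in the post, copied verbatim.
KNOWN_LIDS = {"iOqpIq", "RIIoQe–p5", "RIIoQe–p10"}

# Assumed (constructed) log layout:  client method url "user-agent" [body]
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"(?: (?P<body>.*))?$'
)

# Constructed sample lines; 82.118.23.50 is the C2 address given in the post.
LOG_LINES = [
    '10.0.0.5 GET http://example.com/index.html "Mozilla/5.0"',
    '10.0.0.7 POST http://82.118.23.50/c2sock "TeslaBrowser/5.5" hwid=ABCD1234&pid=1&lid=iOqpIq',
    '10.0.0.9 POST http://example.net/c2sock "Mozilla/5.0" a=b',
]


def classify_line(line):
    """Return a finding dict when a line matches the LummaC2 C2 pattern, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    path_hit = m["method"] == "POST" and url.path == C2_PATH
    ua_hit = m["ua"] == C2_USER_AGENT
    if not (path_hit or ua_hit):
        return None
    # Assumed form-encoded body; real samples may encode the fields differently.
    fields = {k: v[0] for k, v in parse_qs(m["body"] or "").items()}
    return {
        "client": m["client"],
        "host": url.hostname,
        # Both indicators together -> confident match; one alone -> worth a look.
        "verdict": "lummac2_c2" if path_hit and ua_hit else "suspicious",
        "hwid": fields.get("hwid"),
        "pid": fields.get("pid"),
        "lid": fields.get("lid"),
        "known_campaign": fields.get("lid") in KNOWN_LIDS,
    }


def scan(lines):
    """Run classify_line over log lines and keep only the findings."""
    return [f for f in map(classify_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```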

#Targeted for Theft

The analysis of the information targeted for theft based on the execution flow and strings is as follows. The theft target list can differ per sample.

  1. Browser Data
    Chrome, Chromium, Edge, Kometa, Opera Stable, Opera GX Stable, Opera Neon, Brave-Browser, Comodo Dragon, CocCoc, Firefox
  2. Browser Extensions
    MetaMask, MetaMask, TronLink, RoninWallet, BinanceChainWallet, Yoroi, Nifty, Math, Coinbase, Guarda, EQUAL, JaxxLiberty, BitApp, iWlt, EnKrypt, Wombat, MEWCX, Guild, Saturn, NeoLine, Clover, Liquality, TerraStation, Keplr, Sollet, Auro, Polymesh, ICONex, Nabox, KHC, Temple, TezBox, DAppPlay, BitClip, SteemKeychain, NashExtension, HyconLiteClient, ZilPay, Coin98, Authenticator, Cyano, Byone, OneKey, Leaf, Authy, EOSAuthenticator, EOSAuthenticator, GAuthAuthenticator, TrezorPasswordManager, Phantom, MetaMask, MetaMask, TronLink, RoninWallet, BinanceChainWallet, Coinbase, GAuthAuthenticator, EOSAuthenticator, GAuthAuthenticator, TrezorPasswordManager, Coinbase, MetaMask, MetaMask, TronLink, RoninWallet, BinanceChainWallet, TrezorPasswordManager
  3. Cryptocurrency Wallet Programs
    Binance, Electrum, Ethereum, Exodus, Ledger Live, Atomic, Coinomi
  4. Screenshots
  5. All txt files up to 2 folders deep in the %UserProfile% directory
  6. System Information
  7. Installed Program Information
  8. Email Clients
    Windows Mail, The Bat, Thunderbird, Pegasus, Mailbird, eM Client
  9. Other Applications
    AnyDesk, FileZilla, KeePass, Steam, Telegram

[IOC Info]

  • MD5

4589fa36cb0a7210fe79c9a02966a320 (Infostealer/Win.LummaC2.C5394249, 2023.03.13.02)
3f4533e8364f96b90d7fcb413fc8b57c (Infostealer/Win.CryptBot.C5360421, 2023.01.18.00)
9355477f043a6c5c01fcb4cc6a2ea851 (Infostealer/Win.LummaC2.C5394246, 2023.03.13.02)
d2203e004c5b22e2d6a84fcbef36c454 (Infostealer/Win.LummaC2.R562894, 2023.03.15.04)
a4c1335750fa105529f1ddea90b54117 (Infostealer/Win.LummaC2.R562894, 2023.03.21.03)
bf0b20fd593a5e886afef2cad348b079 (Trojan/Win.Generic.C5397321, 2023.03.20.00)
86c8d08a436374893e2280e05aec2f26 (Trojan/Scrip.Clipbanker, 2023.03.21.03)

  • C2

hxxp://82.118.23.50/c2sock
