LummaC2 Stealer: A Potent Threat To Crypto Users
Published 03/21/2023
Originally published by Cyble.
New Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsers
During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.
The figure below shows the dark web post by the Threat Actors.
Figure 1 – Dark Web Post for LummaC2 Stealer
The post also mentioned the link to LummaC2 Stealer’s seller website, which is written in Russian. The website also offers various purchasing options for potential Threat Actors(TAs), with prices ranging from $250 to $20000 depending on the plan.
The image below shows the website where the stealer is available for sale.
Figure 2 – LummaC2 Stealer Sellers Website
In addition, Threat Actors (TAs) behind the LummaC2 Stealer have created two Telegram channels in Russian: one for sharing information about the stealer and one for reporting bugs in the malware.
Figure 3 – Telegram Post by the Threat Actors
The researchers at CRIL found two active Command and Control servers connected to the LummaC2 Stealer.
The figure below illustrates the IP addresses of these servers, one located in Bulgaria and the other in Germany.
Figure 4 – LummaC2 Stealer C&C IPs
The figure below shows the login page of the LummaC2 Stealer’s Command and Control (C&C) server.
Figure 5 – LummaC2 C&C panel Login Page
Technical Details
The LummaC2 Stealer is a 32-bit GUI type executable with sha256 d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264.
The figure below shows the additional file details of the LummaC2 stealer executable.
Figure 6 – File Details of LummaC2 Stealer
Detection Evasion:
The stealer has many Obfuscated strings that are being covered by a random string, “edx765”, to evade detection. Upon execution, the stealer passes the obfuscated string to a function that strips the random string and delivers the original string.
The figure below shows the routine for string manipulation.
Figure 7 – Assembly Code to Replace the edx765 String
Collects System Information:
After getting the required strings, the malware resolves the APIs. It starts extracting multiple pieces of information from the system, including LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory. The malware stores this information in the memory under the name system.txt.
The below figure shows the code snippet of malware for collecting system information.
Figure 8 – System Information Extracted by the Stealer
File Grabber:
The stealer now enumerates the %userProfile% directory and grabs .txt files from the Victims machine. These grabbed files are stored in the memory under the name “Important Files/Profile” for exfiltration.
Wallets:
The stealer also targets crypto wallets such as Binance, Electrum, and Ethereum and collects sensitive information from the victim’s machine. The below figure shows the code snippet of stealers targeting crypto wallets.
Figure 9 – The Stealer Targeting Wallets
After collecting the victim’s wallet and system details, the stealer sends this information to its C&C server, as shown below.
Figure 10 – Initial C&C Communication of the Stealer
Browsers:
After sending the stolen information, the stealer checks for the following browsers installed on the system: Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, and Mozilla Firefox and steals sensitive information from the browsers.
The figure below shows the code to check the browsers.
Figure 11 – Stealer Checking for the Browsers in System
Crypto Wallets and 2FA Extensions:
The stealer now searches for more information associated with the browser, such as crypto wallet and two-factor authentication (2FA) extensions that may have been installed.
The figure below shows the wallets and 2FA extensions that the stealer targets.
Figure 12 – Stealer Targeting Crypto Wallet And 2FA Extensions
In addition, the stealer can also steal browser history, login information, network cookies, and more from the system, as shown below.
Figure 13 – Stealer Targeting Sensitive Browser Information
Command & Control Communication
Finally, the stealer encrypts the data obtained from the infected system and sends it to the C&C server, as shown below.
The figure below depicts the C&C communication of the stealer.
Figure 14 – C&C Communication of the LummaC2 Stealer
Conclusion
LummaC2 behaves in a manner comparable to other stealer-type malware, which can take away both system and sensitive data from the victim’s machine. These dangerous programs usually have the capacity to take information from web browsers and target Crypto wallets and 2FA extensions.
The additional information stored on web browsers, such as login credentials, PII, and financial information, can be further leveraged to conduct fraud activities as well.
Threat actors can use the stolen data to steal cryptocurrencies from the victim’s accounts, or alternatively, they can sell this data to other threat actors for financial gain.
CRIL continuously monitors emerging threats and will continue to keep readers informed.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Malware Attacks
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
Users Should Take the Following Steps After the Malware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Malware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Monetary loss.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Defense Evasion | T1140 T1562 | Deobfuscate/Decode Files or Information Impair Defences |
Discovery | T1082 T1083 | System Information Discovery File and Directory Discovery |
Collection | T1119 T1005 | Automated Collection Data from the Local System |
Command and Control | T1071 | Application Layer Protocol |
Exfiltration | T1020 | Automated Exfiltration |
Indicators of Compromise (IoCs)
Indicators | Indicator Type | Description |
1995a54dba0e05d80903d3d210c1e3da c43316ddcb51e143ab53f996587c23ea4985f6ea 277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf | MD5 SHA1 SHA256 | LummaC2 Binary |
a09daf5791d8fd4b5843cd38ae37cf97 2c11592f527a35c3dac75139e870dd062b12dfe1 60247d4ddd08204818b60ade4bfc32d6c31756c574a5fe2cd521381385a0f868 | MD5 SHA1 SHA256 | LummaC2 Binary |
5aac51312dfd99bf4e88be482f734c79 9ac88b93fee8f888cabc3d0c9d81507c6dad7498 9b742a890aff9c7a2b54b620fe5e1fcfa553648695d79c892564de09b850c92b | MD5 SHA1 SHA256 | LummaC2 Binary |
c9c0e32e00d084653db0b37a239e9a34 b97965e4a793ec0fa10abc86d0c6be5718716d8a d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264 | MD5 SHA1 SHA256 | LummaC2 Binary |
195[.]123[.]226[.]91 | IP | LummaC2 C&C |
144[.]76[.]173[.]247 | IP | LummaC2 C&C |
Related Articles:
10 Fast Facts About Cybersecurity for Financial Services—And How ASPM Can Help
Published: 12/20/2024
Decoding the Volt Typhoon Attacks: In-Depth Analysis and Defense Strategies
Published: 12/17/2024
Threats in Transit: Cyberattacks Disrupting the Transportation Industry
Published: 12/17/2024
Achieving Cyber Resilience with Managed Detection and Response
Published: 12/13/2024