Cloud 101CircleEventsBlog
Get 50% off the Cloud Infrastructure Security training bundle with code 'unlock50advantage'

LummaC2 Stealer: A Potent Threat To Crypto Users

Published 03/21/2023

LummaC2 Stealer: A Potent Threat To Crypto Users

Originally published by Cyble.

New Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsers

During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.

The figure below shows the dark web post by the Threat Actors.

Figure 1 – Dark Web Post for LummaC2 Stealer

The post also mentioned the link to LummaC2 Stealer’s seller website, which is written in Russian. The website also offers various purchasing options for potential Threat Actors(TAs), with prices ranging from $250 to $20000 depending on the plan.

The image below shows the website where the stealer is available for sale.

Figure 2 – LummaC2 Stealer Sellers Website

In addition, Threat Actors (TAs) behind the LummaC2 Stealer have created two Telegram channels in Russian: one for sharing information about the stealer and one for reporting bugs in the malware.

Figure 3 – Telegram Post by the Threat Actors

The researchers at CRIL found two active Command and Control servers connected to the LummaC2 Stealer.

The figure below illustrates the IP addresses of these servers, one located in Bulgaria and the other in Germany.

Figure 4 – LummaC2 Stealer C&C IPs

The figure below shows the login page of the LummaC2 Stealer’s Command and Control (C&C) server.

Figure 5 – LummaC2 C&C panel Login Page

Technical Details

The LummaC2 Stealer is a 32-bit GUI type executable with sha256 d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264.

The figure below shows the additional file details of the LummaC2 stealer executable.

Figure 6 – File Details of LummaC2 Stealer

Detection Evasion:

The stealer has many Obfuscated strings that are being covered by a random string, “edx765”, to evade detection. Upon execution, the stealer passes the obfuscated string to a function that strips the random string and delivers the original string.

The figure below shows the routine for string manipulation.

Figure 7 – Assembly Code to Replace the edx765 String

Collects System Information:

After getting the required strings, the malware resolves the APIs. It starts extracting multiple pieces of information from the system, including LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory. The malware stores this information in the memory under the name system.txt.

The below figure shows the code snippet of malware for collecting system information.

Figure 8 – System Information Extracted by the Stealer

File Grabber:

The stealer now enumerates the %userProfile% directory and grabs .txt files from the Victims machine. These grabbed files are stored in the memory under the name “Important Files/Profile” for exfiltration.

Wallets:

The stealer also targets crypto wallets such as Binance, Electrum, and Ethereum and collects sensitive information from the victim’s machine. The below figure shows the code snippet of stealers targeting crypto wallets.

Figure 9 – The Stealer Targeting Wallets

After collecting the victim’s wallet and system details, the stealer sends this information to its C&C server, as shown below.

Figure 10 – Initial C&C Communication of the Stealer

Browsers:

After sending the stolen information, the stealer checks for the following browsers installed on the system: Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, and Mozilla Firefox and steals sensitive information from the browsers.

The figure below shows the code to check the browsers.

Figure 11 – Stealer Checking for the Browsers in System

Crypto Wallets and 2FA Extensions:

The stealer now searches for more information associated with the browser, such as crypto wallet and two-factor authentication (2FA) extensions that may have been installed.

The figure below shows the wallets and 2FA extensions that the stealer targets.

Figure 12 – Stealer Targeting Crypto Wallet And 2FA Extensions

In addition, the stealer can also steal browser history, login information, network cookies, and more from the system, as shown below.

Figure 13 – Stealer Targeting Sensitive Browser Information

Command & Control Communication

Finally, the stealer encrypts the data obtained from the infected system and sends it to the C&C server, as shown below.

The figure below depicts the C&C communication of the stealer.

Figure 14 – C&C Communication of the LummaC2 Stealer

Conclusion

LummaC2 behaves in a manner comparable to other stealer-type malware, which can take away both system and sensitive data from the victim’s machine. These dangerous programs usually have the capacity to take information from web browsers and target Crypto wallets and 2FA extensions.

The additional information stored on web browsers, such as login credentials, PII, and financial information, can be further leveraged to conduct fraud activities as well.

Threat actors can use the stolen data to steal cryptocurrencies from the victim’s accounts, or alternatively, they can sell this data to other threat actors for financial gain.

CRIL continuously monitors emerging threats and will continue to keep readers informed.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Malware Attacks

  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.

Users Should Take the Following Steps After the Malware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact And Cruciality of Malware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Monetary loss.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Defense Evasion T1140
T1562
Deobfuscate/Decode Files or Information
Impair Defences
Discovery T1082
T1083
System Information Discovery
File and Directory Discovery
CollectionT1119
T1005
Automated Collection
Data from the Local System
Command and Control T1071 Application Layer Protocol
Exfiltration T1020 Automated Exfiltration

Indicators of Compromise (IoCs)

IndicatorsIndicator TypeDescription
1995a54dba0e05d80903d3d210c1e3da
c43316ddcb51e143ab53f996587c23ea4985f6ea
277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf
MD5
SHA1
SHA256
LummaC2 Binary
a09daf5791d8fd4b5843cd38ae37cf97
2c11592f527a35c3dac75139e870dd062b12dfe1
60247d4ddd08204818b60ade4bfc32d6c31756c574a5fe2cd521381385a0f868
MD5
SHA1
SHA256
LummaC2 Binary
5aac51312dfd99bf4e88be482f734c79
9ac88b93fee8f888cabc3d0c9d81507c6dad7498
9b742a890aff9c7a2b54b620fe5e1fcfa553648695d79c892564de09b850c92b
MD5
SHA1
SHA256
LummaC2 Binary
c9c0e32e00d084653db0b37a239e9a34
b97965e4a793ec0fa10abc86d0c6be5718716d8a
d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264
MD5
SHA1
SHA256
LummaC2 Binary
195[.]123[.]226[.]91IPLummaC2 C&C
144[.]76[.]173[.]247IPLummaC2 C&C

Share this content on your favorite social network today!