LummaC2 Stealer: A Potent Threat To Crypto Users

Originally published by Cyble.

New Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsers

During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.

The figure below shows the dark web post by the Threat Actors.

Figure 1 – Dark Web Post for LummaC2 Stealer

The post also mentioned the link to LummaC2 Stealer’s seller website, which is written in Russian. The website also offers various purchasing options for potential Threat Actors(TAs), with prices ranging from $250 to $20000 depending on the plan.

The image below shows the website where the stealer is available for sale.

Figure 2 – LummaC2 Stealer Sellers Website

In addition, Threat Actors (TAs) behind the LummaC2 Stealer have created two Telegram channels in Russian: one for sharing information about the stealer and one for reporting bugs in the malware.

Figure 3 – Telegram Post by the Threat Actors

The researchers at CRIL found two active Command and Control servers connected to the LummaC2 Stealer.

The figure below illustrates the IP addresses of these servers, one located in Bulgaria and the other in Germany.

Figure 4 – LummaC2 Stealer C&C IPs

The figure below shows the login page of the LummaC2 Stealer’s Command and Control (C&C) server.

Figure 5 – LummaC2 C&C panel Login Page

Technical Details

The LummaC2 Stealer is a 32-bit GUI type executable with sha256 d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264.

The figure below shows the additional file details of the LummaC2 stealer executable.

Figure 6 – File Details of LummaC2 Stealer

Detection Evasion:

The stealer has many Obfuscated strings that are being covered by a random string, “edx765”, to evade detection. Upon execution, the stealer passes the obfuscated string to a function that strips the random string and delivers the original string.

The figure below shows the routine for string manipulation.

Figure 7 – Assembly Code to Replace the edx765 String

Collects System Information:

After getting the required strings, the malware resolves the APIs. It starts extracting multiple pieces of information from the system, including LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory. The malware stores this information in the memory under the name system.txt.

The below figure shows the code snippet of malware for collecting system information.

Figure 8 – System Information Extracted by the Stealer

File Grabber:

The stealer now enumerates the %userProfile% directory and grabs .txt files from the Victims machine. These grabbed files are stored in the memory under the name “Important Files/Profile” for exfiltration.

Wallets:

The stealer also targets crypto wallets such as Binance, Electrum, and Ethereum and collects sensitive information from the victim’s machine. The below figure shows the code snippet of stealers targeting crypto wallets.

Figure 9 – The Stealer Targeting Wallets

After collecting the victim’s wallet and system details, the stealer sends this information to its C&C server, as shown below.

Figure 10 – Initial C&C Communication of the Stealer

Browsers:

After sending the stolen information, the stealer checks for the following browsers installed on the system: Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, and Mozilla Firefox and steals sensitive information from the browsers.

The figure below shows the code to check the browsers.

Figure 11 – Stealer Checking for the Browsers in System

Crypto Wallets and 2FA Extensions:

The stealer now searches for more information associated with the browser, such as crypto wallet and two-factor authentication (2FA) extensions that may have been installed.

The figure below shows the wallets and 2FA extensions that the stealer targets.

Figure 12 – Stealer Targeting Crypto Wallet And 2FA Extensions

In addition, the stealer can also steal browser history, login information, network cookies, and more from the system, as shown below.

Figure 13 – Stealer Targeting Sensitive Browser Information

Command & Control Communication

Finally, the stealer encrypts the data obtained from the infected system and sends it to the C&C server, as shown below.

The figure below depicts the C&C communication of the stealer.

Figure 14 – C&C Communication of the LummaC2 Stealer

Conclusion

LummaC2 behaves in a manner comparable to other stealer-type malware, which can take away both system and sensitive data from the victim’s machine. These dangerous programs usually have the capacity to take information from web browsers and target Crypto wallets and 2FA extensions.

The additional information stored on web browsers, such as login credentials, PII, and financial information, can be further leveraged to conduct fraud activities as well.

Threat actors can use the stolen data to steal cryptocurrencies from the victim’s accounts, or alternatively, they can sell this data to other threat actors for financial gain.

CRIL continuously monitors emerging threats and will continue to keep readers informed.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Malware Attacks

• Refrain from opening untrusted links and email attachments without verifying their authenticity.
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
• Conduct regular backup practices and keep those backups offline or in a separate network.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.

Users Should Take the Following Steps After the Malware Attack

• Detach infected devices on the same network.
• Disconnect external storage devices if connected.
• Inspect system logs for suspicious events.

Impact And Cruciality of Malware

• Loss of valuable data.
• Loss of the organization’s reputation and integrity.
• Loss of the organization’s sensitive business information.
• Disruption in organization operation.
• Monetary loss.

MITRE ATT&CK® Techniques

Indicators of Compromise (IoCs)