Summary:
LummaC2 is a sophisticated Infostealer malware that disguises itself as legitimate software to evade detection. It captures sensitive information from users and sends it to the attacker’s command and control server, posing a significant threat to both individual and corporate systems.
Keypoints:
- LummaC2 is distributed disguised as illegal software, with the malicious code inserted into otherwise legitimate programs.
- The malware steals sensitive information including account credentials, email data, and cryptocurrency wallet information.
- Stolen data may be sold on the dark web or used for further attacks.
- The current distribution method modifies legitimate files to embed the malware, which makes detection harder; a modified signed file no longer carries a valid signature, which is the one visible clue.
- Threat actors are increasingly using complex methods to disguise malware, complicating detection efforts.
- Automated processes are in place for malware collection and analysis at AhnLab.
- Users should exercise caution with files from untrusted sources, especially those with invalid signatures.
MITRE Techniques:
- OS Credential Dumping (T1003): listed in the original summary; the behaviour described here (credentials extracted from browsers and applications) corresponds more closely to Credentials from Password Stores (T1555).
- Data Encrypted for Impact (T1486): listed in the original summary, but nothing on this page describes encryption of victim data; the impact of an infostealer is data theft, so this mapping is unsupported by the reported behaviour.
- Application Layer Protocol (T1071): communicates with multiple command and control domains over HTTPS (see the /api URLs in the IoC list) to keep control of compromised systems.
IoC:
- [URL] https[:]//authorisev[.]site/api
- [URL] https[:]//bakedstusteeb[.]shop/api
- [URL] https[:]//bringlanejk[.]site/api
- [URL] https[:]//conceszustyb[.]shop/api
- [URL] https[:]//contemteny[.]site/api
- [File Hash] 2871fb22369890c609fdb067db060c42
- [File Hash] 3079439be9235f321baab3ae204a7b8b
- [File Hash] 4f8ac16139c29a03686004904cf9ce76
- [File Hash] 5845951ae9a216178404ec2e66d1872c
- [File Hash] 59d5751d980fae8a556e53a4282c69ed
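A practical check built from the IoC list above, as an added example rather than code from the AhnLab report: it refangs the published C2 URLs, matches DNS log queries against the C2 hostnames (exact or subdomain), and compares MD5 hashes of files on disk with the listed hashes. The log line format, the sample log entries and the sample files are constructed assumptions; only the indicators are taken from the page.

```python
"""Check DNS query logs and files on disk against the LummaC2 IoCs above.

Added example; the indicators are copied from the report, everything else
(the log format, the sample log lines, the sample files) is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# C2 URLs exactly as published (defanged) in the report above.
DEFANGED_URLS = [
    "https[:]//authorisev[.]site/api",
    "https[:]//bakedstusteeb[.]shop/api",
    "https[:]//bringlanejk[.]site/api",
    "https[:]//conceszustyb[.]shop/api",
    "https[:]//contemteny[.]site/api",
]

# MD5 file hashes from the report above.
MD5_HASHES = {
    "2871fb22369890c609fdb067db060c42",
    "3079439be9235f321baab3ae204a7b8b",
    "4f8ac16139c29a03686004904cf9ce76",
    "5845951ae9a216178404ec2e66d1872c",
    "59d5751d980fae8a556e53a4282c69ed",
}


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be parsed: [.] -> ., [:] -> :, hxxp -> http."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def c2_hosts(defanged_urls=DEFANGED_URLS) -> set:
    """Lower-cased hostnames of the C2 URLs, for matching DNS or proxy logs."""
    return {urlparse(refang(u)).hostname.lower() for u in defanged_urls}


def matches_c2(query: str, hosts: set) -> bool:
    """True for an exact C2 host or any subdomain of one (cdn.contemteny.site).
    A name that merely contains a C2 host (bringlanejk.site.evil.example) is not a match."""
    return query in hosts or any(query.endswith("." + h) for h in hosts)


def scan_dns_log(lines, hosts) -> list:
    """Return (client, queried-name) pairs that hit a C2 host.

    Assumed (constructed) log format: '<timestamp> <client-ip> <queried-name>'.
    Case and trailing dots are normalised so 'BringLaneJK.SITE.' still matches.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # empty or malformed line: skip rather than crash
        client, query = parts[1], parts[2].lower().rstrip(".")
        if matches_c2(query, hosts):
            hits.append((client, query))
    return hits


def md5_of_file(path: Path) -> str:
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(paths, hashes=MD5_HASHES) -> dict:
    """Map path -> MD5 for every file whose hash is in the IoC set."""
    matches = {}
    for p in paths:
        digest = md5_of_file(p)
        if digest in hashes:
            matches[str(p)] = digest
    return matches


def demo() -> dict:
    """Run both checks on constructed data and return the results."""
    hosts = c2_hosts()
    # Constructed DNS log lines: lines 2, 4 and 5 should hit, the rest should not.
    dns_log = [
        "2024-05-01T10:00:01Z 10.0.0.5 update.example.com",
        "2024-05-01T10:00:02Z 10.0.0.5 authorisev.site",
        "2024-05-01T10:00:03Z 10.0.0.7 bringlanejk.site.evil.example",
        "2024-05-01T10:00:04Z 10.0.0.9 BringLaneJK.SITE.",
        "2024-05-01T10:00:05Z 10.0.0.9 cdn.contemteny.site",
        "",
    ]
    dns_hits = scan_dns_log(dns_log, hosts)

    # Constructed files: one benign, one whose hash is added to a copy of the IoC set
    # (neither is a real LummaC2 sample).
    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "benign.bin"
        benign.write_bytes(b"not malware\n")
        sample = Path(d) / "sample.bin"
        sample.write_bytes(b"constructed sample, not a real LummaC2 binary\n")
        ioc_set = MD5_HASHES | {md5_of_file(sample)}
        hash_hits = match_hashes([benign, sample], ioc_set)

    return {
        "hosts": hosts,
        "dns_hits": dns_hits,
        "hash_hit_count": len(hash_hits),
        "sample_flagged": any(p.endswith("sample.bin") for p in hash_hits),
    }


if __name__ == "__main__":
    print(demo())
```

MD5 is used only because that is what the report publishes; prefer SHA-256 where a feed provides it. Because the malware is inserted into legitimate files, each repackaged build can carry a different hash, so hash matching only catches the exact samples listed; the C2 hostname match on DNS or proxy logs is the more durable signal from this IoC set.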
Full Research: https://asec.ahnlab.com/en/84556/