The AhnLab Security Intelligence Center (ASEC) has identified LummaC2 malware being distributed as a counterfeit version of the Total Commander software. Targeting users seeking cracked software, the malware’s distribution involves deceptive web pages and downloader scripts that ultimately execute malicious code. Affected: LummaC2, Total Commander
Keypoints :
- LummaC2 malware is disguised as the Total Commander file manager tool.
- Threat actors are using Google searches for “Total Commander Crack” to lure victims.
- Users must click through multiple manipulated pages to reach the malware download.
- The downloaded ZIP file contains a password-protected RAR file with the malware.
- The installation prompts execution of the “installer_1.05_38.2.exe” file, which infects the system.
- The malware execution involves complex obfuscation techniques using NSIS and AutoIt scripts.
- LummaC2 steals sensitive information such as login credentials and may lead to secondary attacks.
- Recommendations include downloading software only from official sources.
MITRE Techniques :
- Execution (T1203): The malware installs itself when the user executes the “installer_1.05_38.2.exe”.
- Obfuscated Files or Information (T1027): The LummaC2 deployment uses heavily obfuscated scripts to hide its operations.
- Credential Dumping (T1003): LummaC2 is designed to capture sensitive information such as login credentials.
- Command and Control (T1071): Stolen information is sent to the threat actor’s C&C server.
Indicator of Compromise :
- [MD5] 0a2d4bbb5237add913a2c6cf24c08688
- [MD5] 0da35eeccb9746a77d6b20dfdd01e1e1
- [MD5] 12087e91e60f195b2bc69b819978690e
- [MD5] 1f13356efe44af196602fc3438889d16
- [MD5] 25728e657a3386c5bed9ae133613d660
- [URL] http[:]//affordtempyo[.]biz/
- [URL] http[:]//hoursuhouy[.]biz/
- [URL] http[:]//impolitewearr[.]biz/
- [URL] http[:]//lightdeerysua[.]biz/
- [URL] http[:]//mixedrecipew[.]biz/
Full Story: https://asec.ahnlab.com/en/86435/