LummaC2 Employs Trigonometry to Track Mouse Movements


MaaS (Malware-as-a-Service) thrives as a top choice for new cyber threats, offering easy access to powerful tools. Threat actors operating under MaaS focus primarily on information theft, specialising in stealing and leaking sensitive data from compromised devices.

This malicious behavior poses a serious risk to both individuals and businesses, with the potential to cause significant financial losses.

Recently, cybersecurity researchers at Outpost24’s KrakenLabs found LummaC2 v4.0 evading sandboxes with a new anti-sandbox trick.

Besides this, the threat actor behind LummaC2 v4.0 warns customers against distributing the malware without first running it through a crypter.


LummaC2 v4.0

LummaC2, an info-stealer written in C, appeared on underground markets in Dec 2022 and is now at version 4.0, which brings the following updates:

  • Control Flow Flattening
  • New Anti-Sandbox technique
  • Strings are now XOR encrypted
  • Supports dynamic configuration files retrieved from the C2
  • Forces threat actors to run their builds through a crypter

Using Trigonometry to Detect Mouse Movements

During the malware analysis, the researchers identified two distinct layers, described as follows:

  • Layer 1: This layer consists of junk assembly that varies between packed samples and performs no meaningful work. push+ret and jz+jnz sequences are examples of the obfuscation used to break disassembly and make analysis harder.
  • Layer 2: This layer mirrors the first, employing the same obfuscation to hinder disassembly. It extracts, decrypts, and runs LummaC2 v4.0 by loading a hardcoded resource (‘3’) with LoadResource and LockResource.
Layer structure (Source - Outpost24)

Control Flow Flattening is an obfuscation technique that disrupts the program’s natural flow and complicates analysis. Opaque predicates add complexity through conditional jumps whose outcome is fixed at build time, so the program’s behaviour is preserved while its control flow looks far more complex.

Dead code consists of inactive or unreachable blocks. In some of these dead code blocks, LummaC2 v4.0 places calls to known routines with invalid parameters.

Program flow after applying Control Flow Flattening obfuscation (Source - Outpost24)

Dealing with this obfuscation involves identifying the main dispatcher, the key blocks (such as Block 1 and Block 2), and the predispatcher. The main dispatcher is the block to which execution returns.

The predispatcher alters the control values that steer execution to the next block. Identifying the key blocks is harder under CFF because LummaC2 v4.0 stores these control-flow values in local variables or in memory locations pointed to by registers.

LummaC2 v4.0 introduces a novel anti-sandbox tactic: it delays execution until it detects realistic mouse movement. It captures a series of cursor positions, checks that consecutive positions differ, and then uses trigonometry on the resulting movement vectors to decide whether the behaviour is ‘human’.

5 captured mouse positions (Source - Outpost24)

The process repeats until genuine mouse activity is detected, which prevents detonation in sandboxes that do not emulate realistic mouse movement.
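To make the shape of this heuristic concrete, here is an added Python example (not code from the article, Outpost24, or the malware) that applies the idea above to constructed cursor traces: consecutive captures must differ, and the turn angle between consecutive movement vectors must stay small. The 45-degree threshold is an assumption, not a value the article states.

```python
import math
from typing import List, Tuple

Point = Tuple[int, int]

# Assumed threshold (not stated in the article): maximum turn angle in degrees
# between consecutive movement vectors for a trace to be judged "human".
MAX_TURN_DEG = 45.0


def movement_vectors(points: List[Point]) -> List[Tuple[int, int]]:
    """Displacement vectors between consecutive captured cursor positions."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]


def angle_between_deg(v1: Tuple[int, int], v2: Tuple[int, int]) -> float:
    """Angle in degrees between two displacement vectors (dot-product form)."""
    dot = v1[0] * v2[0] + v1[1] * v2[1]
    cos_theta = dot / (math.hypot(*v1) * math.hypot(*v2))
    cos_theta = max(-1.0, min(1.0, cos_theta))  # guard against rounding drift
    return math.degrees(math.acos(cos_theta))


def looks_human(points: List[Point], max_turn_deg: float = MAX_TURN_DEG) -> bool:
    """Every consecutive pair of captures must differ, and the path must not
    change direction sharply between samples."""
    if len(points) < 3:
        return False
    vectors = movement_vectors(points)
    if any(v == (0, 0) for v in vectors):
        return False  # cursor did not move between two captures (idle sandbox)
    return all(angle_between_deg(v1, v2) <= max_turn_deg
               for v1, v2 in zip(vectors, vectors[1:]))


# Constructed sample traces of five captures each.
HUMAN_TRACE = [(100, 100), (112, 104), (125, 110), (140, 118), (158, 124)]
IDLE_TRACE = [(500, 400)] * 5                                   # cursor never moves
JITTER_TRACE = [(100, 100), (900, 50), (120, 700), (800, 650), (50, 60)]  # random jumps

if __name__ == "__main__":
    for name, trace in [("human", HUMAN_TRACE), ("idle", IDLE_TRACE),
                        ("jitter", JITTER_TRACE)]:
        print(f"{name}: {looks_human(trace)}")
```

A sandbox operator can feed their own emulated cursor captures to `looks_human` to see whether the emulation would pass a heuristic of this kind; idle cursors and random teleporting jumps both fail it.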

Newer LummaC2 v4.0 builds prevent leaks of unpacked samples by detecting whether the executable has been crypted. If it has not, the sample displays an alert that lets the user halt execution before any harm is done.

IOCs

Hashes

  • b14ddf64ace0b5f0d7452be28d07355c1c6865710dbed84938e2af48ccaa46cf (packed)
  • 4408ce79e355f153fa43c05c582d4e264aec435cf5575574cb85dfe888366f86 (unpacked)
  • de6c4c3ddb3a3ddbcbea9124f93429bf987dcd8192e0f1b4a826505429b74560 (packed)
  • 976c8df8c33ec7b8c6b5944a5caca5631f1ec9d1d528b8a748fee6aae68814e3 (unpacked)

C&Cs

  • curtainjors[.]fun
  • gogobad[.]fun
  • superyupp[.]fun
