LummaC2 Malware Using Steam Gaming Platform as C2 Server


Cybersecurity experts have uncovered a sophisticated variant of the LummaC2 malware that leverages the popular Steam gaming platform as a Command-and-Control (C2) server.

This new tactic marks a significant evolution in the malware’s distribution and operational mechanisms, posing a heightened threat to users and organizations worldwide.

The Rise of LummaC2

LummaC2 is an information-stealing malware that has been actively distributed by masquerading as illegal programs such as cracks, keygens, and game hacks.

These malicious files are disseminated through various channels, including distribution sites, YouTube, LinkedIn, and even search engine advertisements, using a technique known as SEO poisoning.

Recently, the malware has also been disguised as legitimate applications like Notion, Slack, and Capcut, further broadening its reach.

According to AhnLab's ASEC report, LummaC2 was initially distributed either as a single executable (EXE) file or through DLL side-loading, where a malicious DLL is packaged together with a legitimate EXE file in the same archive.

This method allowed the malware to execute its payload while remaining under the radar of many security systems.

Distribution in single EXE form (left), distribution in DLL form (right)

Exploiting Steam for C2 Domains

In its latest variant, LummaC2 has adopted a novel approach by exploiting the Steam gaming platform to obtain C2 domain information. Previously, all C2 information was embedded within the malware sample itself.


By retrieving the domain from a legitimate platform like Steam instead, attackers can change the C2 domain dynamically after the sample has been distributed, improving the malware's resilience and reducing the likelihood of detection.

This technique is not entirely new; it mirrors the strategy used by the Vidar malware, which has a history of exploiting various legitimate platforms such as TikTok, Mastodon, and Telegram to obtain C2 information.

LummaC2 exploit Steam page (left), Vidar exploit Steam page (right)

Decryption and Execution

Upon execution, LummaC2 decrypts its internal encrypted strings to obtain C2 domain information. The encoding combines Base64 with a custom algorithm, and each sample contains approximately 8 to 10 C2 domains.

C2 domain decryption code

The malware only starts its Steam connection routine if none of the embedded C2 domains can be reached. Unlike the C2 domains, the Steam URL is stored inside the executable code rather than the encrypted string table, and it is decrypted with a different algorithm.

The Steam URL points to a Steam account profile page believed to be created by the attacker. The malware obtains a string by parsing the “actual_persona_name” tag on this page, which is then decrypted using the Caesar cipher to reveal the C2 domain.

Steam account page source

Dynamic C2 Domain Management

Using a legitimate domain like Steam, with its vast user base, helps reduce suspicion and allows the attacker to change the C2 domain easily whenever needed.

This flexibility increases the attack’s success rate and makes it more challenging for security systems to block the malware.

Once the C2 domain is decrypted, LummaC2 connects to the C2 server and downloads an encrypted settings JSON file. This file is then decrypted, and the malware performs various malicious actions based on the settings.

The stolen information is sent back to the C2 server and includes:

  • Wallet program information
  • Browser storage information
  • Password storage program information
  • TXT files in the user directory
  • Messenger program information
  • FTP program information
  • VPN program information
  • Remote program information
  • Memo program information
  • Mail program information
  • Browser extension plugin (virtual currency wallet) information

Part of LummaC2 settings JSON

The exploitation of the Steam gaming platform by LummaC2 malware represents a significant escalation in cyber threats.

By leveraging a legitimate and widely used platform, attackers can dynamically manage C2 domains, making the malware more resilient and harder to detect.

This development underscores the need for heightened vigilance and advanced security measures to protect against evolving cyber threats.

Recommendations

To mitigate the risk posed by LummaC2 and similar malware, users and organizations should:

  1. Avoid Downloading Illegal Software: Refrain from downloading cracks, keygens, and game hacks from untrusted sources.
  2. Use Reputable Security Software: Employ advanced antivirus and anti-malware solutions that can detect and block such threats.
  3. Regularly Update Software: Ensure all software, including security programs, is up-to-date to protect against known vulnerabilities.
  4. Educate Users: Raise awareness about the dangers of downloading and executing unknown files, and promote safe online practices.
  5. Monitor Network Traffic: Implement network monitoring tools to detect unusual traffic patterns that may indicate a malware infection.

By adopting these measures, users and organizations can better defend against LummaC2’s sophisticated tactics and other evolving cyber threats.
