LummaC2 Stealer is a sophisticated information-stealing malware designed to target sensitive data, particularly from cryptocurrency wallets and 2FA extensions across various web browsers.
This stealer was discovered in late 2022, and it operates as a “MaaS,” which enables threat actors to purchase it for different price ranges.
Google and Mandiant security teams recently discovered that LummaC2 stealer has been actively leveraging the customized control flow indirection for execution.
LummaC2 Stealer Abusing Customized Control Flow
The “LummaC2” (‘LUMMAC.V2’) stealer makes use of the “customized control flow indirection” to manipulate its execution path and it was built upon traditional control flow flattening,.
This technique effectively prevents binary analysis tools like “IDA Pro” and “Ghidra,” significantly restricting ‘reverse engineering’ and ‘automated detection’ efforts.
To counter this, security analysts developed an “automated deobfuscation method” using symbolic backward slicing.
Their approach primarily focuses on distinguishing between original instructions and obfuscator-injected “dispatcher instructions” within protected functions.
Researchers leveraged the “Triton symbolic execution engine” to perform backward tracing that enables them to isolate the “dispatcher instructions,” and determine how they calculate “indirect control transfers.”
The obfuscator uses several types of dispatcher block types like:-
- Register-based
- Memory-based
- Mixed-order layouts
- Specialized conditional dispatchers (for standard logic, loops, and syscall handling)
By reconstructing the original control flow through a depth-first search (DFS) traversal algorithm and strategic handling of conditional jumps, it’s possible to rebuild and deobfuscate the samples into a format suitable for comprehensive static binary analysis.
This method provides essential insights for security teams, which allows more effective analysis and detection of the evolving “LummaC2” threat.
Besides this, deobfuscation reconstructs original functions by removing obfuscator-added elements while maintaining program semantics.
This process involves instruction rewriting, where deobfuscated instructions overwrite the protected function, starting from its entry point.
Two cases of indirect jumps are addressed, unconditional dispatcher blocks and conditional dispatcher blocks, with the latter requiring the determination of the original jump type (‘jz,’ ‘jnz,’ ‘jl’) based on setcc instructions. The rebuilding process excludes dispatcher instructions and duplicates.
Offset relocation follows, adjusting memory-referencing instructions (jumps, calls) to account for new instruction locations after removal of obfuscator code.
This technique was applied to “LummaC2 malware,” and here to identify original instructions and eliminate dispatcher code it uses the “backward slicing” and “symbolic execution.”
The process ensures that deobfuscated functions occupy less space than obfuscated ones, with the remaining space filled by compiler padding (“0xCC instructions”).
This method demonstrates the broader applicability of “backward slicing” in reverse engineering and malware analysis.
Indicators Of Compromise
MD5 | Associated Malware Family |
d01e27462252c573f66a14bb03c09dd2 | LUMMAC.V2 |
5099026603c86efbcf943449cd6df54a | LUMMAC.V2 |
205e45e123aea66d444feaba9a846748 | LUMMAC.V2 |
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try It for Free