October 31, 2024
By Cybervergent Team

Malware Analysis Report on Lumma Stealer Malware

Introduction

Lumma Stealer, also referred to as LummaC2, is an information-stealing malware written in C and distributed under a Malware-as-a-Service (MaaS) model. It has been observed on Russian-speaking forums since August 2022 and targets sensitive data such as cryptocurrency wallets, 2FA browser extensions, and system credentials. It exfiltrates data to a Command and Control (C2) server using HTTP POST requests, and it has been delivered as EXE and DLL payloads and through PowerShell.

Summary of the report

This report dissects Lumma Stealer and documents its functionality to support mitigation and prevention. We cover its behaviour, propagation methods, encryption techniques, and post-infection activity, with the aim of giving security professionals and researchers actionable insight.

Malware Sample:

The malware sample was obtained from the MalwareBazaar database. The file is named f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353.exe. Initial triage, shown in the diagram below, identifies it as a 32-bit executable written in the Go programming language, and the executable is not packed (highlighted in yellow). The language differs from the C-language core described in the introduction, which should be kept in mind when interpreting the static findings below.

Screenshot: file properties showing bitness, language, and packing status.

Note

Packed executables are harder to analyse statically: the packer compresses or encrypts the original code and strings, so tools such as strings or FLOSS see only the unpacker stub until the sample has been unpacked in memory. Packing is widely used to evade signature-based detection and to slow down analysis.

Static Malware Analysis

Static analysis inspects the binary (or its source code) to identify characteristics, patterns, and likely behaviours without executing it.

File Hash

The SHA256 and MD5 checksums of the executable were computed and cross-referenced with VirusTotal to fingerprint the file. The hashes were obtained on the FlareVM command line (via cmder) or from Pestudio; PowerShell's Get-FileHash gives the same result.

File Hashes

SHA256: f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353

MD5: 5fb5e099087ca0db68f8d58ae7555949

VirusTotal reputation of the computed hash

53 of the antivirus engines on VirusTotal flagged the file as malicious, which corroborates the classification of the executable as malware.

String Analysis

String analysis reveals key components such as imported API functions, HTTP requests, and DLL usage, and so gives early insight into the malware's behaviour: system interaction, network activity, and the dependencies it needs to execute. The strings were recovered with the strings tooling in the REMnux distribution and, on FlareVM, by running floss from cmder. Because this sample is a Go binary, one caveat applies throughout: Go stores string literals in a contiguous table without NUL terminators, so naive string extraction returns runs of unrelated literals joined together, and every URL or IP candidate recovered this way has to be validated before it is treated as an indicator.
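The extraction and validation steps just described, as an added example that is not part of the original report and is not FLOSS or REMnux tooling: a minimal ASCII/UTF-16LE strings extractor with the checks a Go binary needs (a URL whose host has no dot is a string-table run-on; dotted-decimal strings are range-checked and still marked unverified). The byte buffer, the API list and the benign-host list are constructed for the demo.

```python
"""Added example (not from the Cybervergent report, not FLOSS): a minimal
strings extractor plus the validation that string analysis of a Go binary
needs. Everything in SAMPLE is constructed for the demo."""
import re
from urllib.parse import urlsplit

MIN_LEN = 6

# Constructed "binary": NUL-separated ASCII imports, one UTF-16LE registry
# path, a real-looking URL, a Go-style run of adjacent literals with no
# separator ("http://" "Expires" "version" "go"), an XML namespace constant,
# and two dotted-decimal strings. Not bytes from the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"VirtualAlloc\x00LoadLibraryW\x00GetProcAddress\x00CreateThread\x00"
    + b"GetThreadContext\x00WriteFile\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
    + b"https://keennylrwmqlw.shop/api\x00"
    + b"http://Expiresversiongo\x00"
    + b"http://www.w3.org/2001/XMLSchema-instance\x00"
    + b"3.3.3.3\x00999.1.1.1\x00"
)

# Illustrative watch list of APIs worth noting when they appear as strings.
API_OF_INTEREST = {
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "CreateThread", "GetThreadContext", "SetThreadContext", "LoadLibraryW",
    "GetProcAddress", "WriteFile", "IsDebuggerPresent", "NtQueryInformationProcess",
}
# XML namespace identifiers embedded as constants by XML libraries; not C2.
KNOWN_BENIGN_HOSTS = {"www.w3.org", "schemas.microsoft.com", "schemas.xmlsoap.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_ascii(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Runs of printable ASCII at least min_len long (what `strings` does)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def extract_utf16le(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Runs of printable UTF-16LE (char, NUL pairs), e.g. Windows paths."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def triage(strings: list[str]) -> dict:
    """Sort strings into evidence buckets and flag extraction artefacts."""
    out = {"apis": [], "urls": [], "benign_urls": [], "ipv4": [], "artefacts": []}
    for s in strings:
        if s in API_OF_INTEREST:
            out["apis"].append(s)
        for url in URL_RE.findall(s):
            host = (urlsplit(url).hostname or "").lower()
            if "." not in host:
                # Go keeps literals back to back with no terminator, so
                # "http://" plus the next few literals come out as one "URL".
                out["artefacts"].append((url, "host has no dot: adjacent string-table literals"))
            elif host in KNOWN_BENIGN_HOSTS:
                out["benign_urls"].append(url)
            else:
                out["urls"].append(url)
        for ip in IPV4_RE.findall(s):
            if all(int(o) <= 255 for o in ip.split(".")):
                out["ipv4"].append(ip)  # syntactically valid, still unverified
            else:
                out["artefacts"].append((ip, "octet out of range"))
    return out


def analyse(data: bytes = SAMPLE) -> dict:
    return triage(extract_ascii(data) + extract_utf16le(data))


if __name__ == "__main__":
    for bucket, items in analyse().items():
        print(f"{bucket}: {items}")
```

Run it as a script to print the buckets; on a real sample replace SAMPLE with the file bytes. The point of the artefacts bucket is that a string such as http://Expiresversiongo is reported as an extraction artefact rather than as a C2 URL, which is the outcome to expect from any Go binary, while an in-range dotted quad such as 3.3.3.3 only earns its place in the ipv4 bucket and still needs confirmation from traffic.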

Behavior of the malicious file

Summary of Behavior:

Anti-analysis/Anti-debugging: Highlighted in yellow

·       Debugger check QueryInfo: the malware queries the process for an attached debugger.

·       DebuggerException ConsoleCtrl / DebuggerException SetConsoleCtrl: installs a console control handler and manipulates exception delivery to detect or disrupt an attached debugger.

·       ThreadControl Context: manipulates thread contexts (GetThreadContext/SetThreadContext), which can be used to clear hardware breakpoints or redirect execution.

·       SEH vectored: registers vectored/structured exception handlers so that exceptions are handled by the malware's own code rather than surfacing in an attached debugger.

XOR: Highlighted in green

·       XOR encryption is used to obfuscate data such as payloads, configuration, or strings. These are decoded only at runtime, so they are invisible to plain string extraction and are a reason to complement static analysis with memory dumps.

Process injection and service creation: Highlighted in yellow

·       Inject thread: injecting code into the address space of another process and starting a thread there, so the payload runs under a different process name.

·       Create service: creating a Windows service, typically for persistence and for running with elevated (SYSTEM) privileges.

Networking capabilities: Highlighted in green

·       Network udp sock: UDP sockets, potentially for command-and-control (C2) or data exfiltration.

·       Network tcp listen: listening for incoming TCP connections, possibly for remote access.

·       Network tcp socket: outgoing TCP connections, used for C2 or remote control (Lumma's HTTP POST exfiltration rides on TCP).

·       Network dns: DNS resolution, needed to reach C2 domains and also abusable for exfiltration or DNS tunnelling.

Privilege escalation: Highlighted in red

·       Disable DEP: disabling Data Execution Prevention so that code can run from writable data pages. This is not privilege escalation by itself, but the ruleset groups it here and it commonly accompanies shellcode execution.

·       Escalate priv: generic privilege-escalation indicators, covering several methods of gaining higher system access.

·       Win token: manipulating Windows access tokens (for example via AdjustTokenPrivileges) to obtain additional privileges.

Persistence: Highlighted in yellow

·       Win mutex: creating or checking a named mutex so that only one instance of the malware runs at a time. This is not persistence in itself, but a fixed mutex name is a useful host-based indicator.

·       Win registry: reading or writing the registry, which may serve persistence (autostart keys) or configuration; the dynamic analysis below shows which keys were actually touched.

·       Win files operation: creating, writing and deleting files to drop components or maintain functionality on the system.

This mapping relates each detected capability to the tactics and techniques the malware may use. Taken together, the pattern suggests software designed to stay hidden, retain access to the system, and communicate with remote servers for command and control. Two caveats apply: these are static capability matches rather than observed behaviour, and several of them (registry, file and mutex operations, DNS, TCP sockets) are found in most legitimate Windows programs too, so they carry weight only in combination and once confirmed dynamically.

Candidate breakpoints for dynamic analysis

Anti-debugging and execution control: marked by the yellow line in the screenshot

·      CreateThread, GetThreadContext, WaitForSingleObject, and ExitProcess show how the executable creates threads, inspects or alters thread state, synchronises tasks, and terminates; a breakpoint on GetThreadContext catches anti-debug and hollowing-style context manipulation.

Memory and code injection: marked by the green line

·      VirtualAlloc, VirtualFree, LoadLibraryExW, LoadLibraryW, and GetProcAddress cover memory allocation, dynamic library loading and runtime API resolution, the building blocks of in-memory payload execution and process injection. On their own they are not conclusive: nearly every Windows program imports them, and Go binaries in particular resolve most Windows APIs at runtime through LoadLibrary/GetProcAddress, so the PE import table of a Go executable is small and generic. They remain good places to break in order to catch a payload being staged in memory.

File and system access: marked by the red line

·      WriteFile, GetSystemDirectoryA, and CloseHandle show how the malware writes files, locates the system directory, and releases handles during cleanup; a breakpoint on WriteFile is the quickest way to see what is dropped to disk (the BitLockerToGo.exe file observed in the dynamic analysis).
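To show how much, or how little, the imports above establish on their own, here is an added example that is not code from the report and is not capa: a small rule evaluator over an import set. The rules, the UBIQUITOUS list and the verdict names are illustrative simplifications of how capability rules are written; IMPORTS_FROM_REPORT is exactly the set of APIs named in this section.

```python
"""Added example (not the report's tooling and not capa): evaluate capability
rules over a PE import set, so that generic imports such as VirtualAlloc are
not over-read as evidence of injection. The rules, the UBIQUITOUS list and the
verdict names are illustrative simplifications; IMPORTS_FROM_REPORT is exactly
the set of APIs named in this section of the report."""

IMPORTS_FROM_REPORT = {
    "CreateThread", "GetThreadContext", "WaitForSingleObject", "ExitProcess",
    "VirtualAlloc", "VirtualFree", "LoadLibraryExW", "LoadLibraryW",
    "GetProcAddress", "WriteFile", "GetSystemDirectoryA", "CloseHandle",
}

# Imports present in almost every Windows program. They can complete a rule
# but never count as evidence on their own.
UBIQUITOUS = {
    "VirtualAlloc", "VirtualFree", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW",
    "GetProcAddress", "WriteFile", "CloseHandle", "CreateThread", "ExitProcess",
    "WaitForSingleObject", "GetSystemDirectoryA",
}

# Each rule needs every API in all_of and at least one API in any_of.
RULES = {
    "remote process injection": {
        "all_of": {"VirtualAllocEx", "WriteProcessMemory"},
        "any_of": {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"},
    },
    "process hollowing": {
        "all_of": {"GetThreadContext", "SetThreadContext", "ResumeThread"},
        "any_of": {"NtUnmapViewOfSection", "WriteProcessMemory"},
    },
    "in-memory payload execution": {
        "all_of": {"VirtualAlloc", "CreateThread"},
        "any_of": {"VirtualProtect", "FlushInstructionCache"},
    },
    "dynamic API resolution": {
        "all_of": {"GetProcAddress"},
        "any_of": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"},
    },
    "service persistence": {
        "all_of": {"CreateServiceW"},
        "any_of": {"OpenSCManagerW", "StartServiceW"},
    },
    "registry autostart": {
        "all_of": {"RegSetValueExW"},
        "any_of": {"RegCreateKeyExW", "RegOpenKeyExW"},
    },
}


def evaluate(imports: set[str], rules: dict = RULES) -> dict[str, dict]:
    """Verdict per rule: matched, partial (non-generic evidence but incomplete),
    generic-only (only ubiquitous imports hit) or absent, plus what is missing."""
    verdicts = {}
    for name, rule in rules.items():
        present = (rule["all_of"] | rule["any_of"]) & imports
        have_all = rule["all_of"] <= imports
        have_any = bool(rule["any_of"] & imports)
        if have_all and have_any:
            status = "matched"
        elif present - UBIQUITOUS:
            status = "partial"
        elif present:
            status = "generic-only"
        else:
            status = "absent"
        missing = (rule["all_of"] - imports) | (set() if have_any else rule["any_of"])
        verdicts[name] = {"status": status, "present": sorted(present), "missing": sorted(missing)}
    return verdicts


def supported(imports: set[str]) -> list[str]:
    """Rules that the import table alone actually supports."""
    return [n for n, v in evaluate(imports).items() if v["status"] == "matched"]


if __name__ == "__main__":
    for rule, verdict in evaluate(IMPORTS_FROM_REPORT).items():
        print(f"{rule:<30} {verdict['status']:<13} missing={verdict['missing']}")
```

Against the report's import list only "dynamic API resolution" is fully supported; "process hollowing" is partial because GetThreadContext is present but SetThreadContext and ResumeThread are not, and "in-memory payload execution" is generic-only because VirtualAlloc plus CreateThread appear in ordinary programs. That is the expected picture for a Go binary, and it is why the injection and service-creation labels from the string-based ruleset above need confirmation in memory or at runtime rather than from the import table.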

Screenshot of the IP address and URL strings detected by string analysis

IP Address

5.4.32.5

2.5.4.62

4.52.5.4

72.5.4.82

3.3.3.3

These five addresses were recovered only from string extraction; no connections to them are reported in the dynamic analysis below. Dotted-decimal strings in a Go binary are frequently version numbers or fragments of adjacent table entries rather than real endpoints, so they should be treated as unverified candidates and checked against sandbox traffic or passive DNS before being blocked.

URL

·      The first URL (http://Expiresversiongo) is not a real URL: its host contains no dot, and "Expires", "version" and "go" are three separate literals that happen to sit next to each other in the Go string table, so the extraction tool read them as one string behind the "http://" prefix. It is an extraction artefact rather than an obfuscated C2 address and should not be added to block lists.

·      The second URL (http://www.w3.org/2001/XMLSchema-instance) is the standard XML Schema Instance namespace identifier that XML libraries embed as a constant. Its presence shows that the binary links XML-handling code, not that it communicates with w3.org.

Dynamic Malware Analysis

Network and Host Based Analysis: dynamic analysis executes the malware in a controlled, isolated environment and observes its behaviour in real time, combining network analysis (connections, DNS, HTTP) with host-based analysis of the processes, files and configuration changes on the endpoint.

On execution, the malware created an executable named BitLockerToGo.exe on the C: drive, as shown in the screenshot below.

The BitLockerToGo file created on the C: drive

BitLockerToGo.exe is the name of a legitimate Windows component (the BitLocker To Go reader, normally located under %SystemRoot%\System32), so the dropped file masquerades as a Windows program to avoid attention. A quick check is to compare the dropped file's hash and Authenticode signature with the genuine Microsoft-signed binary at that path; a copy elsewhere on disk, or an instance whose memory contains the strings below, should be treated as malicious. Inspection of the process memory of BitLockerToGo.exe shows that it can communicate with malicious C2 servers or domains, as seen in the diagram below.

Some indicators of compromise (malicious domain) found in the BitlockerToGo executable

Furthermore, the reputation of the domain hxxps://keennylrwmqlw[.]shop/api shows that it has already been flagged as Lumma Stealer infrastructure.

Reputation of one of the domains found from the file

The executable also modifies the registry, as observed by comparing the state of the system before and after execution (screenshots below).

Registry keys modifications

Some of the Registry keys modified

In total, 21 registry keys were modified, spanning the local machine hive (HKLM) and the user hives (HKU).

Summary of the registry modification activities

1.     In HKLM (HKEY_LOCAL_MACHINE), the modified entries track throttle start times for security identifiers under IdentityCRL, log audio-related activity in the Audio Journal, update notification settings and preferences, and reference user profiles used to track logins and access.

2.     In HKU (HKEY_USERS), the modified entries record user interaction in the Activity Data Model, manage content delivery and subscriptions under ContentDeliveryManager, record program launches in UserAssist, and touch the AAD Broker Plugin used for application management and cloud authentication.

Most of these keys are normal Windows housekeeping rather than malware persistence: IdentityCRL throttle times, the Audio journal, notification settings, ContentDeliveryManager and the AAD broker plugin are written by the operating system in the background, and UserAssist is Explorer's own record of programs the user launched, which makes it forensic evidence that the sample was executed rather than something the sample set for itself. None of the listed keys is a classic autostart location (Run, RunOnce, Services, Winlogon), so a before/after registry diff should be filtered against a known list of autostart keys and against a clean-boot baseline before any entry is reported as persistence.
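An added example of the before/after comparison this section describes; it is not part of the original analysis. It parses two "reg export" snapshots, diffs them, and labels each change as an autostart location, execution evidence (UserAssist, whose value names are ROT13-encoded) or other. Both .reg texts are constructed for the demo, the SID is fabricated, and the "Updater" entry is a hypothetical autostart value included so the autostart path is exercised; it is not something the report observed.

```python
"""Added example (not the report's tooling): parse two `reg export` snapshots,
diff them, and label each change so OS housekeeping keys are not mistaken for
persistence. Both .reg texts are constructed; the SID is fabricated and the
"Updater" value is a hypothetical autostart entry the report did not observe."""
import codecs
import re
from collections import Counter

BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityCRL\ThrottleStartTime]
"S-1-5-21-1000000000-2000000000-3000000000-1001"=hex:00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count]
"HRZR_PGYFRFFVBA"=dword:00000001
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\analyst\\AppData\\Roaming\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityCRL\ThrottleStartTime]
"S-1-5-21-1000000000-2000000000-3000000000-1001"=hex:10,27,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count]
"HRZR_PGYFRFFVBA"=dword:00000002
"P:\\fnzcyr\\fnzcyr.rkr"=hex:00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00
"""

# Classic autostart locations, as lower-cased substrings of the key path.
AUTOSTART_PATTERNS = ("\\currentversion\\run", "\\currentcontrolset\\services\\",
                      "\\winlogon\\userinit", "\\winlogon\\shell",
                      "\\image file execution options\\", "\\policies\\explorer\\run")
_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=value or @=value


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_value(raw: str):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                       # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                           # REG_DWORD
    if raw.startswith("hex"):                             # hex:, hex(2):, hex(7): ...
        return bytes(int(b, 16) for b in raw.partition(":")[2].split(",") if b)
    return raw                                            # unknown type: keep literal


def parse_reg(text: str) -> dict[str, dict]:
    text = re.sub(r"\\\r?\n[ \t]*", "", text)            # join hex continuation lines
    snapshot, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snapshot.setdefault(key, {})
            continue
        m = _LINE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsed line: {line!r}")
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        snapshot[key][name] = decode_value(m.group(2))
    return snapshot


def classify(key: str) -> str:
    k = key.lower()
    if any(p in k for p in AUTOSTART_PATTERNS):
        return "autostart"
    if "\\explorer\\userassist\\" in k:
        return "execution-evidence"  # Explorer's own record of launched programs
    return "other"                   # OS housekeeping unless proven otherwise


def diff_snapshots(before: dict, after: dict) -> list[dict]:
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name in b and name in a and b[name] == a[name]:
                continue
            kind = "modified" if name in b and name in a else "added" if name in a else "removed"
            cat = classify(key)
            # UserAssist value names are ROT13-encoded program paths.
            shown = codecs.decode(name, "rot13") if cat == "execution-evidence" else name
            changes.append({"key": key, "name": name, "decoded_name": shown, "kind": kind,
                            "old": b.get(name), "new": a.get(name), "category": cat})
    return changes


def summarize(changes: list[dict]) -> Counter:
    return Counter(c["category"] for c in changes)


if __name__ == "__main__":
    diff = diff_snapshots(parse_reg(BEFORE_REG), parse_reg(AFTER_REG))
    for c in diff:
        print(f'{c["category"]:<18} {c["kind"]:<8} {c["key"]}  {c["decoded_name"]!r}')
    print(dict(summarize(diff)))
```

On real snapshots, export each hive with reg export before and after detonation, run the diff, and read the "autostart" bucket first; the "execution-evidence" bucket decodes UserAssist into the path that was launched (here the constructed P:\fnzcyr\fnzcyr.rkr decodes to C:\sample\sample.exe), and the "other" bucket is where the IdentityCRL-style housekeeping from this report ends up.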

Conclusion

The analysis combined static and dynamic approaches to understand the sample's behaviour. The malware exhibits anti-debugging techniques, memory manipulation, encryption, process injection, network communication, and privilege-escalation capabilities, all aimed at evading detection, maintaining persistence, and exfiltrating data or executing commands from a remote server.

This underscores the need for robust security controls and for prevention strategies that address the specific techniques observed, so that the risk posed by threats of this kind is reduced.

Recommendations

·      Educate employees on recognising phishing, and in particular on the danger of pasting and running commands supplied by a web page (such as the fake "human verification" pages listed in the IOCs), which leads to PowerShell execution and malware installation.

·      Ensure robust endpoint protection is in place to detect and block PowerShell-based attacks, and enable PowerShell script block logging so that executed commands are recorded. Use application allow-listing to prevent unauthorised executables from running.

·      Monitor for unusual changes to critical registry paths, in particular autostart locations (Run, RunOnce, Services, Winlogon) and UAC and proxy settings.

·      Regularly monitor outbound network connections for communication with IPs or domains associated with Lumma C2 servers, and alert on HTTP POST requests to the IOCs listed below. Random-letter domains under .shop, of the kind seen in this analysis, are a useful hunting pattern.

·      Firewall rules: block outbound traffic to the IPs and domains identified in the IOC section. Note that a web application firewall (WAF) protects inbound traffic to web applications and does not address stealer C2 traffic; outbound filtering belongs on the egress firewall, proxy, or secure web gateway, ideally together with DNS filtering.

·      Ensure that all systems, especially those running Windows 7 to 11, are regularly patched to mitigate vulnerabilities exploited by Lumma Stealer.

·      Establish an incident response plan focused on isolating compromised devices, neutralising threats, and collecting forensic evidence for further analysis. Ensure regular backups to recover from potential data theft or ransomware threats.

Indicators of Compromise (IOCs)

File hashes:

SHA256:

1.     f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353

2.     beb2dbeb0987697f1c440958bb1c54754958b47eb4def4db40a4a71d3a9a5b3f

3.     d323f2034ee22ad7b02394182f3d52456b3fb3a37bc0d1cea888c5a482c88a26

4.     1cd1a6c8b63ce8cf1ac0de34237bcbdac46f8c613536c7f1e7ad0091420def25

5.     f930a52a2107da490787657629a889c86714dd2fa9dbd7a18ac31866811ec6e9

6.     1e391c6e0d52e8ae9babcee62cf692635f35e6a88de1fd264a04f501b31b67a1

7.     b833c19e1c47e6110ac74e5144a328dbb2bd2fca519b3bf211b32730f0f9b9f4

8.     3f58ce78300acd111096a6460f57d607790497a21d59712a4da368c714c344e6

9.     49a7efd8296089d8f30b3eb592b13dc8d9f85e7f9091b0e2653f1ceed77482dc

C2 IP Addresses:

1.     144.76.173.247

2.     45.9.74.78

3.     77.73.134.68

4.     82.117.255.127

5.     82.118.23.50

The following five addresses were recovered only from static string extraction (see String Analysis); no traffic to them is reported in the dynamic analysis, and dotted-decimal strings in a Go binary are often not network endpoints. Validate them before blocking.

6.     5.4.32.5

7.     2.5.4.62

8.     4.52.5.4

9.     72.5.4.82

10.  3.3.3.3

Malicious Domains/URLs:

1.     hxxps://heroic-genie-2b372e.netlify.app/please-verify-z.html

2.     hxxps://sdkjhfdskjnck.s3[.]amazonaws.com/human-verify-system.html

3.     hxxps://newvideozones.click/veri.html

4.     hxxps://keennylrwmqlw[.]shop/api
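An added example serving the File Hash section and this IOC list; it is not the report's own tooling. It refangs the URLs above into a domain watch list, hashes a directory tree against the SHA256 list, and matches DNS query lines against the domains. The hashes, URLs and the first five C2 IPs are copied from this report; the DNS log lines, their format and the file written in demo() are constructed.

```python
"""Added example (not the report's tooling): make this report's IOC list
machine-checkable. Hashes, URLs and the first five C2 IPs are copied from the
report; the DNS log lines, their format and the file written in demo() are
constructed for the demo."""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

REPORT_SHA256 = {
    "f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353",
    "beb2dbeb0987697f1c440958bb1c54754958b47eb4def4db40a4a71d3a9a5b3f",
    "d323f2034ee22ad7b02394182f3d52456b3fb3a37bc0d1cea888c5a482c88a26",
    "1cd1a6c8b63ce8cf1ac0de34237bcbdac46f8c613536c7f1e7ad0091420def25",
    "f930a52a2107da490787657629a889c86714dd2fa9dbd7a18ac31866811ec6e9",
    "1e391c6e0d52e8ae9babcee62cf692635f35e6a88de1fd264a04f501b31b67a1",
    "b833c19e1c47e6110ac74e5144a328dbb2bd2fca519b3bf211b32730f0f9b9f4",
    "3f58ce78300acd111096a6460f57d607790497a21d59712a4da368c714c344e6",
    "49a7efd8296089d8f30b3eb592b13dc8d9f85e7f9091b0e2653f1ceed77482dc",
}
REPORT_URLS = [
    "hxxps://heroic-genie-2b372e.netlify.app/please-verify-z.html",
    "hxxps://sdkjh fdskjnck.s3[.]amazonaws.com/human-verify-system.html".replace(" ", ""),
    "hxxps://newvideozones.click/veri.html",
    "hxxps://keennylrwmqlw[.]shop/api",
]
# The five dotted-decimal strings that came only from static string extraction
# are deliberately left out until they are seen in traffic.
REPORT_C2_IPS = {"144.76.173.247", "45.9.74.78", "77.73.134.68",
                 "82.117.255.127", "82.118.23.50"}
# Constructed DNS query log (resolver-style lines), not real telemetry.
DNS_LOG = """2024-10-31T10:01:02Z host01 query A keennylrwmqlw.shop
2024-10-31T10:01:05Z host01 query A www.microsoft.com
2024-10-31T10:02:11Z host02 query A heroic-genie-2b372e.netlify.app
2024-10-31T10:02:30Z host02 query A sdkjhfdskjnck.s3.amazonaws.com
"""
_QUERY = re.compile(r"\bquery\s+\w+\s+(\S+)")


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging so the value can be compared or resolved."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))


def ioc_domains(urls: list[str] = REPORT_URLS) -> set[str]:
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, watch: set[str] = REPORT_SHA256) -> list[tuple[str, str]]:
    """Hash every file under root and return (path, sha256) for watched hashes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the scan
            if digest in watch:
                hits.append((path, digest))
    return hits


def match_dns_log(log_text: str, domains: set[str]) -> list[tuple[str, str]]:
    """Return (queried name, matched IOC domain) for exact or subdomain matches."""
    hits = []
    for line in log_text.splitlines():
        m = _QUERY.search(line)
        if not m:
            continue
        qname = m.group(1).lower().rstrip(".")
        for d in domains:
            if qname == d or qname.endswith("." + d):
                hits.append((qname, d))
                break
    return hits


def demo() -> dict:
    """Plant a constructed file, show the hash scan finds it, and scan the log."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "dropped.bin")
        with open(planted, "wb") as fh:
            fh.write(b"constructed dropper bytes, not the real sample")
        return {
            "planted_hits": scan_tree(tmp, {sha256_file(planted)}),
            "report_hash_hits": scan_tree(tmp),  # [] unless a listed sample is present
            "dns_hits": match_dns_log(DNS_LOG, ioc_domains()),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Domain matching is done on the host name, including subdomains, rather than on the full URL, because a stealer's C2 path (here /api) changes more often than the domain; for the netlify.app and amazonaws.com entries the match is on the specific subdomain, so legitimate use of those platforms is not flagged.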