Insights, news, education and announcements from PolySwarm

LummaC2

Written by The Hivemind | Dec 1, 2023 5:48:51 PM

Executive Summary

A new variant of LummaC2 was observed using a unique trigonometry-based anti-sandboxing technique.

Key Takeaways

  • A new variant of LummaC2 was observed using a unique trigonometry-based anti-sandboxing technique.
  • Other new features in LummaC2 4.0 include additional anti-analysis measures and the requirement for threat actors to use a crypter for their builds. 
  • LummaC2 is also being advertised as having the ability to allow threat actors to restore expired Google cookies, enabling them to hijack Google accounts. 

What is LummaC2?

Outpost24 recently reported on a new LummaC2 (also known as Lumma stealer) variant (4.0) that uses a unique trigonometry-based anti-sandboxing technique. LummaC2, written in C, is sold on the underground and has been in the wild since late 2022.

The most recent LummaC2 variant marks an evolution of Lumma, with several new features added. Control flow flattening obfuscation has been implemented in default builds. This technique aims to break the original flow of the program to complicate analysis. It also leverages opaque predicates and dead code to make analysis more difficult. Additionally, strings are XOR encrypted. LummaC2 now supports dynamic configuration files retrieved from the C2, and threat actors must use a crypter for their builds.

The most interesting feature of the new LummaC2 variant is a trigonometry-based anti-sandbox technique used to delay the detonation of the sample unless human mouse activity is detected. The technique allows the malware to detect different positions of the cursor in a short interval in an effort to determine whether human interaction is taking place. This prevents the malware from detonating in analysis systems that do not use realistic emulation of mouse movements.

LummaC2 accomplishes this by extracting the current cursor position five times following a predefined sleep interval of 50 milliseconds and checking whether each position is different from the preceding. If the cursor positions meet the requirements, the malware treats them as Euclidean vectors and calculates the angle formed between two consecutive vectors. If calculated angles are less than 45 degrees, LummaC2 recognizes the movements as human and continues to execute.

In addition to these changes, LummaC2 is also being promoted as having the ability to allow threat actors to restore expired Google cookies, enabling them to hijack Google accounts. 

IOCs

PolySwarm has multiple samples of LummaC2.

 

B14ddf64ace0b5f0d7452be28d07355c1c6865710dbed84938e2af48ccaa46cf

de6c4c3ddb3a3ddbcbea9124f93429bf987dcd8192e0f1b4a826505429b74560

 

You can use the following CLI command to search for all LummaC2 samples in our portal:

$ polyswarm link list -f LummaC2

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.