
New Lumma C2 Variant Leverages PowerShell

Written by The Hivemind | Sep 16, 2024 6:58:00 PM

Executive Summary

A new Lumma C2 variant that leverages PowerShell was recently observed. The new variant’s attack chain masquerades as a CAPTCHA check and abuses PowerShell commands.

Key Takeaways

  • A new Lumma C2 variant that leverages PowerShell was recently observed.
  • The new variant’s attack chain begins with users being directed to a fake CAPTCHA page.
  • The page masquerades as a legitimate website and instructs visitors to copy and paste a PowerShell script into their system’s Run window.
  • Obfuscated PowerShell commands are used to download and execute payloads.

New Variant, New TTPs

A new Lumma C2 variant that leverages PowerShell was recently observed. The new variant’s attack chain masquerades as a CAPTCHA check and abuses PowerShell commands. Ontinue and Denwp Research reported on this new variant.

Lumma C2, also known as Lumma Stealer or Lumma, is a stealer malware written in C. It is sold on the underground and has been in the wild since late 2022. Lumma has evolved in capability and sophistication over the last two years. 

In late 2023, an updated variant of Lumma was discovered. The variant (4.0) marked an evolution of Lumma, with several new features added. The most interesting feature of variant 4.0 was a trigonometry-based anti-sandbox technique that delays detonation of the sample unless human mouse activity is detected. The technique samples the cursor position several times over a short interval and compares the positions to decide whether a human is moving the mouse. This prevented the malware from detonating in analysis systems that do not realistically emulate mouse movement.

A new variant of Lumma was observed in late August 2024. According to Denwp Research, the new variant’s attack chain begins with users being directed to a fake CAPTCHA page, supposedly for human verification. The page masquerades as a legitimate website and instructs visitors to copy and paste a PowerShell script into their system’s Run window.  

According to Ontinue, the attack chain uses obfuscated PowerShell commands to download and execute payloads. The technique uses LOLBins (living-off-the-land binaries), including mshta.exe and dllhost.exe, to evade detection. To establish persistence, Lumma writes to a common autostart registry location so it starts automatically with the system. Lumma uses HTTP POST requests to communicate with its command and control (C2) server, exfiltrating stolen data and receiving instructions.
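The delivery chain described in the two paragraphs above (Run-dialog PowerShell, a LOLBin launched by PowerShell, and a Run-key autostart write) leaves a recognisable pattern in endpoint telemetry. The following detection logic is an added example written for this post, not PolySwarm's, Ontinue's or Denwp's code. The event fields are modelled loosely on Sysmon process-creation and registry-set events, and every sample record, path, base64 blob and rule name is a constructed placeholder rather than observed data.

```python
import re
from dataclasses import dataclass
from typing import List

# Images that count as "PowerShell" for the rules below.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# The Run dialog belongs to explorer.exe, so a paste-into-Run chain shows up as
# explorer.exe -> powershell.exe in process telemetry.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Living-off-the-land binaries named in the report.
LOLBINS = {"mshta.exe", "dllhost.exe"}

# Command-line traits a user does not normally type into the Run box
# (matched against the lower-cased command line).
POWERSHELL_PATTERNS = [
    (r"-(?:windowstyle|win|w)\s+hidden", "hidden window"),
    (r"-(?:encodedcommand|enc|ec|e)\s+[a-z0-9+/=]{20,}", "base64-encoded command"),
    (r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", "web download"),
    (r"\b(?:iex|invoke-expression)\b", "invoke-expression"),
    (r"https?://", "URL on command line"),
]

# Autostart locations under HKLM or HKU/HKCU (Run and RunOnce).
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)


@dataclass
class Event:
    kind: str            # "process" (creation) or "registry" (value set)
    image: str           # executable that performed the action
    parent: str = ""     # parent executable (process events only)
    cmdline: str = ""    # full command line (process events only)
    target: str = ""     # registry value path (registry events only)


@dataclass
class Finding:
    rule: str
    detail: str


def check_event(ev: Event) -> List[Finding]:
    """Return zero or more findings for a single telemetry event."""
    findings: List[Finding] = []
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()

    if ev.kind == "process":
        # Rule 1: PowerShell launched from the interactive shell with traits
        # of a pasted one-liner (hidden window, encoded or downloading command).
        if img in POWERSHELL_IMAGES and parent in INTERACTIVE_PARENTS:
            hits = [label for pat, label in POWERSHELL_PATTERNS if re.search(pat, cmd)]
            if hits:
                findings.append(Finding("run-dialog-powershell",
                                        f"{parent} spawned {img} with " + ", ".join(hits)))
        # Rule 2: a LOLBin started by PowerShell, or handed a remote URL.
        if img in LOLBINS:
            from_ps = parent in POWERSHELL_IMAGES
            if from_ps or "http" in cmd:
                why = "parent is PowerShell" if from_ps else "remote URL on command line"
                findings.append(Finding("suspicious-lolbin", f"{img} started, {why}"))
    # Rule 3: any write to an autostart Run/RunOnce value.
    elif ev.kind == "registry" and RUN_KEY.search(ev.target):
        findings.append(Finding("run-key-persistence", f"{img} wrote autostart value {ev.target}"))
    return findings


def scan(events: List[Event]) -> List[Finding]:
    """Run every event through the rules and collect the findings in order."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not observed data); the base64 blob and paths are placeholders.
SAMPLE_EVENTS = [
    # 1. pasted into the Run dialog: hidden window plus encoded command
    Event("process", "powershell.exe", "explorer.exe",
          "powershell.exe -w hidden -enc YQBiAGMAZABlAGYAZwBoAGkAagBrAGwAbQBuAG8AcAA="),
    # 2. the downloaded stage is handed to mshta.exe by PowerShell
    Event("process", "mshta.exe", "powershell.exe", r"mshta.exe C:\Users\Public\stage.hta"),
    # 3. autostart entry written under the user's Run key
    Event("registry", "dllhost.exe",
          target=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # 4. benign: an analyst opens an interactive console
    Event("process", "powershell.exe", "explorer.exe", "powershell.exe"),
    # 5. benign: a scheduled script with no download or obfuscation traits
    Event("process", "powershell.exe", "svchost.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    # 6. benign: registry write outside the autostart keys
    Event("registry", "msiexec.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Running the block against the constructed events yields three findings (rules 1, 2 and 3 in that order) and nothing for the three benign records. In production the parent-process check is what keeps rule 1 quiet: plain `powershell.exe` from explorer.exe is normal analyst behaviour, while a hidden-window, encoded or downloading command line from that parent is the paste-into-Run signature this variant relies on.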

IOCs

PolySwarm has multiple samples of the new Lumma C2 variant.


2caf283566656a13bf71f8ceac3c81f58a049c92a788368323b1ba25d872372e

2468e5bb596fa4543dba2adfe8fd795073486193b77108319e073b9924709a8a


You can use the following CLI command to search for all Lumma C2 samples in our portal:

$ polyswarm link list -f LummaStealer


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.