Full Report
AhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management features such as copy and move features, advanced search using strings within files, folder synchronization, and FTP/SFTP features. The […]
Analysis Summary
# Tool/Technique: LummaC2
## Overview
LummaC2 is an actively distributed information-stealing malware, frequently disguised as illegal software like cracked programs (in this instance, masquerading as the Total Commander file manager crack). Its primary purpose is to harvest sensitive credentials from infected systems and exfiltrate them to a Command and Control (C2) server.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Information stealing (browser credentials, email credentials, cryptocurrency wallet credentials, auto-login program credentials), heavy obfuscation, multi-stage deployment.
- First Seen: Early 2023
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on the description of an information stealer delivered via social engineering.*
- **TA0001 - Initial Access**
  - T1192 - Drive-by Compromise (via malicious link distribution)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Steals account credentials stored in web browsers.
- Steals email application credentials.
- Steals cryptocurrency wallet credentials.
- Steals credentials for auto-login programs.
- Communicates stolen data back to the threat actor's C2 server.
### Advanced Features
- **Multi-stage Delivery and Obfuscation:** The initial payload is wrapped in a double-compressed structure (ZIP containing a password-protected RAR).
- **NSIS/AutoIt Layering:** The malware uses NSIS scripts initially, which then execute an obfuscated batch script (`Nv.cmd`).
- **Batch Script Deobfuscation:** The batch script employs variable substitution within command strings and adds meaningless filler strings to hinder static analysis.
- **AutoIt Execution Chain:** The batch script ultimately deploys an AutoIt executable (runner) and an encrypted AutoIt script (`.a3x`).
- **In-Memory Loading:** The final LummaC2 binary is encrypted within the `.a3x` file, decrypted at runtime, and loaded directly into memory, avoiding disk drops for the final payload whenever possible.
- **Anti-Analysis Checks:** The batch script performs process checks against security software (e.g., `opssvc`, `wrsa`, `AvastUI`, `AVGUI`, `bdservicehost`, `nsWscSvc`, `ekrn`, `SophosHealth`).
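The batch-layer obfuscation described above (variables assigned with `set`, then re-assembled through `%name:~start,len%` substring expansion, with filler variables that are never used) can be unwound statically instead of by running the script. The following Python is an added example for analysts and is not ASEC's code or the real `Nv.cmd`; the sample script is constructed to mimic that style, and the assumption is that the obfuscation relies on cmd.exe's standard variable and substring expansion rules.

```python
import re

# Matches `set name=value` and `set "name=value"`; cmd treats names case-insensitively.
SET_RE = re.compile(r'^set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.IGNORECASE)
# Matches %name%, %name:~start% and %name:~start,len% expansions.
SUB_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%')

# Constructed sample in the style of a substring-obfuscated batch script (not the real Nv.cmd).
SAMPLE_SCRIPT = r'''
@echo off
set "aB=tasklist /fi"
set "Zq=AutoIt3.exe"
set "filler=LoremIpsumFillerNoiseLoremIpsum"
set "kk=findstr /i opssvc"
%aB:~0,8% | %kk%
set "run=%Zq% script.a3x"
%run:~0%
'''


def batch_substring(value, start, length):
    """Emulate cmd.exe's %var:~start,len% semantics, including negative offsets."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)          # negative start counts back from the end
    if length is None:
        return value[start:]               # %var:~start% runs to the end
    end = n + length if length < 0 else start + length  # negative len trims from the end
    return value[start:end]


def expand(text, env, referenced=None):
    """Replace every %name...% reference in text using the variables defined so far."""
    def repl(match):
        name = match.group(1).lower()
        if referenced is not None:
            referenced.add(name)
        if name not in env:
            return match.group(0)          # keep unknown refs (e.g. %TEMP%) visible for the analyst
        start = int(match.group(2)) if match.group(2) is not None else 0
        length = int(match.group(3)) if match.group(3) is not None else None
        return batch_substring(env[name], start, length)
    # One pass is enough: like cmd, values are expanded at assignment time, so env holds plain text.
    return SUB_RE.sub(repl, text)


def deobfuscate(script):
    """Return (resolved command lines, variables defined but never referenced)."""
    env, referenced, resolved = {}, set(), []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("::", "rem ")):
            continue
        match = SET_RE.match(line)
        if match:
            name, value = match.group(1).lower(), match.group(2)
            env[name] = expand(value, env, referenced)   # assignments may reference earlier vars
            continue
        resolved.append(expand(line, env, referenced))
    unused = sorted(name for name in env if name not in referenced)  # likely filler
    return resolved, unused


if __name__ == "__main__":
    lines, filler = deobfuscate(SAMPLE_SCRIPT)
    print("\n".join(lines))
    print("unused (filler) variables:", filler)
```

Variables that are defined but never referenced are reported separately because, in this style of obfuscation, they are usually the padding mentioned in the report; everything that survives into the resolved lines is what the script actually executes.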
## Indicators of Compromise
- File Hashes:
  - `0a2d4bbb5237add913a2c6cf24c08688`
  - `0da35eeccb9746a77d6b20dfdd01e1e1`
  - `12087e91e60f195b2bc69b819978690e`
  - `1f13356efe44af196602fc3438889d16`
  - `25728e657a3386c5bed9ae133613d660`
- File Names: `installer_1.05_38.2.exe` (Initial execution), components related to AutoIt execution (`AutoIt3.exe`, `.a3x` file).
- Registry Keys: [Not specified in the context]
- Network Indicators:
  - `http://affordtempyo[.]biz/`
  - `http://hoursuhouy[.]biz/`
  - `http://impolitewearr[.]biz/`
  - `http://lightdeerysua[.]biz/`
  - `http://mixedrecipew[.]biz/`
- Behavioral Indicators: Execution chain initiated by NSIS, heavy use of `cmd.exe` for complex string manipulation and file operations, execution of obfuscated AutoIt scripts loading encrypted binaries in memory.
## Associated Threat Actors
- Threat actors distributing information stealers, often operating for financial gain, exploiting users searching for cracked software. (Specific named APT groups not mentioned).
## Detection Methods
- Signature-based detection: Focus on known hashes and C2 domains.
- Behavioral detection: Monitoring anomalies in NSIS execution that spawns cmd processes performing obfuscated string operations, checks for execution of AutoIt components, and detection of memory artifacts related to C2 beaconing/data staging.
- YARA rules: Create rules targeting the unique obfuscation patterns found in the NSIS and Batch components, or signatures related to the structure of the wrapped AutoIt payloads.
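The behavioral detections listed above can be expressed as simple rules over process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent). The Python below is an added example, not ASEC's code or a vendor rule set; the events are constructed, the field names mirror Sysmon's `Image`, `CommandLine` and `ParentImage`, and the choices of which images issue process checks and which parent locations count as user-writable are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Security-product process names the report says the batch script looks for.
SECURITY_PROCESSES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                      "nswscsvc", "ekrn", "sophoshealth"}
# Assumption: process checks are issued through one of these images.
CHECK_IMAGES = {"cmd.exe", "tasklist.exe", "findstr.exe"}
# Assumption: an installer launched from one of these folders is untrusted.
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process (Sysmon Image)
    command_line: str   # Sysmon CommandLine
    parent_image: str   # Sysmon ParentImage


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def installer_spawns_batch(ev):
    """cmd.exe running a .cmd/.bat script, launched by a binary in a user-writable folder."""
    return (basename(ev.image) == "cmd.exe"
            and re.search(r"\.(cmd|bat)\b", ev.command_line, re.IGNORECASE) is not None
            and USER_WRITABLE.search(ev.parent_image) is not None)


def security_product_check(ev):
    """A shell/tasklist/findstr command line that names a security product process."""
    if basename(ev.image) not in CHECK_IMAGES:
        return False
    tokens = set(re.findall(r"[a-z0-9]+", ev.command_line.lower()))
    return bool(tokens & SECURITY_PROCESSES)


def autoit_a3x_execution(ev):
    """Any process handed a compiled AutoIt script (.a3x) on its command line."""
    return re.search(r"\.a3x\b", ev.command_line, re.IGNORECASE) is not None


RULES = [("installer_spawns_batch", installer_spawns_batch),
         ("security_product_process_check", security_product_check),
         ("autoit_a3x_execution", autoit_a3x_execution)]


def detect(events):
    """Return (rule name, process basename) for every event that trips a rule."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                alerts.append((name, basename(ev.image)))
    return alerts


# Constructed events modelled on the chain in the report, plus one benign control.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\u\Downloads\installer_1.05_38.2.exe",
                 r'"C:\Users\u\Downloads\installer_1.05_38.2.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd /c "C:\Users\u\AppData\Local\Temp\Nv.cmd"',
                 r"C:\Users\u\Downloads\installer_1.05_38.2.exe"),
    ProcessEvent(r"C:\Windows\System32\tasklist.exe",
                 r'tasklist /fi "IMAGENAME eq wrsa.exe"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
                 r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\payload.a3x",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",          # benign: build script from an IDE
                 r'cmd /c "C:\src\project\build.bat"',
                 r"C:\Program Files\DevTools\ide.exe"),
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The three rules fire on different stages of the chain (installer to batch, batch to process check, batch to AutoIt), so correlating them on the same host within a short window gives a much stronger signal than any one of them alone; the `.a3x` rule in particular is low-noise on hosts that do not legitimately run compiled AutoIt scripts.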
## Mitigation Strategies
- **Prevention:** Educate users against searching for and downloading software cracks, serials, or keygens, as this is the primary infection vector used here (targeted social engineering).
- **Hardening:** Ensure endpoint security solutions are up-to-date and configured to alert on suspicious process chaining (e.g., NSIS -> cmd -> batch script with heavy obfuscation). Disable AutoRun features if possible.
## Related Tools/Techniques
- Other heavily obfuscated malware campaigns utilizing NSIS/AutoIt wrapping techniques for malware deployment.
- Information stealers that mimic legitimate software for social engineering purposes.