Full Report
Breakdown of key features stored in LummaC2 Stealer
Analysis Summary
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an information-stealing malware family distributed via phishing campaigns. In the campaign analyzed here, the lure impersonates Walmart Marketplace communications and instructs recipients to download a malicious archive ("Walmart Brand Portal.rar") that contains the executable payload.
## Technical Details
- Type: Malware family
- Platform: Windows (Inferred from PE analysis, Process Hacker/PE-Sieve usage, and file hashes)
- Capabilities: Information stealing, process injection, extensive obfuscation techniques (Control Flow Flattening and String Obfuscation).
- First Seen: Not explicitly mentioned, but the analysis covers contemporary techniques.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the observed behaviors (phishing, execution, memory manipulation, C2 communication).*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter (implied by initial execution)
- **TA0003 - Persistence** (not explicitly detailed, but typical for stealers)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - T1027.002 - Software Packing (implied by the need for specialized tools like PE-Sieve)
  - T1055 - Process Injection (inferred by monitoring injection into `AddInProcess32.exe`)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (implied by the C2 URL structure)
## Functionality
### Core Capabilities
- **Delivery:** Deployed via a phishing lure disguised as a Walmart seller notification containing a RAR archive.
- **Execution:** Executes the initial binary, which eventually injects the final payload into an internal process (e.g., `AddInProcess32.exe`).
- **String Deobfuscation:** Employs a dedicated function to deobfuscate internal strings, where the obfuscation method involves inserting the constant string `576xed` into the legitimate string data.
- **API Hashing:** Utilizes hashing algorithms (likely MurmurHash2, based on reference) for resolving API function names at runtime rather than storing them directly.
- **Data Exfiltration:** Steals information, including browser data, cryptocurrency wallets, and extensions data (Chrome extensions listed).
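
The marker-stripping step described above, as an added example that is not code from the original report: it scans a byte buffer for printable ASCII and UTF-16LE ("wide") runs that carry `576xed`, recovers the plaintext strings, and counts marker occurrences the way the YARA rule's `#obfuscatorString` threshold does. The sample buffer is constructed here, not taken from the analyzed binary.

```python
import re

# Constant the stealer splices into its strings, per the analysis above.
MARKER = b"576xed"
WIDE_MARKER = MARKER.decode().encode("utf-16-le")

def _obfuscate(s: str, positions: tuple) -> str:
    """Insert MARKER at the given character offsets (used only to build the sample)."""
    for pos in sorted(positions, reverse=True):
        s = s[:pos] + MARKER.decode() + s[pos:]
    return s

# Constructed sample standing in for a dumped payload section: marker-laden
# strings in ASCII and UTF-16LE form, plus filler bytes and one clean string.
SAMPLE = (
    b"\x00\x90\x90" + _obfuscate("WinHttpReceiveResponse", (3, 10)).encode() + b"\x00"
    + b"\xff" + _obfuscate("TeslaBrowser/5.5", (5,)).encode("utf-16-le") + b"\x00\x00"
    + b"\x01plain string without marker\x00"
    + _obfuscate("c2sock", (0, 6)).encode() + b"\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def recover_strings(buf: bytes) -> list:
    """Return (cleaned_text, encoding) for every printable run that carries the marker."""
    found = []
    for m in ASCII_RUN.finditer(buf):
        if MARKER in m.group():
            found.append((m.group().replace(MARKER, b"").decode("ascii"), "ascii"))
    for m in WIDE_RUN.finditer(buf):
        if WIDE_MARKER in m.group():
            found.append((m.group().replace(WIDE_MARKER, b"").decode("utf-16-le"), "wide"))
    return found

def marker_count(buf: bytes) -> int:
    """Marker occurrences in both encodings; the YARA rule's #obfuscatorString counts the same."""
    return buf.count(MARKER) + buf.count(WIDE_MARKER)

if __name__ == "__main__":
    print(f"marker occurrences: {marker_count(SAMPLE)} (the rule requires more than 10)")
    for text, enc in recover_strings(SAMPLE):
        print(f"[{enc}] {text}")
```

Run it against a PE-Sieve dump instead of `SAMPLE` to list the strings the stealer hides behind the marker.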
### Advanced Features
- **Control Flow Flattening (CFF):** Implemented in the stealer code to complicate reverse engineering efforts by disrupting the linear execution flow. Tools like SophosLabs' `emotet_unflatten_poc` were used to aid visualization.
- **Targeted Credential Theft:** Explicitly targets sensitive data from numerous browsers and wallet applications (e.g., NeoLine, Clover, Terra Station, Math, Wombat, MEW CX, Ronin Wallet, Binance Chain Wallet, Yoroi, Authy).
## Indicators of Compromise
- File Hashes (SHA-256):
  - `Walmart Brand Portal.rar`: `d69520637a73226a61c09298295145923fc60a06584528cb1f05a530479a7a36`
  - `Walmart Brand Portal.exe`: `9b9388c1b9e9417df5ca4e883ef595455932dfce24ca1dad9897d506aecdac2a`
  - Lumma binary (dumped payload): `19fefb958bd9c9280d07754ab903022a3dc9fc380a6964733a1dcc016aba8150`
- File Names:
  - `Walmart Brand Portal.rar`
  - `Walmart Brand Portal.exe`
  - Possible dropped configuration file name: `dp.txt` (from the YARA rule)
  - Possible configuration file name: `Software.txt` (from the YARA rule)
- Registry Keys: not explicitly listed.
- Network Indicators:
  - C2 URL: `82[.]117[.]255[.]80/c2sock`
  - Phishing URL: `marketplace[.]walmart[.]lc/download.php`
- Behavioral Indicators:
  - Process injection targeting processes like `AddInProcess32.exe`.
  - Use of WinHTTP functions for C2 communication (e.g., `WinHttpWriteData`, `WinHttpReceiveResponse`).
  - User-Agent string: `TeslaBrowser/5.5`
## Associated Threat Actors
The article does not name a specific threat actor group associated with this particular campaign, though Lumma Stealer is commonly used by various financially motivated threat actors.
## Detection Methods
- Signature-based detection:
  - YARA rule provided: detects strings associated with Lumma's C2/internal constants (`576xed`, `dp.txt`, `c2sock`, `Software.txt`, `TeslaBrowser`).
- Behavioral detection:
  - Monitoring for execution of files originating from unexpected archives delivered via email.
  - Monitoring for process injection activities, specifically into processes like `AddInProcess32.exe`.
  - Detecting outbound connections to the identified C2 IP address.
- YARA rules:

```yara
rule Win_LummaC2 {
    meta:
        author = "0xToxin"
        description = "LummaC2 Strings"
    strings:
        $obfuscatorString = "576xed" ascii wide
        $s1 = "dp.txt" ascii wide
        $s2 = "c2sock" ascii wide
        $s3 = "TeslaBrowser" ascii wide
        $s4 = "Software.txt" ascii wide
    condition:
        uint16(0) == 0x5a4d and all of ($s*) and #obfuscatorString > 10 and filesize < 1500KB
}
```
## Mitigation Strategies
- **Prevention:** Employee training on recognizing phishing attempts, especially those urging the disabling of security software or downloading unexpected attachments.
- **Hardening:** Implement robust email filtering to block suspicious domains and attachments like RAR files containing executables.
- **Execution Control:** Utilize application control solutions to restrict the execution of suspicious binaries or scripts in high-risk areas.
- **Analysis Assistance:** Employ tools like PE-Sieve during forensic collection to reliably dump injected payloads from memory before anti-analysis techniques fully obfuscate them.
## Related Tools/Techniques
- **PE-Sieve:** External tool used effectively in this analysis to dump injected PE files from running processes.
- **Emotet Control Flow Flattening Techniques:** Used external PoCs (SophosLabs `emotet_unflatten_poc`) to help reverse engineer the CFF obfuscation used in Lumma.
- **MurmurHash2:** Referenced as a related hashing algorithm, suggesting this might be the hashing scheme used for API resolution.
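
An added example (not code from the report or the malware) of how an analyst can label API-hash constants under the MurmurHash2 hypothesis above: it implements 32-bit MurmurHash2, hashes a constructed list of candidate API names, and resolves constants pulled from a binary back to names. Seed 0 and exact export-name casing are assumptions; a real sample may use a different seed or case-fold the names before hashing.

```python
# Assumed, not confirmed by the analysis: 32-bit MurmurHash2 with seed 0 over the
# exported API name exactly as spelled. Adjust seed/case handling if a sample differs.
def murmurhash2(data: bytes, seed: int = 0) -> int:
    """Reference 32-bit MurmurHash2 (Austin Appleby), little-endian 4-byte blocks."""
    m, r = 0x5BD1E995, 24
    h = (seed ^ len(data)) & 0xFFFFFFFF
    i = 0
    while len(data) - i >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * m) & 0xFFFFFFFF
        k ^= k >> r
        k = (k * m) & 0xFFFFFFFF
        h = (h * m) & 0xFFFFFFFF
        h ^= k
        i += 4
    tail = data[i:]                      # 0-3 trailing bytes, mixed as in the C reference
    if len(tail) == 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * m) & 0xFFFFFFFF
    h ^= h >> 13
    h = (h * m) & 0xFFFFFFFF
    h ^= h >> 15
    return h

# Constructed candidate list; in practice, extend it from the export tables of the
# DLLs the sample loads (winhttp.dll, kernel32.dll, ...).
API_NAMES = [
    "WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest", "WinHttpSendRequest",
    "WinHttpWriteData", "WinHttpReceiveResponse", "WinHttpReadData",
    "VirtualAlloc", "CreateProcessW", "WriteProcessMemory", "ResumeThread",
]

def build_hash_table(names, seed: int = 0) -> dict:
    """Precompute hash -> API name so constants found in the binary can be looked up."""
    return {murmurhash2(n.encode("ascii"), seed): n for n in names}

def resolve_hashes(constants, table: dict) -> dict:
    """Map each hash constant pulled from the binary to an API name or '<unknown>'."""
    return {c: table.get(c, "<unknown>") for c in constants}

if __name__ == "__main__":
    table = build_hash_table(API_NAMES)
    # Constants an analyst would copy out of the disassembly; the first two are the
    # hashes of names from the list, the last is a placeholder that should not resolve.
    observed = [murmurhash2(b"WinHttpWriteData"), murmurhash2(b"WinHttpReceiveResponse"), 0xDEADBEEF]
    for const, name in resolve_hashes(observed, table).items():
        print(f"{const:#010x} -> {name}")
```

If no constant resolves, the seed or the hashing algorithm differs from the assumption; rerun with other seeds or compare against the hash routine recovered from the sample.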