A closer look

As it has grown in popularity over the past year, LummaC2 has posed a major threat against organizations large and small, as the stealer exposes credentials for user identities, allowing adversaries to gain initial access to organizations using valid accounts.

LummaC2 detections in 2024

Initial access indicators of compromise (IOC) vary according to the delivery method and loader chosen by the adversary, so early detection telemetry differs from case to case. LummaC2 delivery vehicles have been presented to users in an array of creative ways, including:

• phishing emails
• drive-by downloads posing as browser updates
• fake CAPTCHAs
• masquerading as fake AI software

Popular LummaC2 loaders

• ArechClient2/SectopRAT
• Emmenhtal
• SmartLoader
• HijackLoader/IDAT Loader

Adversaries have also used LummaC2 to deliver PrivateLoader, Amadey, and NetSupport Manager.

Paste and run in action

We described LummaC2’s paste-and-run tactic in our November 2024 Intelligence Insights.

In December 2024 we saw a LummaC2 threat that began with the victim interacting with a fake CAPTCHA-style paste-and-run lure hosted at solve.gevaq[.]com. Successful paste-and-run execution resulted in mshta.exe reaching out to deduhko2.klipzyroloo[.]shop to retrieve an encoded PowerShell script. That script in turn pulled down and executed additional remote resources from deduhko[.]klipzyroloo[.]shop with the command:

The downloaded content at Grpc.eml was about 18 MB in size, which can indicate a large amount of embedded content, such as one or more embedded executable files. This type of LummaC2 configuration appears to be using Grpc.eml as the process injection source, targeting powershell.exe with no command-line interface (CLI) to leverage its memory space for the next phases of LummaC2 execution.

The above LummaC2 execution is very different from one we observed in November 2024 and previously shared, illustrating the variety of observable behaviors and artifacts that can be seen in different LummaC2 configurations.

The crypter connection

Behavioral detection of LummaC2 can vary quite a bit since it requires distributors to use crypters. Multiple detection analytics could catch LummaC2 simply because an adversary configured the crypter in a particular way. Crypters that we’ve observed paired with LummaC2 include PureCrypter and CypherIT.

Depending on the delivery method and adversary configurations, LummaC2 may be injected into a hollowed process—we’ve observed OpenWith.exe and more.com, among others—or leverage DLL side-loading for execution. The stealer activity occurs within memory with direct exfiltration to C2, however in some cases collected data may be staged in text files like System.txt prior to ZIP archiving for theft. This means that looking for C2 activity or suspicious TXT file creation may also help detect LummaC2. It does not maintain persistence on its own, however accompanying loaders or follow-on payloads may create and maintain persistence.

Emerging tradecraft

LummaC2 relies on HTTPS for exfiltration of data to adversary systems. In late 2023 to early 2024, the developers of the stealer migrated its exfiltration capabilities to use HTTPS over plaintext HTTP in an effort to to evade network-based detection controls. Along with using HTTPS for encrypted communications, LummaC2 developers also leverage Cloudflare services to make their exfiltration systems resilient and highly available.

As the stealer became more mature in 2024, LummaC2 incorporated more features to remain on the bleeding edge of the stealer market. To ensure data exfiltration even when interrupted, the LummaC2 developers included functionality to send information in piecemeal rather than doing the “collect, stage, send” technique. In addition, when Google implemented application bound encryption (ABE) in Chromium browsers, LummaC2 was rapid to adopt new techniques to obtain browser cookies and bypass ABE.

Prevention

Since LummaC2 has been distributed in so many different ways, preventative measures can take many approaches. We’ve observed LummaC2 distributed in malicious advertisements, fake software installations, paste-and-run campaigns, and more. We’ve also observed it delivered in script form, via DLL sideloads.

General preventative measures that apply to multiple malware families also help fight against LummaC2:

• Provide safe software installation sources for users
• Configure ad-blocking tools where possible
• Deploy endpoint security controls for detection and protection

Response

For response, an excellent playbook would look something like this:

1. Delete all components delivering LummaC2 from disk, removing persistence
2. Determine what account details are stored in the software on an affected system, including:
   • browsers
   • file transfer software like FileZilla and WinSCP
   • Telegram messaging
   • steam gaming
   • cryptocurrency wallets
   • VPN profiles
   • cloud credentials in CLI tool configuration
   • sensitive files stored in the user’s Desktop and Documents folders
3. Once you determine the scope of data theft, take steps to reset any credentials stored on the system. This may also involve manually revoking sessions to prevent cookie reuse.
4. Finally, if financial details such as payment cards or cryptocurrency wallets are stored on the affected system, users may need to monitor the relevant accounts for unauthorized transactions.

Detection opportunity: PowerShell using invoke-expression to download content

This pseudo-detection analytic identifies instances of PowerShell using invoke-expression to download content from an HTTP URL. Adversaries attempting to deliver threats like LummaC2 use this function to download remotely hosted scripts and code for further exploitation of an endpoint. Note that legitimate package management and orchestration utilities like Chocolatey may use this function to update themselves.

Note: * is a placeholder for strings associated with legitimate use of this function in your environment