Lummac2

Malware updated 2 days ago (2024-11-21T16:30:59.725Z)

Download STIX

Preview STIX

LummaC2 is a malicious software (malware) that was initially identified in Russian-speaking forums in 2022. The malware, written in C and distributed as Malware-as-a-Service (MaaS), has been actively developed over time, with researchers noting that LummaC2 4.0 operates as a dynamic malware strain. It's designed to steal information from infected systems and is known for its obfuscated PowerShell tactics. Techniques such as shellcode encryption, code obfuscation, and embedding LummaC2 and Rhadamanthys information stealers into legitimate binaries are used to evade antivirus detection and sandbox analysis. In 2023, the use of LummaC2 expanded alongside several other malware families including Nokoyawa and BlackBasta ransomware, Minodo, Diceloader, Aresloader, and Canyon. These malwares were obtained or purchased from FIN7 developers. LummaC2 has also appeared in new malware strains used for initial access or information stealing, such as SVCReady, CargoBay, Matanbuchus, Pikabot, Aresloader, Vidar, and Minodo. This shows a significant broadening of its application across different cyber threat landscapes. The initial attack vector of LummaC2 involves obfuscated PowerShell commands that download and execute payloads, often leveraging Microsoft’s legitimate Living-off-the-Land binaries (LOLbins) like Mshta.exe and Dllhost.exe for malicious purposes. LummaC2's techniques align with various MITRE ATT&CK frameworks, such as Process Injection (T1055) and Persistence via Registry Modification (T1547.001). The continuous development and adaptation of LummaC2 highlight the evolving nature of cyber threats and underscore the need for robust, up-to-date cybersecurity measures.

Description last updated: 2024-11-21T16:05:49.729Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Lummac2 Stealer is a possible alias for Lummac2. LummaC2 Stealer is a type of malware that has gained significant attention due to its capacity to steal sensitive information, including digital wallets and user credentials. It can even target two-factor authentication (2FA) browser extensions, making it particularly threatening. Over the past year	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Infostealer

Payload

Credentials

Ransomware

Sandbox

Infostealers

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Redline Malware is associated with Lummac2. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor	Unspecified	3
The Vidar Malware is associated with Lummac2. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw	Unspecified	3
The Raccoon Malware is associated with Lummac2. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $	Unspecified	2

Source Document References

Information about the Lummac2 Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	2 days ago	Lumma Stealer Proliferation Fueled by Telegram Activity
Malwarebytes	12 days ago	Hello again, FakeBat: popular loader returns after months-long hiatus \| Malwarebytes
DARKReading	23 days ago	Facebook Businesses Targeted in Infostealer Phishing Campaign
InfoSecurity-magazine	3 months ago	Would-Be OnlyFans Hackers Targeted With Infostealer
InfoSecurity-magazine	3 months ago	LummaC2 Infostealer Resurfaces With Obfuscated PowerShell Tactics
InfoSecurity-magazine	7 months ago	Famous YouTube Channels Hacked to Distribute Infostealers
CERT-EU	8 months ago	CVE-2024-21412 Used in DarkGate Malware Campaigns
CERT-EU	9 months ago	ChatGPT credentials snagged by infostealers on 225K infected devices
CERT-EU	9 months ago	Alert: Info Stealers Target Stored Browser Credentials
BankInfoSecurity	9 months ago	Alert: Info Stealers Target Stored Browser Credentials
CERT-EU	9 months ago	IBM X-Force Threat Intelligence Index 2024
CERT-EU	9 months ago	Ransomware crews lean into infostealers for initial access
CERT-EU	a year ago	Activity of Rugmi malware loader spikes
CERT-EU	a year ago	Xenomorph Android Banking Trojan Makes Landfall in US
DARKReading	a year ago	Malware Uses Trigonometry to Track Mouse Strokes
CERT-EU	a year ago	LummaC2 v4.0 Malware Stealing Data with Trigonometry to Detect Human Users
CERT-EU	a year ago	LummaC2 4.0 infostealer uses trigonometry to avoid sandboxes
CERT-EU	a year ago	Malware Uses Trigonometry to Track Mouse Strokes
CERT-EU	a year ago	Lumma Stealer malware now uses trigonometry to evade detection
InfoSecurity-magazine	a year ago	Infostealer Lumma Evolves With New Anti-Sandbox Method