Lummac2

Malware updated 2 days ago (2024-09-05T14:17:58.823Z)
LummaC2 is an actively evolving malware strain, first identified on Russian-speaking forums in 2022. It is written in C and distributed as Malware-as-a-Service (MaaS). The malware has been actively abusing PowerShell commands to infiltrate systems and exfiltrate sensitive data. In 2023, LummaC2's use expanded alongside several other malware families, including the Nokoyawa and BlackBasta ransomware, Minodo, Diceloader, Canyon, Aresloader, and Vidar, among others. This expansion was facilitated by actors obtaining or purchasing malware from FIN7 developers and other sources.

Researchers have observed that LummaC2 4.0 remains under active development, with ongoing updates to its features, including enhancements to its obfuscation techniques and its control panel. It uses techniques such as Process Injection and persistence via registry modification, both of which map to MITRE ATT&CK techniques. It also leverages Microsoft's legitimate Living-off-the-Land binaries (LOLbins), such as Mshta.exe and Dllhost.exe, for malicious purposes. If the malware does not detect human-like behavior during execution, it restarts its process from the beginning, which makes it highly persistent and hard to detect.

Beyond its original deployment, LummaC2 has been observed among newer malware strains used for initial access or information stealing, including SVCReady, CargoBay, Matanbuchus, Pikabot, Aresloader, Vidar, and Minodo. Two notable instances involved files named "phoneoutsourcing.exe", associated with the RisePro stealer, and "647887023.png", which led to an infection with the LummaC2 stealer. Threat actors are distributing two different infostealers, Vidar and LummaC2, which points to a growing trend in LummaC2's usage and evolution.
Description last updated: 2024-09-05T13:18:23.696Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Lummac2 Stealer | 2 | LummaC2 Stealer is a prominent malware that has been increasingly utilized for initial access or information stealing over the past year. This malicious software, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or devices by
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Infostealer
Sandbox
Infostealers
Credentials
Payload
Ransomware
Associated Malware
ID | Type | Votes | Profile Description
Vidar | Unspecified | 3 | Vidar is a type of malware specifically designed to infiltrate and exploit Windows-based systems. It's written in C++ and is based on the Arkei stealer, which means it has the capability to steal personal information from infected devices. Vidar has been found impersonating legitimate software appli
Raccoon | Unspecified | 2 | Raccoon is a type of malware, specifically an infostealer, used predominantly by the Scattered Spider threat actors to obtain login credentials, browser cookies, and histories. This malicious software, which is sold as Malware-as-a-Service (MaaS) on dark web forums, is both effective and inexpensive
Redline | Unspecified | 2 | RedLine is a notorious malware that has been widely used by cybercriminals to steal sensitive information. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal data or disrupting operations. RedLine's conf
Source Document References
Information about the LummaC2 malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
InfoSecurity-magazine | 3 days ago | Would-Be OnlyFans Hackers Targeted With Infostealer
InfoSecurity-magazine | 10 days ago | LummaC2 Infostealer Resurfaces With Obfuscated PowerShell Tactics
InfoSecurity-magazine | 5 months ago | Famous YouTube Channels Hacked to Distribute Infostealers
CERT-EU | 6 months ago | CVE-2024-21412 Used in DarkGate Malware Campaigns
CERT-EU | 6 months ago | ChatGPT credentials snagged by infostealers on 225K infected devices
CERT-EU | 6 months ago | Alert: Info Stealers Target Stored Browser Credentials
BankInfoSecurity | 6 months ago | Alert: Info Stealers Target Stored Browser Credentials
CERT-EU | 6 months ago | IBM X-Force Threat Intelligence Index 2024
CERT-EU | 6 months ago | Ransomware crews lean into infostealers for initial access
CERT-EU | 8 months ago | Activity of Rugmi malware loader spikes
CERT-EU | a year ago | Xenomorph Android Banking Trojan Makes Landfall in US
DARKReading | 9 months ago | Malware Uses Trigonometry to Track Mouse Strokes
CERT-EU | 10 months ago | LummaC2 v4.0 Malware Stealing Data with Trigonometry to Detect Human Users
CERT-EU | 10 months ago | LummaC2 4.0 infostealer uses trigonometry to avoid sandboxes
CERT-EU | 10 months ago | Malware Uses Trigonometry to Track Mouse Strokes
CERT-EU | 10 months ago | Lumma Stealer malware now uses trigonometry to evade detection
InfoSecurity-magazine | 10 months ago | Infostealer Lumma Evolves With New Anti-Sandbox Method
CERT-EU | 10 months ago | LummaC2 Malware Deploys New Trigonometry-Based Anti-Sandbox Technique
CERT-EU | 10 months ago | Microsoft: Octo Tempest is one of the most dangerous financial hacking groups
CERT-EU | a year ago | Data Thieves Test-Drive Unique Certificate Abuse Tactic