Figure 12 – Stealer Targeting Crypto Wallet And 2FA Extensions The figure below shows the wallets and 2FA extensions that the stealer targets. The stealer now searches for more information associated with the browser, such as crypto wallet and two-factor authentication (2FA) extensions that may have been installed. Figure 11 – Stealer Checking for the Browsers in System The figure below shows the code to check the browsers. Figure 10 – Initial C&C Communication of the StealerĪfter sending the stolen information, the stealer checks for the following browsers installed on the system: Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, and Mozilla Firefox and steals sensitive information from the browsers. Figure 9 – The Stealer Targeting WalletsĪfter collecting the victim’s wallet and system details, the stealer sends this information to its C&C server, as shown below. The below figure shows the code snippet of stealers targeting crypto wallets. The stealer also targets crypto wallets such as Binance, Electrum, and Ethereum and collects sensitive information from the victim’s machine. These grabbed files are stored in the memory under the name “ Important Files/Profile” for exfiltration. The stealer now enumerates the %userProfile% directory and grabs. Figure 8 – System Information Extracted by the Stealer The below figure shows the code snippet of malware for collecting system information. The malware stores this information in the memory under the name system.txt. It starts extracting multiple pieces of information from the system, including LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory. Figure 7 – Assembly Code to Replace the edx765 StringĪfter getting the required strings, the malware resolves the APIs. The figure below shows the routine for string manipulation. Upon execution, the stealer passes the obfuscated string to a function that strips the random string and delivers the original string. The stealer has many Obfuscated strings that are being covered by a random string, “edx765”, to evade detection. Figure 6 – File Details of LummaC2 Stealer The figure below shows the additional file details of the LummaC2 stealer executable. The figure below shows the login page of the LummaC2 Stealer’s Command and Control (C&C) server. The figure below illustrates the IP addresses of these servers, one located in Bulgaria and the other in Germany. The researchers at CRIL found two active Command and Control servers connected to the LummaC2 Stealer. Figure 3 – Telegram Post by the Threat Actors In addition, Threat Actors (TAs) behind the LummaC2 Stealer have created two Telegram channels in Russian: one for sharing information about the stealer and one for reporting bugs in the malware. Figure 2 – LummaC2 Stealer Sellers Website The image below shows the website where the stealer is available for sale. The website also offers various purchasing options for potential Threat Actors(TAs), with prices ranging from $250 to $20000 depending on the plan. The post also mentioned the link to LummaC2 Stealer’s seller website, which is written in Russian. Figure 1 – Dark Web Post for LummaC2 Stealer The figure below shows the dark web post by the Threat Actors. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine. New Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsersĭuring a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers.
0 Comments
Leave a Reply. |