LummaC2 Infostealer Resurfaces With Obfuscated PowerShell Tactics

LummaC2, an infostealer malware actively exploiting PowerShell commands, has resurfaced to infiltrate and exfiltrate sensitive data. 

Discovered by cybersecurity researchers at Ontinue, the malware’s latest variant demonstrates sophisticated tactics that pose significant risks to targeted systems.

LummaC2, initially identified in Russian-speaking forums in 2022, is a tool written in C and distributed as Malware-as-a-Service (MaaS). It is designed to steal sensitive information from infected endpoints, including credentials and personal data. 

The new report, published today, details how LummaC2’s initial attack vector involves obfuscated PowerShell commands that download and execute payloads, often using Microsoft’s legitimate LOLbins (Living-off-the-Land binaries) such as Mshta.exe and Dllhost.exe for malicious purposes.

New LummaC2 Variant: Key Findings

  • Stages of infection: The malware operates in multiple stages, starting with an encoded PowerShell command that downloads additional malicious scripts and files. These scripts are then decrypted and executed on the target device, often masquerading as legitimate files to evade detection

  • Use of LOLbins: LummaC2 leverages Mshta.exe to run HTML application files for its initial payload execution. This allows the malware to remain stealthy by utilizing trusted Windows binaries

  • Persistence techniques: The malware achieves persistence by writing to common registry locations that ensure it starts automatically with the system, allowing continuous access to compromised devices

  • Command-and-control (C2): The malware communicates with its C2 server via POST requests, exfiltrating stolen data and receiving instructions. The process “dllhost.exe” is exploited for this communication, allowing attackers to manipulate the compromised system remotely

Read more on LummaC2-enabled attacks: Famous YouTube Channels Hacked to Distribute Infostealers

The implications of these findings are concerning. As Ontinue analysis shows, LummaC2’s techniques align with various MITRE ATT&CK frameworks, such as Process Injection (T1055) and Persistence via Registry Modification (T1547.001). 

The firm emphasized the need for enhanced endpoint monitoring and implementation of security measures like attack surface reduction (ASR) rules to counteract these sophisticated threats.

Organizations are also advised to deploy endpoint detection and response (EDR) solutions and monitor unusual behavior, particularly those involving trusted processes like dllhost.exe.