Highlights:

  • LummaC2 v4.0 stands out due to its unique anti-sandbox mechanism.
  • LummaC2 v4.0 utilizes trigonometry to differentiate human from artificial mouse movements, posing a challenge for cybersecurity researchers in analyzing and countering these threats.

A recent cybersecurity report from Outpost24 AB cautions about an updated variant of a well-known malware-as-a-service product. This version employs a novel anti-sandbox technique based on human behavior detection using trigonometry.

LummaC2 v4.0, an upgraded version of the well-known LummaC2 information stealer, has emerged. This type of malware is designed to secretly extract confidential data from infected devices, such as login credentials, financial information, and personal identifiers. The latest rendition of this malware signifies a significant enhancement in its capabilities.

While information stealers are nothing novel, its unique anti-sandbox feature sets LummaC2 v4.0 apart. This updated version postpones the activation of the malware until it identifies authentic human mouse activity, effectively thwarting analysis systems that struggle to replicate realistic mouse movements. Leveraging trigonometry, LummaC2 v4.0 can distinguish between genuine human and simulated mouse movements, impeding the endeavors of cybersecurity researchers to analyze and address such threats.

Apart from its anti-detection strategy, LummaC2 v4.0 adds multiple other features that improve its efficacy and evasiveness. Control Flow Flattening Obfuscation is at the top of the list, a default setting in the malware that interferes with the program’s normal flow and makes it harder for cybersecurity experts to analyze. The obfuscation method is essential for hiding the real purpose of the malware and making it more difficult to decipher its code.

With LummaC2 v4.0, the method for securing sensitive strings inside the code has been improved. In order to keep its strings hidden and safe from simple analysis techniques, the malware has shifted from making simple changes to employing XOR encryption. It is a symmetric encryption technique that employs the XOR (exclusive or) logical operation to blend plaintext with a key. This makes it a simple yet efficient approach to achieve data obfuscation.

In the latest version, another significant upgrade is the introduction of dynamic configuration files. These files, vital for the malware’s functioning, are retrieved from the command and control center. To enhance security, they undergo Base64 encoding and are then subjected to XORed, introducing a layer of intricacy to the decryption process.

The compulsory utilization of crypters for constructing malware is being strictly mandated. This necessity guarantees that every occurrence of the malware undergoes unique obfuscation, consequently lowering the chances of detection by conventional antivirus and malware detection tools.

The report concludes, “Information Stealers such as LummaC2 v4.0 pose significant risks and have the potential to inflict substantial harm on both individuals and organizations, including privacy breaches and the unauthorized exposure of confidential data. The ongoing usage of this malware in real-world scenarios indicates that it will likely continue to evolve, incorporating more advanced features and security measures in the future.”