New Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsers
During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.
The figure below shows the dark web post by the Threat Actors.
The post also mentioned the link to LummaC2 Stealer’s seller website, which is written in Russian. The website also offers various purchasing options for potential Threat Actors(TAs), with prices ranging from $250 to $20000 depending on the plan.
The image below shows the website where the stealer is available for sale.
In addition, Threat Actors (TAs) behind the LummaC2 Stealer have created two Telegram channels in Russian: one for sharing information about the stealer and one for reporting bugs in the malware.
The researchers at CRIL found two active Command and Control servers connected to the LummaC2 Stealer.
The figure below illustrates the IP addresses of these servers, one located in Bulgaria and the other in Germany.
The figure below shows the login page of the LummaC2 Stealer’s Command and Control (C&C) server.
The LummaC2 Stealer is a 32-bit GUI type executable with sha256 d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264.
The figure below shows the additional file details of the LummaC2 stealer executable.
The stealer has many Obfuscated strings that are being covered by a random string, “edx765”, to evade detection. Upon execution, the stealer passes the obfuscated string to a function that strips the random string and delivers the original string.
The figure below shows the routine for string manipulation.
Collects System Information:
After getting the required strings, the malware resolves the APIs. It starts extracting multiple pieces of information from the system, including LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory. The malware stores this information in the memory under the name system.txt.
The below figure shows the code snippet of malware for collecting system information.
The stealer now enumerates the %userProfile% directory and grabs .txt files from the Victims machine. These grabbed files are stored in the memory under the name “Important Files/Profile” for exfiltration.
The stealer also targets crypto wallets such as Binance, Electrum, and Ethereum and collects sensitive information from the victim’s machine. The below figure shows the code snippet of stealers targeting crypto wallets.
After collecting the victim’s wallet and system details, the stealer sends this information to its C&C server, as shown below.
After sending the stolen information, the stealer checks for the following browsers installed on the system: Chrome, Chromium, Edge, Kometa, Vivaldi, Brave, Opera Stable, Opera GX Stable, Opera Neon, and Mozilla Firefox and steals sensitive information from the browsers.
The figure below shows the code to check the browsers.
Crypto Wallets and 2FA Extensions:
The stealer now searches for more information associated with the browser, such as crypto wallet and two-factor authentication (2FA) extensions that may have been installed.
The figure below shows the wallets and 2FA extensions that the stealer targets.
In addition, the stealer can also steal browser history, login information, network cookies, and more from the system, as shown below.
Command & Control Communication
Finally, the stealer encrypts the data obtained from the infected system and sends it to the C&C server, as shown below.
The figure below depicts the C&C communication of the stealer.
LummaC2 behaves in a manner comparable to other stealer-type malware, which can take away both system and sensitive data from the victim’s machine. These dangerous programs usually have the capacity to take information from web browsers and target Crypto wallets and 2FA extensions.
The additional information stored on web browsers, such as login credentials, PII, and financial information, can be further leveraged to conduct fraud activities as well.
Threat actors can use the stolen data to steal cryptocurrencies from the victim’s accounts, or alternatively, they can sell this data to other threat actors for financial gain.
CRIL continuously monitors emerging threats and will continue to keep readers informed.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Malware Attacks
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
Users Should Take the Following Steps After the Malware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Malware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Monetary loss.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Deobfuscate/Decode Files or Information|
|System Information Discovery |
File and Directory Discovery
|Automated Collection |
Data from the Local System
|Command and Control||T1071||Application Layer Protocol|
Indicators of Compromise (IoCs)