Lumma Stealer malware now uses trigonometry to evade detection

Lumma Stealer, also known as LummaC2, is a subscription-based malware-as-a-service leased to cybercriminals for prices ranging from $250 to $1,000. The malware extracts sensitive data from web browsers and applications running on Windows 7 through 11. The stolen information includes passwords, cookies, credit card details, and data from cryptocurrency wallets.

This family of malware became available for purchase on illicit online forums for the first time in December 2022. Within a few months, KELA, a threat intelligence firm, reported its swift rise in popularity within the clandestine realms of the hacking community.

Malware devs turn to trigonometry

The latest Outpost24 report, analyzing Lumma Stealer version 4.0, identifies several notable changes that improve the malware’s ability to avoid detection and to impede automated analysis of its samples.

These evasion methods encompass advanced techniques such as control flow flattening obfuscation, human-mouse activity recognition, XOR encrypted strings, dynamic configuration file support, and mandatory encryption usage across all builds.

Among these methods, the most intriguing is the utilization of trigonometry to discern human-like behavior, effectively distinguishing between a genuine host system and a simulated virtual environment.

Specifically, the malware tracks the movement of the mouse cursor using the ‘GetCursor()’ function, capturing five distinct positions at 50-millisecond intervals in order to check for human-like interaction with the system.

Employing trigonometry, Lumma treats these positions as Euclidean vectors and computes both the angles between the consecutive movement vectors and their magnitudes.

When the calculated vector angles fall below 45 degrees, Lumma perceives the actions as genuine, permitting the execution to proceed uninterrupted.

However, if the angles measure 45 degrees or higher, the malware temporarily suspends its malicious operations. Instead, it keeps monitoring mouse activity until it observes movement that resembles human interaction. The 45-degree threshold is a hard-coded choice in Lumma’s anti-sandbox logic, likely derived from empirical observation of how automated analysis tools move the cursor.
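As an added example (not code from the Lumma sample or from the Outpost24 report), the following Python reimplements the angle test as described above, so that a sandbox engineer can check whether a synthetic cursor trajectory would pass it and let the sample detonate for analysis. The three trajectories are constructed, the 50-millisecond timing is not simulated, and treating a stationary cursor as non-human is an assumption.

```python
import math

# Angle threshold reported for Lumma 4.0: every angle between consecutive
# movement vectors must be below 45 degrees for the movement to count as human.
ANGLE_THRESHOLD_DEG = 45.0

# Constructed sample trajectories: five (x, y) cursor positions, notionally
# sampled 50 ms apart.
HUMAN_LIKE = [(100, 100), (120, 108), (141, 118), (163, 130), (186, 144)]  # gentle curve
SANDBOX_LIKE = [(100, 100), (200, 100), (200, 200), (100, 200), (100, 100)]  # 90-degree turns
STATIONARY = [(300, 300)] * 5  # cursor never moves


def movement_vectors(points):
    """Turn consecutive cursor positions into displacement vectors."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]


def angle_between(v1, v2):
    """Angle in degrees between two vectors via the dot product; None if either is zero."""
    m1 = math.hypot(v1[0], v1[1])
    m2 = math.hypot(v2[0], v2[1])
    if m1 == 0 or m2 == 0:
        return None  # no displacement, so no direction to compare
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (m1 * m2)
    cos_theta = max(-1.0, min(1.0, cos_theta))  # clamp floating-point rounding
    return math.degrees(math.acos(cos_theta))


def looks_human(points, threshold=ANGLE_THRESHOLD_DEG):
    """True when all angles between consecutive movement vectors are below the threshold.

    A stationary cursor (zero-length vector) is treated as non-human here; this is
    an assumption, not something the report states.
    """
    vectors = movement_vectors(points)
    angles = [angle_between(a, b) for a, b in zip(vectors, vectors[1:])]
    if any(a is None for a in angles):
        return False
    return all(a < threshold for a in angles)


if __name__ == "__main__":
    for name, traj in (("human-like", HUMAN_LIKE), ("sandbox-like", SANDBOX_LIKE), ("stationary", STATIONARY)):
        print(f"{name}: passes check = {looks_human(traj)}")
```

A sandbox whose cursor emulation jumps between distant points or stays still would fail this check, so validating synthetic movement against it helps ensure the sample proceeds far enough to be observed.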

Another notable Lumma update involves a mandatory requirement for a crypter to safeguard the malware executable, preventing its exposure to non-paying hackers and security analysts.

Lumma now automatically verifies a specific value at a designated offset in the executable file to ascertain if it’s encrypted. If not, it issues a warning. Additionally, as a final defense against scrutiny, Lumma 4.0 introduces complexities within its code, including opaque predicates complicating program logic and injected blocks of dormant code within functional segments, intentionally causing confusion and errors during analysis.

The latest iteration of Lumma Stealer emphasizes evasion techniques, introducing intricate layers of defense to impede any attempts at analysis and comprehension of its inner workings.

Source – https://www.bleepingcomputer.com/
