In this post, we’ll take a deep dive into a new Anti-Sandbox technique that LummaC2 v4.0 stealer is using to avoid detonation if no human mouse activity is detected. To be able to reproduce the analysis, we will also assess the packer and LummaC2 v4.0 new Control Flow Flattening obfuscation (present in all samples by default) to effectively analyze the malware. Analysis of the packer is also relevant, as the threat actor selling LummaC2 v4.0 strongly discourages spreading the malware in its unaltered form.

LummaC2 v4.0 updates

LummaC2 is an information stealer written in C language sold in underground forums since December 2022. You can find an in-depth analysis of the malware assessing LummaC2’s primary workflow, its different obfuscation techniques, and how to overcome them to effectively analyze the malware with ease. The malware has since gone through different updates and is currently on version 4.0.

Some of these significant updates include:

• Control Flow Flattening obfuscation implemented in default builds (even without using a packer).

• New Anti-Sandbox technique to delay detonation of the sample until human mouse activity is detected.

• Strings are now XOR encrypted instead of simply modified by adding junk strings in the middle.

• Supports dynamic configuration files retrieved from the C2. The configuration is Base64 encoded and XORed with the first 32 bytes of the configuration file.

• Enforces threat actors to use a crypter for their builds.

Some of these functionalities have been covered in recent publications.

Packer

The malware that is going to be analyzed during these lines comes from the sample b14ddf64ace0b5f0d7452be28d07355c1c6865710dbed84938e2af48ccaa46cf. The initial component within the sample is the Packer, which serves as the outer layer of LummaC2 v4.0. Its primary function is to obfuscate the malicious payload and facilitate its execution during runtime without the need for spawning additional processes in the system (using CreateThread instead). The packer’s architecture consists of two distinct layers.

We will now delve into the steps the malware takes to execute the payload through these layers, as well as the various techniques it employs to hinder and slow down the analysis process.

Layer 1

The first layer uses a lot of assembly junk instructions, they differ between packed samples but do not execute any relevant action. Then it will use obfuscation techniques like push+ret and jz+jnz to break disassembly and complicate the analysis, as it can be seen in the following figure:

The malware then executes a lot of junk instructions that do not alter the functionality of the program and proceeds to enter in a big and useless loop; which could be considered as an “anti-emulation” technique. It also checks that the value calculated at the end of the loop is the one expected to ensure the loop is actually performed. It then continues by creating a Mutex to ensure no more copies of the malware run at the same time in the infected machine. The Mutex name varies between samples.

After this initial logic, the packer starts by decrypting a 15 characters API from kernel32.dll. The string is encrypted and built in the stack byte per byte. The API being resolved is “VirtualProtect” used to give PAGE_EXECUTE_READWRITE protections to a fixed address that will contain the second layer.

After VirtualProtect is successfully executed, it proceeds to decrypt the second stage with fixed hardcoded size of 6556 bytes. Once the layer has been decrypted, execution is transferred via call instruction with the fixed address of the second layer. The following picture shows the decryption algorithm for the next layer:

Layer 2

This layer is very similar to the first one as it uses the same obfuscation techniques to break disassembly and slow down analysis. However, this second stage will eventually extract, decrypt and execute LummaC2 v4.0. This is accomplished by loading a resource using LoadResource and LockResource. The Resource Name is hardcoded as “3” and contains the final stage (encrypted).

The resource is decrypted using a very similar algorithm from the first layer, constants change but the algorithm remains the same.

Once the resource has been decrypted, the packer will check if this resource is a PE file, (it checks if “PE” magic is present at offset 0x3C from the base address of the decrypted resource). If the check fails, the program finishes abruptly. This shows how the packer is only expecting a PE in its resources.

A copy of the decrypted resource is then made into an allocated buffer. At this point, we can safely dump the unpacked memory just after it has been written decrypted in the allocated buffer (and before relocations are made). We will have now the unpacked LummaC2 v4.0 stealer, which we can dump for further analysis.

The packer finally loads this new PE in its process virtual address space by copying the payload and applying relocations. Finally, it will execute its Original EntryPoint via CreateThread using NTHeaders->OptionalHeader.AddressOfEntryPoint as the ThreadRoutine parameter.

This will transfer execution to the unpacked LummaC2 v4.0. The following figure shows the main routine of the malware:

Control Flow Flattening

Control Flow Flattening is an obfuscation technique aimed at breaking the original flow of the program and complicating its analysis. Furthermore, it makes use of opaque predicates and dead code to complicate analysis and make identification of relevant blocks more difficult.

Opaque predicates are employed to introduce intricacy into the primary program logic. Typically, this is achieved by creating additional branches within the control flow, often through the utilization of conditional jumps. Even though these conditional jumps are present, the overall behavior of the program remains deterministic.

Dead code refers to parts of the malicious code that are inactive or unreachable during the execution of the malware. Dead code may include obsolete functions, unused variables, or entire blocks of instructions that do not contribute to the malware’s intended functionality. In LummaC2 v4.0 some dead code blocks can be recognized by the use of calls to other identified routines of the analyzed malware with invalid parameters, for instance.

The following picture represents the control flow of a program before and after Control Flow Flattening has been applied. As can be seen, this obfuscation technique is used to break the flow of a program by flattening it.

This detailed depiction of Qarkslab provides a more in-depth exploration of the distinct elements within a control flow graph that has been subjected to Control Flow Flattening obfuscation.

When dealing with this form of obfuscation, the initial step involves identifying the main dispatcher, the relevant blocks, and the predispatcher.

The main dispatcher represents the program block where execution always returns after completing one of its branches.

The relevant blocks encompass those blocks integral to the functional program, as evident in the initial representation, such as Block 1 and Block 2, etc.

The predispatcher holds the responsibility of altering the parameter’s value, which the main dispatcher evaluates to determine the redirection of the execution flow toward a specific branch.

We will now delve into the initial routine executed by the unpacked LummaC2 v4.0, which incorporates an anti-sandboxing technique that we will examine in more detail shortly.

Control structure on stack

Trying to identify relevant blocks is not easy when CFF has been applied. We are going to analyze how this routine manages its control flow in order to make analysis easier. LummaC2 v4.0 will mostly store the value needed for the control flow dispatchers (sometimes more than one value is used to redirect the flow of the program) either in a local variable or at an offset to a memory location pointed to by a register.

The following picture shows the first instructions executed in the routine, (which is the responsible for executing anti-sandbox protection), the “prologue”. As can be seen, an extra stack space of 0xD8 bytes is reserved and assigned to ESI register. This register will be used throughout the entire routine accessing at offsets relative to it.

To ease analysis, we can create a Structure that will hold a maximum of the extra stack space allocated and fill its values while we are reverse engineering the sample.

Relevant blocks

Unit42 researchers published an IDA Python script to help reverse engineering complex code. The following code is a slightly modified version of the one presented so that it runs in IDA Python 7.4+ and allows to execute in a running debugging session providing an end_address.

def init_heads(start_addr=None, end_addr=None): 
    if not start_addr or not end_addr: 
        start_addr = idc.get_segm_start(idc.get_screen_ea()) 
        end_addr = idc.get_segm_end(idc.get_screen_ea()) 
 
    heads = Heads(start_addr, end_addr) 
  
    for i in heads: 
        idc.set_color(i, CIC_ITEM, 0xFFFFFF) 
  
  
def get_new_color(current_color): 
    colors = [0xffe699, 0xffcc33, 0xe6ac00, 0xb38600] 
    if current_color == 0xFFFFFF: 
        return colors[0] 
    if current_color in colors: 
        pos = colors.index(current_color) 
    if pos == len(colors)-1: 
        return colors[pos] 
    else: 
        return colors[pos+1] 
    return 0xFFFFFF # Default color 
  
 
def main_debug(end_addr): 
    if not end_addr: 
        print("[!] Error, end_addr for main_debug not specified.") 
        return 
 
    idc.enable_tracing(TRACE_STEP, 1) 
    event = ida_dbg.wait_for_next_event(WFNE_ANY|WFNE_CONT, -1) # Continue the debugger, now configured for step tracing 
 
    while True: 
        event = ida_dbg.wait_for_next_event(WFNE_ANY, -1) 
        addr = idc.get_event_ea() 
 
        if end_addr: 
            if addr == end_addr: 
                print("[.] End address reached.") 
                break 
 
        current_color = idc.get_color(addr, CIC_ITEM) 
        new_color = get_new_color(current_color) 
 
        idc.set_color(addr, CIC_ITEM, new_color) 
 
        if event <= 1: 
            print("[.] Finished debugging.") 
            break 
 
    ida_dbg.suspend_process() # Wait for debugger to reach this point. PROGRAM FINISHED after this 
  
 
if __name__ == '__main__': 
    start_addr = None 
    end_addr = 0x011D21B8 
    init_heads(start_addr, end_addr)    # Set white color (default) 
    main_debug(end_addr) 

With this script, we can (in a debugging session) select an end_address and let the debugger execute until this address is reached (or the debugging session is finished by other means). As the debugger runs, it will color the instructions it executes. The darker the instruction looks, the more times the debugger executed it.

As a result, we can easily identify those code blocks that got executed multiple times (they may be pre-dispatcher blocks), those that got executed only once and even detect dead code blocks that never get executed. This can significantly improve the reversing experience of the malware sample, especially if we can avoid looking at dead code.

New Anti-Sandbox technique: Using trigonometry to detect human behavior

LummaC2 v4.0 makes use of a novel anti-sandbox technique that forces the malware to wait until “human” behavior is detected in the infected machine. This technique takes into consideration different positions of the cursor in a short interval to detect human activity, effectively preventing detonation in most analysis systems that do not emulate mouse movements realistically.

The malware first starts by getting the initial position of the cursor with GetCursorPos() and waits in a loop for 300 milliseconds until a new capture of the cursor position is different from the initial one.

Once it has detected some mouse movement (as the cursor position has changed) it will save the next 5 positions of the cursor executing GetCursorPos() with a small Sleep of 50 milliseconds between them.

After these 5 cursor positions have been saved, (let’s name them for now on P0, P1, …, P4), the malware checks if every captured position is different from its preceding one. For instance, it checks if ((P0 != P1) && (P1!= P2) && (P2 != P3) && (P3 != P4)). If this condition is not met, LummaC2 v4.0 will start again capturing a new “initial position” with a Sleep of 300 milliseconds until mouse movement is found and save new 5 cursor positions. This process will repeat forever until all consecutive cursor positions differ.

At this point we know the malware ensures that detonation will not occur until mouse is moved “quickly”. (Sandbox solutions that emulate mouse with less frequency will never detonate the malware).

After checking that all 5 captured cursor positions meet the requirements, LummaC2 v4.0 uses trigonometry to detect “human” behavior. If it does not detect this human-like behavior, it will start the process all over again from the beginning. The following lines explain the logic the malware follows.

Let’s assume here we have our 5 captured cursor positions (with a gap of 50 milliseconds between them) named P0, P1, …, P4.

LummaC2 is going to treat these coordinates points as Euclidean vectors. As a result, captured mouse positions form 4 different vectors: P01, P12, P23, P34.

LummaC2 v4.0 then calculates the angle that is formed between consecutive vectors P01-P12, P12-P23 and P23-P34 sequentially. Here we can see an example of the different angles that are calculated:

To get the magnitude of a vector (shortest distance between two points), the Euclidean distance formula is used. To calculate the angle between two Euclidean vectors, it makes use of the dot product of vectors and transforms the result from radians to degrees. This can be seen in the following figures:

The result is finally converted to degrees and compared against a threshold of 45.0º degrees, which is hardcoded in the malware sample and initialized at the beginning of the anti-sandbox routine (as it can be seen in previous Figure 13).

If all the calculated angles are lower than 45º, then LummaC2 v4.0 considers it has detected “human” mouse behavior and continues with its execution. However, if any of the calculated angles is bigger than 45º, the malware will start the process all over again by ensuring there is mouse movement in a 300-millisecond period and capturing again 5 new cursor positions to process.

In the following figure we can see how the anti-sandbox check is performed, once obtained the angle between two vectors in angle_between_vectors_degress. The difference_threshold is initialized at the beginning of the routine (which can be seen in Figure 13).

How to bypass LummaC2 v4.0 Anti-Sandbox technique

As we have seen, this technique allows the malware to delay detonation until “human” mouse movement is detected. Moreover, this mouse movement must be continuous and smooth. Moving the cursor tortuously, quickly to random positions, circles or changing abruptly the direction of the cursor movement, etc., will most likely result in the malware never detonating.

In order to detonate LummaC2 v4.0, mouse movement must be continuous (5 different positions will be captured in approximately 0.25 seconds) and it must be a smooth movement (without changing directions abruptly), given that angles between the vectors formed by these positions cannot exceed 45 degrees.

Forcing threat-actors to use a crypter for their builds

As we saw in earlier LummaC2 advertisements in underground forums, protecting the malware with a crypter was recommended to avoid leaking the malware anywhere in its pure form.

Newer versions of the malware added a new feature to avoid leaking the unpacked samples. In the case in which the sample being executed is not packed, the infected user will be presented with the following alert that allows them to prematurely finish the execution of the malware without any harm being caused to the infected machine.

This shows the lengths at which the malware developer is willing to go to avoid leaking unpacked samples.

LummaC2 v4.0 detects if the running executable is crypted by searching for a specific value at certain offset from the PE file. If this value is found, then the sample is not crypted. As we have previously seen, the packer sample does not create a new process to run the malware but uses a thread instead. Analyzing or executing the unpacked sample will result in this message box being displayed.

It will start by executing GetModuleFileNameW with hModule parameter 0 (to retrieve the path of the executable file of the current process) and obtaining a handle to the file for future reading via CreateFileW with dwDesiredAccess parameter set to GENERIC_READ. Then, it will get the size of the file with GetFileSizeEx and allocate a buffer of the obtained size using malloc. Following, a call to ReadFile is executed to fill the buffer with the contents of the executable file of the current process, as shown in the following Figure:

Afterwards, it will check using memcmp if a hardcoded mark is present at a hardcoded offset plus 8 bytes. If the contents match, the user is presented with the alert preventing detonation via NtRaiseHardError.

This hardcoded mark (which changes between samples) has been previously hashed to check for file integrity. If this integrity check does not match, the malware ends abruptly. However, this should not be any issue if the unpacking of the malware was successful.

The following picture shows the hardcoded mark and the hardcoded offset. As well as the contents of the unpacked version of the malware, which would show the alert upon execution.

Conclusion

Information Stealers such as LummaC2 v4.0 pose significant risks and have the potential to inflict substantial harm on both individuals and organizations, including privacy breaches and the unauthorized exposure of confidential data. As our analysis has revealed, LummaC2 v4.0 appears to be a dynamic malware strain that remains under active development, constantly enhancing its codebase with additional features and improved obfuscation techniques, along with updates to its control panel. The ongoing usage of this malware in real-world scenarios indicates that it will likely continue to evolve, incorporating more advanced features and security measures in the future. This evolution is further facilitated by an open channel for customers to request bug fixes and propose enhancements.

IOCs

Hashes

LummaC2 v4.0 (sample 1)

• b14ddf64ace0b5f0d7452be28d07355c1c6865710dbed84938e2af48ccaa46cf (packed)

• 4408ce79e355f153fa43c05c582d4e264aec435cf5575574cb85dfe888366f86 (unpacked)

LummaC2 v4.0 (sample 2)

• de6c4c3ddb3a3ddbcbea9124f93429bf987dcd8192e0f1b4a826505429b74560 (packed)

• 976c8df8c33ec7b8c6b5944a5caca5631f1ec9d1d528b8a748fee6aae68814e3 (unpacked)

C&Cs

curtainjors[.]fun

gogobad[.]fun

superyupp[.]fun

References

“The Case of LummaC2 v4.0”, September, 2023. [Online]. Available: https://www.esentire.com/blog/the-case-of-lummac2-v4-0 [Accessed November 05, 2023]

“Everything you need to know about the LummaC2 stealer: leveraging IDA Python and Unicorn to deobfuscate Windows API hashing”, April, 2023. [Online]. Available: https://malwareinternals.com/lummac2-stealer-everything-you-need-to-know [Accessed November 05, 2023]

“Using IDAPython to Make Your Life Easier: Part 4”, January, 2016. [Online]. Available: https://unit42.paloaltonetworks.com/using-idapython-to-make-your-life-easier-part-4 [Accessed November 05, 2023]

“A cryptor, a stealer and a banking trojan”, September, 2023. [Online]. Available: https://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/ [Accessed November 05, 2023]

“Deobfuscation: recovering an OLLVM-protected program”, December, 2014. [Online]. Available: https://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html [Accessed November 05, 2023]

“The Rise of the Lumma Info-Stealer”, September, 2023. [Online]. Available: https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer [Accessed November 05, 2023]

In this blog post, we will take a deep dive into a malware sample classified as LummaC2, an information stealer written in C language that has been sold in underground forums since December 2022. We assess LummaC2’s primary workflow, its different obfuscation techniques (like Windows API hashing and encoded strings) and how to overcome them to effectively analyze the malware with ease. We will also analyze how networking communications with the C2 work and summarize LummaC2’s MITRE Adversarial Tactics, Techniques and Common Knowledge.

This malware family is an evolution of its predecessor LummaC, developed by the same threat actor, and sold since August 2022 on underground forums.

New stealer for sale: LummaC2

The information stealer is offered for sale in several underground forums and via the official shop lumma[.]site by the threat actor "Shamel" using the alias “Lumma”, who is also responsible for the sales of the 7.62mm stealer. Advertisements hav been seen in other forums by the alias “LummaStealer”, which is presumably a reseller of the stealer.

As we will see in detail later, this malware targets crypto wallets, browser extensions, two-factor authentication (2FA) and steals sensitive information from the victim’s machine.

LummaC2 is offered at the following prices depending on the features offered:

• Experienced US$250;

• Professional US$500;

• Corporate account US$1,000.

An earlier version of the website seen in a screenshot on Cyble's article indicates that it was also possible to purchase the stealer and panel source code for a price of US$20,000.

The purchase of the stealer can be processed through the well-known cryptocurrency exchange Coinbase from a wide range of cryptocurrencies to choose from.

Deobfuscating LummaC2

LummaC2 Windows API call Obfuscation

LummaC2 makes use of API hashing, which is a common technique seen in malware in order to hide their functionality from tools relying on static information and to obfuscate the code, which makes it harder for an analyst to understand what the malware does.

The following picture shows an example of how Windows API calls are performed:

The malware executes a function that receives a DLL name string in EDX register(e.g “ntdll.dll”) and an input hash (in ECX register). This function internally resolves kernel32!LoadLibraryA to load the desired .dll (in this case “ntdll.dll”) and proceeds to parse its Export Table. It hashes each export name until it finds one that matches the input hash. This way it is able to resolve any Windows API Call, saving the address found in EAX register as a result. Then a call eax instruction will finally execute the desired Windows API call.

The hashing algorithm that LummaC2 uses to resolve Windows API calls is MurmurHash2 with 32 as seed value.

Defeating LummaC2 Windows API call Obfuscation

The following lines are aimed at removing the call obfuscation scheme for LummaC2 now that we know how it resolves Windows API calls. The idea is to automatically resolve all Windows API calls used in the code so that we have a better picture of the malware capabilities without the need of debugging and entering in every single path the malware can take to resolve all its possible calls.

To do so, we will generate a dictionary containing all the Windows API calls from a given set of Windows .dll files and their respective MurmurHash2. With this dictionary, we can then get every hash sent to the function resolving Windows Api calls and figure out which function is being resolved.

Preparing Windows API call hash dictionary

We could try and find a public implementation or MurmurHash2 but it is possible that the algorithm the malware uses may be altered in the future so that the standard implementation does not work. For this reason, another good approach is to use Unicorn, as it allows us to emulate the exact instructions that the malware executes.

Unicorn

The hashing routine is a “standalone” routine that we can extract easily from the binary and does not have any calls or jumps to other locations apart from the hashing routine itself. Which means we can run this shellcode in an emulated environment without previous patching to ensure everything is linked properly (with the exception of the last “return” instruction, which we should ignore for the emulation).

In this scenario, the malware hashing algorithm expects to have the string with the Windows API call in ECX register and the result hash (which we will read) is finally stored in EAX register.

As we now have all the data we need to emulate the binary, the last step for this part is to build the emulation environment for our code to run on. To accomplish this, we will use the open-source Unicorn Engine.

The first thing we want to do is initializing Unicorn for the architecture we want to emulate (x86 architecture), and map some memory to use. Next, we will write our shellcode to our memory space and initialize ECX pointing to our Export Name string. With all this in place, we are ready to run emulation and read the resulting hash in EAX register afterwards.

The following Python function uses Unicorn to emulate the hashing algorithm LummaC2 uses to resolve Windows API Calls:

import unicorn

def emulate_murmurhash2(data, seed=32):
    code = "\x56\x57\x8B\xF9\x8B\xD7\x8D\x4A\x01\x8A\x02\x42\x84\xC0\x75\xF9\x2B\xD1\x8B\xF2\x83\xF6\x20\x83\xFA\x04\x7C\x4D\x53\x8B\xDA\xC1\xEB\x02\x6B\xC3\xFC\x03\xD0\x0F\xB6\x4F\x03\x0F\xB6\x47\x02\xC1\xE1\x08\x0B\xC8\x69\xF6\x95\xE9\xD1\x5B\x0F\xB6\x47\x01\xC1\xE1\x08\x0B\xC8\x0F\xB6\x07\xC1\xE1\x08\x83\xC7\x04\x0B\xC8\x69\xC9\x95\xE9\xD1\x5B\x8B\xC1\xC1\xE8\x18\x33\xC1\x69\xC8\x95\xE9\xD1\x5B\x33\xF1\x83\xEB\x01\x75\xBF\x5B\x83\xEA\x01\x74\x1C\x83\xEA\x01\x74\x0E\x83\xEA\x01\x75\x1D\x0F\xB6\x47\x02\xC1\xE0\x10\x33\xF0\x0F\xB6\x47\x01\xC1\xE0\x08\x33\xF0\x0F\xB6\x07\x33\xC6\x69\xF0\x95\xE9\xD1\x5B\x8B\xC6\xC1\xE8\x0D\x33\xC6\x69\xC8\x95\xE9\xD1\x5B\x5F\x5E\x8B\xC1\xC1\xE8\x0F\x33\xC1"

    CODE_OFFSET = 0x1000000
    mu = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
    mu.mem_map(CODE_OFFSET, 4*1024*1024)
    mu.mem_write(CODE_OFFSET, code)

    libname = 0x7000000
    mu.mem_map(libname, 4*1024*1024)
    mu.mem_write(libname, data)
 
    stack_base = 0x00300000
    stack_size = 0x00100000

    mu.mem_map(stack_base, stack_size)
    mu.mem_write(stack_base, b"\x00" * stack_size)
 
    mu.reg_write(unicorn.x86_const.UC_X86_REG_ESP, stack_base + 0x800)
 
    mu.reg_write(unicorn.x86_const.UC_X86_REG_EBP, stack_base + 0x1000)
 
    mu.reg_write(unicorn.x86_const.UC_X86_REG_ECX, libname)

    mu.emu_start(CODE_OFFSET, CODE_OFFSET + len(code))

    result = mu.reg_read(unicorn.x86_const.UC_X86_REG_EAX)

    return result

We can now easily write a script to walk through files inside a directory where we have Windows .dlls and, for each .dll, parse its Exports and calculate its MurmurHash2 using the previous function. This could be an example of the implementation using pefile:

import pefile

def dump_hash_dlls():
    '''
    This function uses pefile to get the export names from .dlls and apply the hashing
    algorithm to them.
    '''

    dlls_dir = 'dlls/'    # Directory where we have Windows .DLL files

    for (dirpath, dirnames, filenames) in os.walk(dlls_dir):
        for filename in filenames:
            if filename.endswith('.dll'):

                pe = pefile.PE('{}'.format(dlls_dir+filename))

                for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
                    export_name = exp.name

                    if not export_name:
                        # "Ignoring export without name..."
                        continue

                    try:
                        export_hash = emulate_murmurhash2(export_name)
                    except Exception as err:
                        print('Exception occurred while emulating murmurhash2 with export_name: {}. Error: {} '.format(export_name, err))

                        continue

The results can then be saved as we prefer. In this case, we need a Python dictionary that we can use in IDA Python script when analyzing the malware. We can save the result dictionary in a .json file like the following one:

{
    "1002323769": "kernel32_MoveFileTransactedA",
    "1002333354": "ntdll_ZwSetTimer",
    "1003390208": "ntdll_memmove_s",
    "1003407985": "advapi32_LsaDelete",
    "1004879971": "ntdll_NtReadOnlyEnlistment",
    "100560003": "kernel32_GetThreadId",
    "1006629348": "kernel32_ReadConsoleOutputW",
    "1007338292": "kernel32_GetProcessPreferredUILanguages",
    "1007695856": "user32_GetClassInfoExW",
    "1008342899": "shell32_SHCreateStdEnumFmtEtc",
    "1008627276": "advapi32_QueryTraceW",
    "1008723271": "ntdll_NtDisableLastKnownGood",
    "1009340263": "advapi32_RegSaveKeyW",
    "1009496315": "kernel32_FlushViewOfFile",
    "1009939290": "shlwapi_PathFindSuffixArrayW",
    "101018728": "ntdll_ZwOpenTransactionManager",
    "1010305366": "user32_SetWindowLongA",
    "1010398495": "shlwapi_PathUnExpandEnvStringsW",
    "101074275": "kernel32_EnumDateFormatsExW",
    "1011639982": "user32_AppendMenuA",
    "1012134009": "user32_CharToOemBuffW",
    "1012436811": "ntdll_NtCreateNamedPipeFile",
    "1013083577": "shell32_ShellExec_RunDLL",
    "1014808818": "ntdll_NtUnmapViewOfSection",
    "1016118817": "ntdll_NtQueryInformationThread",
    "1017169715": "shell32_ILCloneFirst",
    "1017424400": "user32_ReleaseCapture",
(…)

Resolving obfuscated Windows API calls

Now that we have all the possible exports that the malware may use, it is time to create an IDA Python script to help us reverse engineer LummaC2.

This script is going to be divided in 2 parts. From one side, we are going to resolve every Windows API call (checking the hash set in ECX against our big dictionary) and create an IDA comment staying the final Windows API call being made. In the end, we will execute another script while debugging LummaC2 to patch all these calls.

This will help us to easily understand how the malware operates and its capabilities to ease reverse engineering without the need of debugging and executing every possible path the malware can take.

The first thing to do is to place our .json file (the one with the big Python dictionary storing all the Windows API calls and respective hashes) in our analysis VMs where IDA Python script is going to be executed. Then the script must be able to read and save its contents for further analysis:

import json

hashes_dict = {}

def setup(hashes_dict_file):
    global hashes_dict

    try:
        with open(hashes_dict_file, 'rb') as fd:
            hashes_dict = json.load(fd)
    except Exception as err:
        print('Error while readning hashes dict. file: {}'.format(err))

Now that we have our dictionary ready. Let’s examine the different patterns that are used when resolving a Windows API call. We know that ECX register must have the hash, but this can be achieved in the code through different ways:

As we can see, in the end ECX always contains the hash to be resolved. However, the instruction that sets the specified hash can move it into a different register before being in ECX. The last two patterns use EDI and ESI registers respectively.

With this information, we should be able to go through all cross references to the call “ResolveApiByHash”, retrieve the hash being used and resolve the Windows API call using our big hash dictionary. The following Python function implements this. It only expects to receive the address of the call “ResolveApiByHash” as its only argument.

import idautils
import idc

def resolve_all_APIs(resolve_ea):

    patches = []

    total_apis_found = 0
    total_apis_resolved = 0

    global hashes_dict

    if resolve_ea is None:
        print('[!] Resolve failed.')
        return

    for ref in idautils.CodeRefsTo(resolve_ea, 1):

        total_apis_found += 1

        curr_ea = ref

        API_hash = 0

        for _ in range(30): # Search maximum the last 30 instructions before the call to ResolveApiByHash

            prev_instruction_ea = idc.PrevHead(curr_ea)
            instruction = idc.GetDisasm(prev_instruction_ea)

            # Possible scenarios
            '''
            .text:0040214B B9 73 10 FF E8                          mov     ecx, 0E8FF1073h
            .text:00402150 E8 7E 61 00 00                          call    ResolveApiByHashWrapper

            or

            .text:004074F6 BF 29 A1 D3 5F                          mov     edi, 5FD3A129h
            .text:004074FB BA C8 4B 42 00                          mov     edx, offset aWininet_dll ; "wininet.dll"
            .text:00407500 8B CF                                           mov     ecx, edi
            .text:00407502 E8 CC 0D 00 00                          call    ResolveApiByHashWrapper

            or

            .text:00407D8C BE 30 E2 95 3D                          mov     esi, 3D95E230h
            .text:00407D91 8B D3                                          mov     edx, ebx
            .text:00407D93 6A 00                                          push    0
            .text:00407D95 8B CE                                          mov     ecx, esi
            .text:00407D97 E8 37 05 00 00                          call    ResolveApiByHashWrapper
            '''

            instruction_cut = instruction.replace(' ', '')

            if 'movecx' in instruction_cut or 'movedi' in instruction_cut or 'movesi' in instruction_cut:

                API_hash = idc.GetOperandValue(prev_instruction_ea, 1)

                if API_hash < 0x10:
                    # Avoid intermediate movs, when the target is in edi (e.g mov ecx, edi)
                    curr_ea = prev_instruction_ea
                    continue

                API_hash_idx = str(API_hash)

                if API_hash_idx in hashes_dict:

                    print('API hash: {} {} {}'.format(hex(prev_instruction_ea), hex(API_hash), hashes_dict[API_hash_idx]))

                    apicall = hashes_dict[API_hash_idx].split('_')[-1] # "kernel32_AddAtomA" -> "AddAtomA"
                    idc.MakeComm(ref, apicall)

                    patch_info = (ref, hashes_dict[API_hash_idx])
                    patches.append(patch_info)

                    total_apis_resolved += 1

                else:

                    print("Hash not found!")

                break

            curr_ea = prev_instruction_ea

    print('Total APIs found: {} Total APIs resolved: {}'.format(total_apis_found, total_apis_resolved))

    return patches


setup("c:\murmurhash2_hashes_dict.json") # Big Python dict. With hashes and export names
patches = resolve_all_APIs(0x004082D3) # Use address of “ResolveApiByHash”

The return value is a list of tuples (addr, apicall) that we will use later to patch the binary. After executing the script, we can see how now we have comments for every Windows API call resolution and have a better understanding of what the malware can do. We can also use xref view to quickly see all the Windows API calls (with their resolved name as a comment) the malware can use.

Patching the binary and removing obfuscation

The last part of this script would allow us to patch the binary to remove all of LummaC2 Windows API call obfuscation. This way we can focus only in the relevant instructions and help IDA decompiler to easily recognize the arguments that are being passed to these functions.

With the current implementation, we can easily see which Windows API calls are being used (as we have comments in every call that resolves a function). However, we still have many unnecessary instructions in the code, and the call is still being done with the instruction “call eax”, which does not help us much with analysis, cross-referencing, etc.

The goal of the following Python function for IDA is to patch the “call ResolveApiByHash” for the real Windows API call that is going to be called after resolution. From the previous script, we have a list of tuples. Each element of the tuple consists of an address (where the call resolution is made) and the Windows API call that is going to be called.

def patch_apicall_wrapper(patches):

    total_apis_patched = 0

    for item in patches:

        # item : (addr, apicall) (e.g (0xCAFEBABE, "kernel32_AddAtomA"))
        try:

            addr = item[0]
            apicall = item[1]

            success_patch = patch_apicall(addr, apicall)

            if success_patch:
                total_apis_patched += 1

        except Exception as err:
            print('Error patching call: {}'.format(err))

    print('Total APIs patched: {}'.format(total_apis_patched))

The function “patch_apicall” is going to be the responsible for retrieving the address of a Windows API call and patching the “call ResolveApiByHash” for the call to the expected export.

One drawback that we may find, is that we cannot resolve the address of an export from a Windows .dll that has not been loaded in the address space from the debugged process yet. To overcome this issue, we can make use of IDA “Appcall” feature. With Appcall we can execute LoadLibraryA to load any missing .dll so that we can resolve all exports just from the Entry Point. (Otherwise, we would have to wait until the malware loads the library for the first time; which would not allow us to automate everything from the Entry Point as we are doing now).

Once we have the address, we need to get the relative offset and then we can use 0xE8 opcode with this relative offset to patch the call “ResolveApiByHash”. Finally, we append two nop instructions after to overwrite the proceeding “call eax”.

def patch_apicall(addr, apicall):
    '''
    If it cannot be resolved, it is possible that the malware has not loaded the library yet (for example, wininet.dll). In this case, we can force the load of the module using AppCall:

    loadlib = Appcall.proto("kernel32_LoadLibraryA", "int __stdcall loadlib(const char *fn);")
    hmod = loadlib("wininet.dll")
    '''

    loadlib = Appcall.proto("kernel32_LoadLibraryA", "int __stdcall loadlib(const char *fn);")

    print('apicall: {}'.format(apicall))
    apiaddr = idc.LocByName(apicall)
    if apiaddr == 0xFFFFFFFF:
        hmod = loadlib('{}.dll'.format(apicall.split('_')[0]))
        apiaddr = idc.LocByName(apicall)
        if apiaddr == 0xFFFFFFFF:
            return False

    # At this point, apiaddr has the address of the Api call that we want. (e.g 0x772AB880 for wininet_InternetOpenA)

    rel_offset = (apiaddr - addr - 5) & 0xFFFFFFFF

    idc.PatchDword(addr+1, rel_offset) # Patch “call ResolveApiByHash”  -> “call InternetOpenA”

    idc.PatchByte(addr+5, 0x90) # patch with nop
    idc.PatchByte(addr+6, 0x90) # patch with nop

    return

setup("c:\murmurhash2_hashes_dict.json") # Big Python dict. With hashes and export names
patches = resolve_all_APIs(0x004082D3) # Use address of “ResolveApiByHash”
patch_apicall_wrapper(patches) # Patch the binary

With this implementation, we have now patched all the calls to the real exports that the malware wants to use. However, IDA has now trouble identifying and displaying properly the arguments of the functions in the decompiler view. An example of this can be seen in the following picture:

The last thing to do here is to remove the instructions related with the Windows API call resolution (registry operations used to move the .dll string and the hash). This way the decompiler will show the arguments and everything as expected, while the code will look clean and show only the necessary instructions. This would be the final implementation of the previous “patch_apicall” function:

def patch_apicall(addr, apicall):
    '''
    If it cannot be resolved, it is possible that the malware has not loaded the library yet (for example, wininet.dll). In this case, we can force the load of the module using AppCall:

    loadlib = Appcall.proto("kernel32_LoadLibraryA", "int __stdcall loadlib(const char *fn);")
    hmod = loadlib("wininet.dll")
    '''

    loadlib = Appcall.proto("kernel32_LoadLibraryA", "int __stdcall loadlib(const char *fn);")

    print('apicall: {}'.format(apicall))
    apiaddr = idc.LocByName(apicall)
    if apiaddr == 0xFFFFFFFF:
        hmod = loadlib('{}.dll'.format(apicall.split('_')[0]))
        apiaddr = idc.LocByName(apicall)
        if apiaddr == 0xFFFFFFFF:
            return False

    # At this point, apiaddr has the address of the Api call that we want. (e.g 0x772AB880 for wininet_InternetOpenA)

    rel_offset = (apiaddr - addr - 5) & 0xFFFFFFFF

    idc.PatchDword(addr+1, rel_offset) # Patch “call ResolveApiByHash”  -> “call InternetOpenA”

    idc.PatchByte(addr+5, 0x90) # patch with nop
    idc.PatchByte(addr+6, 0x90) # patch with nop
 
    curr_ea = addr

    for _ in range(20): # Search maximum the last 20 instructions before the call to ResolveApiByHash

        prev_instruction_ea = idc.PrevHead(curr_ea)
        instruction = idc.GetDisasm(prev_instruction_ea)

        instruction_cut = instruction.replace(' ', '')
        if 'movecx' in instruction_cut or \
            'movedx' in instruction_cut:

            operand_type = idc.GetOpType(prev_instruction_ea, 1)
            param = idc.GetOperandValue(prev_instruction_ea, 1)

            # Only allow for:
            # 1- General Register
            # 2- Direct Memory reference (DATA)
            # 5- Immediate Value

            if operand_type not in [1, 2, 5]:
                curr_ea = prev_instruction_ea
                continue

            if param < 0x10:

                if not 'eax' in instruction_cut: # Avoid patching result from previous calls

                    # This means the operand is a register (1-byte mov operation e.g 8B CE  mov     ecx, esi)
                    # NOP the instruction
                    PatchNops(prev_instruction_ea, 2)


            else:
                # This means the operand is 4-byte length (e.g B9 D6 3F B0 78  mov     ecx, 78B03FD6h)
                PatchNops(prev_instruction_ea, 5)

        curr_ea = prev_instruction_ea


    return True

def PatchNops(addr, size):
    for i in range(size):

        print("Patching NOP at addr: {}".format(hex(addr+i)))

        idc.PatchByte(addr+i, 0x90) #patch with nop


setup("c:\murmurhash2_hashes_dict.json") # Big Python dict. With hashes and export names
patches = resolve_all_APIs(0x004082D3) # Use address of “ResolveApiByHash”
patch_apicall_wrapper(patches) # Patch the binary

With this in place, we can execute the script in a debugging session on Entry Point and remove most of the code related to Windows API call obfuscation while patching the binary to get an equivalent working sample easier to analyze and reverse engineer.

The following figure shows the result of patching the binary with our script:

As we can see, we only have relevant instructions in our disassembly (nop instructions have patched out Windows API call obfuscation scheme). And, as a result, it is easy for IDA decompiler now to understand and properly display the arguments for our Windows API calls in the first attempt:

Here we have the main networking exfiltration routine before applying any of our scripts and after patching the binary. As we can see, the result is a much clear and easy to understand routine:

Strings Obfuscation

LummaC2 “obfuscates” most of the strings used in the malware in order to evade detection. By stripping every occurrence of “edx765” from a given string, we can easily get the original one. Most of these strings are used to walk through sensitive files inside directories.

As it can be seen, the obfuscation method is very simple and for this reason, it is probable that we see changes in this implementation in future versions of the malware.

LummaC2 Workflow

The following diagram shows LummaC2 main workflow. This malware goes straight to the point and only cares about exfiltrating stolen information. No persistence mechanisms are used and there is no control on how many malware instances can run at the same time. One difference regarding many information stealers is that this malware family does not care about the machine being infected, while others avoid infecting machines coming from the Commonwealth of Independent States.

Information Gathering

LummaC2 gathers information from the victim system. This information is saved in a file named “System.txt” prior to zip compression and exfiltration. The information gathered from the infected machine includes the Username, Hardware ID, Screen Resolution and more:

This information is obtained using the following Windows API calls respectively:

• GetComputerNameA

• GetUserNameA

• GetCurrentHwProfileA

• GetSystemMetrics

• GetSystemDefaultLocaleName

• cpuid

• GetPhysicallyInstalledSystemMemory

Steal Important Files

LummaC2 will also steal files from the victim machine and save them under “Important Files/Profile”. What happens to be considered here an “important file” is actually every *.txt file under %userprofile%. This is done in a recursive call that traverses %userprofile% with a maximum recursion depth of 2 directories.

Targeted Software

After gathering information from the infected machine and stealing important files, it proceeds to steal crypto wallets for Binance, Electrum and Ethereum (in this order). Once this is finished it exfiltrates data (ZIP compressed) to the C2 and continues the stealing process.

After the first exfiltration to the Command and Control server, LummaC2 proceeds to steal relevant Browsers information like Login Data, History, cookies, etc. Affected Browsers are:

The malware also targets Crypto Wallets and two-factor authentication (2FA) browser extensions that may have been installed in the system. The following figure shows LummaC2 searching for these elements:

Network Data Exfiltration

Communication with the Command and Control server is one-way only. The malware does not expect any response from its C2. As we can see from LummaC2 workflow diagram, the malware contacts the C2 in different stealing phases. After each phase, stolen information is sent to the C2 ZIP compressed.

LummaC2 exfiltrates stolen information via HTTP POST request. These requests are made to the resource “/c2sock” and use multipart/form-data (combines one or more sets of data into a single body, separated by boundaries) to upload a compressed ZIP file containing the stolen information along with more information (like the hardware id, obtained previously with GetCurrentHwProfileA). The following figure shows the different set of data sent to the C2:

First field (highlighted one) is the filed with name “file”. This includes the ZIP compressed file with sensitive information being exfiltrated.

The next field with name “hwid” contains the Hardware Id previously retrieved using GetCurrentHwProfileA

The field with name “pid” can be understood as “petition Id”. It is the number of the exfiltration attempt. As we saw earlier in the workflow diagram, LummaC2 can exfiltrate up to 3 different times after each stealing phase. From the analyzed sample, we can only expect to see values 1, 2 or 3, which means that if we detect LummaC2 networking activity with different “petition Id” we will be dealing with a newer/updated version of the malware.

Finally, the last field with name “lid” comes with the hardcoded value “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”. This is known as the “Lumma ID” and it can be understood as an identifier of the malware that may refer to the build or campaign id. This field is also used when gathering system information (in the creation of “System.txt” file being exfiltrated).

Network data being transmitted to the C2 can be recognized in the following figure, where an excerpt of the first HTTP POST exfiltration request (request with “pid” equals 1) using multipart/form-data is sending a ZIP compressed file:

MITRE ATT&CK

Conclusion

As it has been shown, LummaC2 behaves similar to other information stealers. By capturing sensitive data from infected machines, including business credentials, it can do a lot of damage. For example, compromised credentials can be used to achieve privilege escalation and lateral movement. Compromised business accounts can also be used to and further distribute the malware.

The fact the malware is being actively used in the wild indicates the professionalization in the development of these products. Bad actors are willing to pay for these tools because they prefer quality, and more features. In return, they expect to see more profit from the exfiltrated data.

IOCs

Hash

LummaC2 sample:

• 277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf

C2

LummaC2 Command and Control server:

• 195[.]123[.]226[.]91

References

“LummaC2 Stealer: A Potent Threat to Crypto Users”, January, 2023. [Online]. Available: https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ [Accessed March 20, 2023]

“Popularity spikes for information stealer malware on the dark web”, December, 2022. [Online]. Available: https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web [Accessed March 20, 2023]