Cyble Research and Intelligence Labs (CRIL) detected an information stealer that uses Chromium and Mozilla-based browsers to steal crypto wallet data, extensions, and two-factor authentication (2FA).
During a threat-hunting exercise, the researchers found the information via a post on the dark web and a website that sold the LummaC2 Stealer for $20,000 as the “source” plan.
Published on 27 December 2022, the post boasted of LummaC2 Stealer’s capability to steal 60 cryptocurrencies and stated that the stealer, developed in C language, had a low-level wrapper written in ASM.
The post also claimed that the C-based stealer helped in morphing the stealer and updates every two hours while working through low-level system calls.
Moreover, the website selling the crypto wallet stealer linked to the post was in the Russian language. They also had two Telegram channels for the stealer as shown below:
LummaC2 Stealer was sold in several schemes and packages that offered varying features, offered for a minimum of $250 dollars to experienced users that offered buyers to view and upload logs with log analysis tools.
For a professional package, it charged $500. $1000 was charged for corporate users, and the plan for ‘source’ was charged $20,000 with all the benefits, including the right to sell.
Details about LummaC2 Stealer
- IP addresses of the servers – 195.123.226.91 and 144.76.173.247 based in Bulgaria and Germany, respectively.
- It had two active command and control servers.
- sha256 d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264.
- The 32-bit GUI-type executable can steal information from the following browsers:
- Chrome
- Chromium
- Mozilla firefox
- Edge
- Opera stable
- Kometa
- Vivaldi
- GX stable
- Brave
- Opera neon
The stealing chain of LummaC2 Stealer
According to CRIL, the stealer, when executed, moves the obfuscated string to a function that removes the ransom string and offers the original one.
This helps the LummaC2 Stealer to evade detection using the obfuscated strings covered by random string, edx765. Moving forward, the stealer resolves the APIs and copies system information, and stores it in the memory with the name system.txt. The stolen information includes:
- LummaC2 build
- Lumma ID
- Screen resolution
- Hardware ID
- CPU name
- Physical memory
- System language
Following the information stealing activity, LummaC2 Stealer collects the %userProfile% directory information from the virtual machine and stores it in the memory as ‘Important Files/Profile.’ It uses the following code to access crypto wallet information:
All the stolen information gets sent to LumenC2 Stealers command and control server as shown below:
Upon sending the crypto wallet data to the command-and-control server, the information stealer crawls through the browser to continue stealing as much sensitive data as possible. It looks for the following browser data:
- History
- Login credentials
- Network cookies
- Web data
While in the browser, the malware also searches if the data related to two-factor authentication (2FA) extensions are available on it. It then sends all the stolen information to its command-and-control server.
Cyble researchers told The Cyber Express that they must conduct regular backup practices and store the information either offline or on another network. They also reiterated the importance of not opening emails that seem suspicious, which is the route to the target’s system.
