A brief analysis of LummaC2 Stealer

ptwistedworld
May 27, 2024

LummaC2, first seen in 2022, is a known information stealer that operates under the Malware-as-a-Service (MaaS) model and is sold on underground forums through subscriptions.

The sample analyzed here was extracted from bitdefender-app[.]com, a website set up to host the malware while masquerading as the legitimate Bitdefender anti-virus.

I did a quick static analysis of the PE64 file and, as shown below, we can see that it is written in C/C++ and compiled using MinGW. It also has low entropy, which suggests that most of the code in this executable is not obfuscated.

After running it, I immediately observed the malware performing multiple DLL calls and system and registry queries to do basic checks on user account profiles, environment variables, network information, computer name, hardware information, hostname, history, shared network resources, safe boot configuration, and more.

Lumma queries and modifies a value under HKLM\System\CurrentControlSet\Control\SafeBoot\Option

The malware is also seen accessing samlib.dll and samcli.dll, libraries that provide Windows components and services with the authentication and security functions required to make modifications in the Windows registry.

Around one minute after execution, the malicious executable launches C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe. As mentioned in Trellix’s report, this binary is responsible for reading BitLocker-protected removable drives as well as for encrypting them.

It also reads the uncommon paths “C:\$Secure:$SDH:$INDEX_ALLOCATION”, “C:\$Mft” and “C:\$Extend\$UsnJrnl:$J:$DATA”. After a simple search, I found that these are NTFS internal stream names, used for storing internal metadata files. More info on that here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6b5e7e75-c2ad-4769-ad96-37077ee69702

I then used FakeNet, analyzed the resulting pcap in Wireshark, and reviewed the logs generated by Sysmon. The malware cycles through multiple domains by having BitLockerToGo.exe perform the DNS queries.

Sample Sysmon log — Event ID 22
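Two of the observations above are directly detectable from Sysmon Event ID 22 (DnsQuery) telemetry: a binary that has no reason to resolve names (BitLockerToGo.exe) issuing DNS queries, and one process cycling through several distinct domains in a short window. The following Python is an added example, not code from the post; the log records are constructed in a simplified key=value form (not real Sysmon XML), and the domain names are ones the sample was seen resolving.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Sysmon Event ID 22 records written for this example.
SAMPLE_EVENTS = """\
UtcTime=2024-05-27 10:01:02.100 Image=C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe QueryName=alcojoldwograpciw.shop
UtcTime=2024-05-27 10:01:02.400 Image=C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe QueryName=productivelookewr.shop
UtcTime=2024-05-27 10:01:02.700 Image=C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe QueryName=tolerateilusidjukl.shop
UtcTime=2024-05-27 10:01:03.000 Image=C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe QueryName=shatterbreathepsw.shop
UtcTime=2024-05-27 10:02:10.000 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe QueryName=learn.microsoft.com
UtcTime=2024-05-27 10:02:11.000 Image=C:\\Windows\\System32\\svchost.exe QueryName=time.windows.com
"""

EVENT_RE = re.compile(r"UtcTime=(?P<ts>\S+ \S+) Image=(?P<image>.+?) QueryName=(?P<qname>\S+)$")

# Binaries that should never resolve names on their own; BitLockerToGo.exe is the
# one this post observed, any others are a defender's choice (assumption).
NO_DNS_EXPECTED = {"bitlockertogo.exe"}

def parse_events(text):
    """Turn the simplified records into (timestamp, image path, queried name) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["image"], m["qname"].lower()))
    return events

def detect(events, window=timedelta(seconds=10), min_distinct=3):
    """Return (rule, image, detail) findings: unexpected resolvers and domain cycling."""
    findings, by_image = [], defaultdict(list)
    for ts, image, qname in sorted(events):
        if image.rsplit("\\", 1)[-1].lower() in NO_DNS_EXPECTED:
            findings.append(("unexpected_resolver", image, qname))
        by_image[image].append((ts, qname))
    # Domain cycling: one process resolving >= min_distinct names inside the window.
    for image, queries in by_image.items():
        for i, (start, _) in enumerate(queries):
            names = {q for t, q in queries[i:] if t - start <= window}
            if len(names) >= min_distinct:
                findings.append(("domain_cycling", image, ",".join(sorted(names))))
                break
    return findings
```

In a real deployment the parser would read the Sysmon XML (or a SIEM's normalized fields) rather than this key=value form, but the two rules are the same.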

It also generated these two files simultaneously, which it then executed and deleted almost instantly once done. I wasn’t able to grab these files or their hashes, so I’m not really sure what they are for.

C:\Users\Public\Libraries\opice.scif

C:\Users\Public\Libraries\bfnde.scif

After running the malware several times, I noticed that it always writes these .scif files to the same path, but with a different file name every time.

I saw something unusual about what it does to time zones, so I extracted the ProcMon logs to CSV and loaded them into ProcDot to get a better look. This is where I saw that it touches the file <registry> and constantly sets a different value.

IOCs:


Additional References:

https://redcanary.com/blog/incident-response/active-breach-evading-defenses/
https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/
