Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label security research.. Show all posts

LummaC2 Malware Introduces Innovative Anti-Sandbox Technique Utilizing Trigonometry

 

The LummaC2 malware, also known as Lumma Stealer, has introduced a novel anti-sandbox technique that utilizes trigonometry to avoid detection and steal valuable information from infected hosts. Outpost24 security researcher Alberto Marín highlighted this method, stating that it aims to delay the activation of the malware until human mouse activity is identified.

Originally written in the C programming language, LummaC2 has been available on underground forums since December 2022. Subsequent updates have made it more resistant to analysis through techniques like control flow flattening, and it now has the capability to deliver additional payloads.

In its current iteration (v4.0), LummaC2 mandates the use of a crypter by its customers to enhance concealment and prevent the leakage of its raw form.

A significant enhancement involves the utilization of trigonometry to identify human behavior on the compromised endpoint. Marín explained that this technique observes various cursor positions within a short time frame to effectively detect human activity, thereby thwarting detonation in analysis systems that lack realistic mouse movement emulation.

To achieve this, LummaC2 captures the cursor position five times after a predefined sleep interval of 50 milliseconds. It then checks if each captured position differs from its predecessor, repeating the process until all consecutive cursor positions differ. Once these positions meet the requirements, LummaC2 treats them as Euclidean vectors, calculating the angles formed between two consecutive vectors. If all calculated angles are below 45º, LummaC2 v4.0 perceives it as 'human' mouse behavior and proceeds with execution. If any angle exceeds 45º, the malware restarts the process by ensuring mouse movement in a 300-millisecond period and capturing five new cursor positions.

This development coincides with the emergence of new information stealers and remote access trojans like BbyStealer, Trap Stealer, Predator AI, Epsilon Stealer, Nova Sentinel, and Sayler RAT, designed to extract sensitive data from compromised systems.

Predator AI, a actively maintained project, stands out for its capability to attack popular cloud services like AWS, PayPal, Razorpay, and Twilio. It has also incorporated a ChatGPT API for user convenience, as noted by SentinelOne earlier this month.

Marín emphasized that the malware-as-a-service (MaaS) model remains the preferred method for emerging threat actors to conduct complex and lucrative cyberattacks. Information theft, particularly within the realm of MaaS, poses a significant threat, leading to substantial financial losses for both organizations and individuals.