Carding Forum
Why did hackers target a popular gaming platform?
Security researchers from AhnLab Security (ASEC) recently identified a new variant of the LummaC2 malware that uses the popular Steam gaming platform as a C2 server. The new method significantly increases the threat to users and organizations around the world.
LummaC2 is an infostealer that is actively distributed under the guise of pirated software, such as cracks, keygens and game cheats. These malicious files are distributed through a variety of channels, including YouTube, LinkedIn, and even search engine ads, using a technique known as SEO poisoning.
Recently, LummaC2 has also disguised itself as legitimate apps such as Notion, Slack, and CapCut, thus expanding its audience. According to ASEC, LummaC2 was initially distributed either as a single executable file (EXE) or through the DLL sideloading technique, where the malicious DLL was packaged in the same archive as a legitimate EXE file. This method allowed the virus to remain invisible to many security systems.
In the new version, LummaC2 uses the Steam platform to get information about C2 domains, although previously all information about the C2 infrastructure was embedded in the malware sample itself. Due to this innovation, attackers can now dynamically change C2 domains using a legitimate platform, which increases the stability of the virus and reduces the probability of its detection.
To be fair, this method is not entirely new. In fact, it repeats the strategy previously used by the Vidar virus, which also exploited various legitimate platforms such as TikTok, Mastodon, and Telegram to gain information about the C2 infrastructure.
When executed, LummaC2 decrypts its internal encrypted strings to obtain information about C2 domains. If all embedded domains are unavailable, the virus initiates the Steam connection procedure. The required URL within the game platform is stored directly in the executable code.
This hard-coded URL points to a specific Steam account profile page, presumably created by the attacker. The malware obtains a string by parsing the "actual_persona_name" element on this page, then decrypts that string with a Caesar cipher to recover the actual C2 domain.
Using a legitimate service, such as Steam, with its huge user base, helps reduce suspicion and allows an attacker to easily change the C2 domain if necessary. This flexibility increases the success rate of an attack and makes the virus harder for security systems to detect.
After decrypting the domain, LummaC2 connects to the C2 server and downloads an encrypted JSON settings file. This file is also decrypted, and the virus performs malicious actions based on the specified settings. The stolen information includes data from password managers, browsers, VPN clients, FTP clients, and many other programs. It is sent to the attackers' C2 server when the malware terminates.
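The dead-drop mechanism described above can be reproduced from the analyst's side: given the HTML of a suspect Steam profile page, pull out the persona name, try every Caesar shift, and keep only the shifts that yield something shaped like a domain. The following Python is an added example for this post, not code from ASEC or from the malware; the sample page fragment, the list of plausible TLDs and the shift used in the sample are all constructed for illustration, and the actual shift used by LummaC2 is not stated in the post, which is why the script brute-forces all of them.

```python
"""Triage helper: recover a Caesar-shifted domain from a Steam persona name.

Everything here (sample page, TLD list, domain pattern) is constructed for
this example; only the element class name "actual_persona_name" comes from
the write-up above.
"""
import re
import string
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed fragment of a profile page. The persona value is our own test
# string: a reserved example.net subdomain shifted by 3.
SAMPLE_PROFILE_HTML = """
<html><body>
<div class="profile_header_centered_persona">
  <span class="actual_persona_name">fgq-xsgdwhv.hadpsoh.qhw</span>
  <span class="header_real_name">some real name</span>
</div>
</body></html>
"""

# Assumed list of TLDs an analyst considers plausible for C2 hosting; used
# only to rank the 26 Caesar candidates, extend it per investigation.
LIKELY_TLDS = {"com", "net", "org", "info", "xyz", "top", "site", "online", "io", "ru"}

# Hostname shape: dot-separated labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


class PersonaNameParser(HTMLParser):
    """Collects the text of every element whose class list contains
    actual_persona_name (the page may carry it on a span or a div)."""

    def __init__(self) -> None:
        super().__init__()
        self._capturing = False
        self.names: List[str] = []

    def handle_starttag(self, tag, attrs):
        classes = dict(attrs).get("class") or ""
        if "actual_persona_name" in classes.split():
            self._capturing = True
            self.names.append("")

    def handle_data(self, data):
        if self._capturing:
            self.names[-1] += data

    def handle_endtag(self, tag):
        self._capturing = False


def extract_persona_name(html: str) -> Optional[str]:
    """Return the first persona name found in the page, or None."""
    parser = PersonaNameParser()
    parser.feed(html)
    return parser.names[0].strip() if parser.names else None


def caesar_decrypt(text: str, shift: int) -> str:
    """Shift every ASCII letter back by `shift`; digits, dots and hyphens pass
    through unchanged, which is what lets a domain survive the cipher."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") - shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") - shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def domain_candidates(persona: str) -> List[Tuple[int, str]]:
    """Try all 26 shifts and keep those that look like a hostname with a
    plausible TLD. Returns (shift, domain) pairs, lowest shift first."""
    hits = []
    for shift in range(26):
        candidate = caesar_decrypt(persona, shift).lower()
        if DOMAIN_RE.match(candidate) and candidate.rsplit(".", 1)[-1] in LIKELY_TLDS:
            hits.append((shift, candidate))
    return hits


def recover_c2_candidates(html: str) -> List[Tuple[int, str]]:
    """End-to-end: page HTML in, ranked (shift, domain) candidates out."""
    persona = extract_persona_name(html)
    return domain_candidates(persona) if persona else []


if __name__ == "__main__":
    for shift, domain in recover_c2_candidates(SAMPLE_PROFILE_HTML):
        print(f"shift={shift:2d}  candidate C2 domain: {domain}")
```

The TLD filter matters: a plain hostname regex accepts most of the 26 rotations of a letters-only string, so ranking by a plausible suffix is what separates the real decode from noise. In an investigation the recovered domain goes straight into blocklists and into the proxy and DNS logs as a pivot for finding hosts that already resolved it.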
To reduce the risk associated with LummaC2 and similar malware, organizations and ordinary users are advised to:
- Avoid downloading illegal software from untrusted sources.
- Use only reliable antivirus software.
- Regularly update the software to protect against known vulnerabilities.
- Educate users about the risks of downloading and running unknown files.
- Monitor network traffic to detect unusual patterns that may indicate a virus infection.
All of these measures will help you better protect yourself from the complex tactics of LummaC2 and other evolving cyber threats.