LummaC2 uses trigonometry to detect sandboxes

Lord777

The LummaC2 malware (also known as Lumma Stealer), which steals user data, has acquired an interesting new feature: to evade sandboxes before extracting confidential information from the host, the malware uses trigonometry.

According to researchers from Outpost24, the technique lets operators delay activation of the malware until human mouse activity is detected.

LummaC2, written in C, has been sold on cybercriminal forums since December 2022. The authors of the Trojan periodically expand its functionality, and pay special attention to anti-analysis methods.

The current version of LummaC2, now numbered v4.0, requires operators to use a cryptor as an additional concealment measure. This is meant to counter leaks of the malware's code.

In addition, the new sample uses trigonometry to detect human activity on the compromised host.

"The new technique used by the malware relies on the position of the mouse cursor, which is calculated in a short period of time — this helps to detect human activity. Thanks to this approach, the malware does not activate its functions when working in an analysis environment, which, as a rule, does not very realistically emulate mouse movements," experts explain.

To do this, LummaC2 polls the cursor position at an interval of 300 milliseconds. The process is repeated until five consecutive cursor positions (P0, P1, P2, P3 and P4) are all different from one another.

The malware treats the steps between cursor positions as vectors and computes the angle between each pair of consecutive vectors (P01 and P12, P12 and P23, P23 and P34).

"If all calculated angles are below 45 degrees, LummaC2 v4.0 makes sure that a person is moving the mouse. After that, malicious functions are activated," the experts conclude.
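The check described above matters to anyone running a sandbox or automated analysis environment: if its mouse emulation never produces five distinct positions joined by small turning angles, the stealer never unpacks its real behaviour and the analysis sees nothing. The following Python reimplementation of the angle test on constructed cursor samples is an added example, not LummaC2's code or Outpost24's. The 300 ms interval, the five-sample window and the 45-degree threshold come from the article; how a failed window is handled (here, sliding one sample forward rather than restarting the capture) and the sample trajectories are assumptions.

```python
import math
from typing import Iterable, List, Optional, Sequence, Tuple

Point = Tuple[int, int]
Vector = Tuple[float, float]

SAMPLE_INTERVAL_MS = 300    # from the article: cursor polled every 300 ms
WINDOW = 5                  # from the article: positions P0..P4
ANGLE_THRESHOLD_DEG = 45.0  # from the article: every turning angle must be below this


def angle_between(v1: Vector, v2: Vector) -> Optional[float]:
    """Angle in degrees between two vectors, or None if either has zero length."""
    n1 = math.hypot(v1[0], v1[1])
    n2 = math.hypot(v2[0], v2[1])
    if n1 == 0.0 or n2 == 0.0:
        return None
    cosine = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    cosine = max(-1.0, min(1.0, cosine))  # clamp away floating-point drift
    return math.degrees(math.acos(cosine))


def window_angles(points: Sequence[Point]) -> Optional[List[float]]:
    """Turning angles P01-P12, P12-P23, P23-P34 for five samples.

    Returns None when any two consecutive positions coincide, which is the
    article's precondition for the window being usable at all.
    """
    if len(points) != WINDOW:
        raise ValueError(f"expected {WINDOW} samples, got {len(points)}")
    for a, b in zip(points, points[1:]):
        if a == b:
            return None
    vectors: List[Vector] = [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]
    angles: List[float] = []
    for v1, v2 in zip(vectors, vectors[1:]):
        ang = angle_between(v1, v2)
        if ang is None:  # cannot happen once consecutive points differ, kept defensively
            return None
        angles.append(ang)
    return angles


def looks_human(points: Sequence[Point]) -> bool:
    """True when the window passes the article's test: five distinct positions, all angles below 45 degrees."""
    angles = window_angles(points)
    return angles is not None and all(a < ANGLE_THRESHOLD_DEG for a in angles)


def first_passing_sample(samples: Iterable[Point]) -> Optional[int]:
    """Slide the five-sample window over a stream of 300 ms samples.

    Returns the index of the sample that completes the first passing window,
    or None if the stream ends first. Sliding (rather than restarting) on a
    failed window is an assumption, not something the article states.
    """
    buf: List[Point] = []
    for i, p in enumerate(samples):
        buf.append(p)
        if len(buf) > WINDOW:
            buf.pop(0)
        if len(buf) == WINDOW and looks_human(buf):
            return i
    return None


# Constructed sample trajectories (not captured data).
HUMAN_LIKE: List[Point] = [(100, 100), (130, 105), (160, 115), (190, 130), (220, 150)]  # gentle curve
STATIC: List[Point] = [(100, 100)] * WINDOW                                             # cursor never moves
JITTER: List[Point] = [(100, 100), (140, 100), (100, 140), (140, 140), (100, 100)]      # sharp reversals


if __name__ == "__main__":
    for name, traj in (("human-like", HUMAN_LIKE), ("static", STATIC), ("jitter", JITTER)):
        print(f"{name:10s} angles={window_angles(traj)} passes={looks_human(traj)}")
    print("first passing sample in static+human stream:", first_passing_sample(STATIC + HUMAN_LIKE))
```

Run as a script it prints the three turning angles of each constructed trajectory and whether it would satisfy the check. A sandbox whose mouse emulation produces the static or jittering patterns would never trigger the stealer's payload; a smooth, slightly curving path does, which is the property a realistic emulator needs to reproduce.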

The developers of the Lumma stealer (aka LummaC2) are advertising a new feature that supposedly allows restoring expired Google cookies, which can then be used to hijack victims' accounts.

Session cookies usually have a limited validity period for security reasons, to limit the damage if they are stolen: such a cookie lets anyone who holds it log in to the account of the user it belongs to.

Restoring such cookies would therefore allow Lumma operators to gain unauthorized access to a Google account even after the real user has logged out and their session has expired.

The first ad for this feature, which appeared on a hacker forum, was spotted by Alon Gal, an information security researcher at Hudson Rock. On November 14, the Lumma developers announced that they had released an update that allows "restoring 'dead' cookies using keys from Restore files (applicable only to Google cookies)."

The message specifies that the same key can only be used twice, so cookies can only be restored once.

The new feature is available only to subscribers of the "Corporate" plan, which costs $1,000 per month.

Bleeping Computer notes that the Lumma developers' claims have not yet been confirmed or refuted by information security specialists or by Google, so whether the feature works as advertised remains an open question.

However, journalists note that recently the creators of another stealer, Rhadamanthys, also said that they added similar functionality in the latest update. This increases the likelihood that malware developers have actually discovered and are exploiting a problem.

Bleeping Computer repeatedly tried to contact Google for comment on the hackers' statements and on the theoretical vulnerability involving session cookies, but received no response.

Interestingly, a few days after the publication contacted Google, the developers of Lumma released an update in which they stated that it bypasses some recently introduced Google restrictions that prevent cookie recovery.

The journalists also tried to find out from the hackers themselves exactly how the feature works and what vulnerabilities it uses. Representatives of the group refused to answer these questions, but said that their competitors, the creators of Rhadamanthys, had simply copied the feature from the Lumma stealer.

The journalists conclude that if stealers really have learned to restore expired Google cookies, as the ad claims, then users can do nothing to protect their accounts except prevent their systems from being infected with the malware that steals these cookies in the first place.