LummaC2, a widely used information stealer also known as Lumma Stealer, has introduced a novel anti-sandbox technique that uses trigonometry to detect human mouse movement, so that it can evade automated analysis environments and harvest sensitive information only from hosts that appear to have a real user.

According to Outpost24 security researcher Alberto Marín, this technique is devised to “delay detonation of the sample until human mouse activity is detected,” as outlined in a technical report.

Initially coded in the C programming language, LummaC2 has been available on underground forums since December 2022. Over time, it has undergone iterative updates, incorporating features such as control flow flattening to impede analysis and the capability to deliver supplementary payloads.

In its latest version, LummaC2 (v4.0) requires customers to run the sample through a crypter as an additional concealment measure, so that the malware is not leaked in its raw, unpacked form.

A significant enhancement involves the utilization of trigonometry to discern human behavior on the compromised endpoint. Marín explains, “This approach considers various cursor positions within a brief timeframe to identify human activity, effectively thwarting activation in analysis systems that lack realistic emulation of mouse movements.”

To achieve this, LummaC2 captures the current cursor position five times, sleeping a predefined 50 milliseconds between captures. It repeats this until every pair of consecutive positions differs. It then treats the successive positions as Euclidean vectors and computes the angle between each pair of successive vectors. If every computed angle is below 45°, LummaC2 v4.0 treats the movement as human and proceeds with execution. If any angle is 45° or more, the malware starts over: it waits for mouse movement within a roughly 300-millisecond window, captures five new cursor positions and analyzes them again. The underlying assumption is that a human moves the mouse along smooth, continuous paths, whereas a sandbox that emulates input by teleporting the cursor to random points produces sharp direction changes.
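The decision rule above, reimplemented as an added example in Python (this is not LummaC2's code or Outpost24's analysis code, and the cursor positions are constructed, not captured). It assumes that the "vectors" compared are the displacements between consecutive captured positions and that the threshold is a strict 45° check; the `wait_for_human` loop takes an injectable position source in place of real OS cursor reads and a real 50 ms sleep, so it runs offline:

```python
import math
from typing import Iterator, List, Optional, Sequence, Tuple

Point = Tuple[int, int]
Vector = Tuple[int, int]

SAMPLES = 5            # cursor positions captured per round (per the report)
SAMPLE_DELAY_MS = 50   # sleep between captures (per the report; not applied here)
MAX_ANGLE_DEG = 45.0   # angles at or above this trigger a retry


def displacement_vectors(points: Sequence[Point]) -> List[Vector]:
    """Vector from each captured position to the next (4 vectors for 5 points).
    Assumption: this is what 'successive vectors' refers to in the write-up."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]


def angle_between_deg(u: Vector, v: Vector) -> float:
    """Unsigned angle in [0, 180] between two 2-D vectors, via atan2(|cross|, dot).
    Using atan2 avoids the acos() precision loss near 0 and 180 degrees."""
    cross = u[0] * v[1] - u[1] * v[0]
    dot = u[0] * v[0] + u[1] * v[1]
    return math.degrees(math.atan2(abs(cross), dot))


def looks_human(points: Sequence[Point], max_angle_deg: float = MAX_ANGLE_DEG) -> bool:
    """Apply the rule: all consecutive positions differ, and every angle between
    successive displacement vectors is strictly below the threshold."""
    if len(points) != SAMPLES:
        raise ValueError(f"expected {SAMPLES} positions, got {len(points)}")
    vectors = displacement_vectors(points)
    if any(v == (0, 0) for v in vectors):
        return False  # cursor did not move between two samples: not enough evidence
    angles = [angle_between_deg(u, v) for u, v in zip(vectors, vectors[1:])]
    return all(a < max_angle_deg for a in angles)


def wait_for_human(cursor_source: Iterator[Point], max_rounds: int = 1000) -> Optional[int]:
    """Loop the way the stealer does: take SAMPLES readings, test, retry on failure.
    Returns the zero-based round in which the test passed, or None if the
    source ran dry or max_rounds was reached (the real malware loops indefinitely)."""
    for round_no in range(max_rounds):
        batch: List[Point] = []
        for _ in range(SAMPLES):
            try:
                batch.append(next(cursor_source))  # real code: GetCursorPos + Sleep(50)
            except StopIteration:
                return None
        if looks_human(batch):
            return round_no
    return None


# Constructed sample input (not captured data).
# A gentle arc, the kind of path a hand produces over ~250 ms.
HUMAN_ARC: List[Point] = [(100, 100), (130, 112), (162, 128), (196, 150), (232, 178)]
# A sandbox that emulates activity by jumping the cursor to random screen points.
SANDBOX_JITTER: List[Point] = [(100, 100), (500, 300), (120, 480), (600, 90), (50, 50)]
# A sandbox with no mouse emulation at all.
STATIC_CURSOR: List[Point] = [(100, 100)] * SAMPLES


if __name__ == "__main__":
    for name, batch in [("human arc", HUMAN_ARC), ("jitter", SANDBOX_JITTER), ("static", STATIC_CURSOR)]:
        print(f"{name:10s} -> {'human' if looks_human(batch) else 'retry'}")
    # The jitter batch fails in round 0; the arc passes in round 1.
    print("passed in round", wait_for_human(iter(SANDBOX_JITTER + HUMAN_ARC)))
```

The practical takeaway for sandbox operators is that the check is cheap to satisfy but not by accident: a straight line or a smooth curve passes (all angles near 0°), while a stationary cursor or random teleportation never does. Emulated input therefore needs continuous, low-curvature cursor motion that is present throughout the sample's run, not just a few clicks at startup.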

This development coincides with the emergence of new information stealers and remote access trojans, including BbyStealer, Trap Stealer, Predator AI, Epsilon Stealer, Nova Sentinel, and Sayler RAT. Predator AI, an actively maintained project, stands out for its capability to target popular cloud services like AWS, PayPal, Razorpay, and Twilio, and its integration of a ChatGPT API for enhanced usability.

Outlining the prevalent threat landscape, Marín emphasized that the malware-as-a-service (MaaS) model remains the preferred method for emerging threat actors to execute complex and lucrative cyberattacks. Information theft, a focal point within the realm of MaaS, poses a substantial threat leading to significant financial losses for both organizations and individuals.
