SmartWorks Network

  • Home
  • RSS Blog
  • YouTube channels
  • Podcasts
  • Jobs
  • Tools
  • About us
  • Contact

LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT

by Valentin / Saturday, 13 January 2024 / Published in RSS blog posts

Cyber Security BlogsKey Takeaways

The blog delves into a new infection approach to disseminating the SectopRAT final payload.

Providing insight into LummaC stealer and its method of procuring the Amadey bot malware.

The Amadey bot replicates itself to ensure persistence, generating an LNK file within the startup folder directory. Upon being started, this LNK file triggers the execution of the duplicated instance of the Amadey.

Execution of the Amadey bot retrieves the SectopRAT payload through downloading, subsequently running within the victim’s system.

Executive Summary

LummaC, an information stealer, is being distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking forums. This malware is designed to pilfer sensitive data from infected devices. Among the data targeted are cryptocurrency wallets, browser extensions, two-factor authentication codes, and various files. The Threat Actors (TAs) accountable for this malware have consistently introduced improved iterations of LummaC. This new iteration boasts several additional features, including the ability to load other malware files (introduced in version 19.07) while the main information-stealing malware is executing on the victim’s system, as mentioned in the image below.

Figure 1 – New Loader feature of LummaC stealer mentioned in the TA’s Telegram channel

Cyble Research & Intelligence Labs (CRIL) has recently come across a novel approach for spreading SectopRAT. This technique entails delivering the SectopRAT payload by utilizing the Amadey bot malware, which is retrieved from the LummaC stealer, as illustrated in the figure below.

Figure 2 – Infection chain

Detailed information about these techniques can be discussed in the Technical Analysis section.

Initial Infection

In most cases, the LummaC Stealer has been disseminated through phishing websites that impersonate genuine software sources, as well as via spear-phishing emails.

Historically, the LummaC stealer distributed through deceptive websites like counterfeit Microsoft Sysinternals Suite. It also aimed at YouTubers by employing spear-phishing emails and was further disseminated by masquerading as illicit software cracks.

Technical Analysis

We’ve encountered several ZIP files in the wild that seem to contain the LummaC stealer malware. It’s possible that these files are being distributed through a YouTube campaign disguised as software setup files. A few examples of these filenames include:

• Newest_Setup_123_UseAs_PassKey.zip
• Latest_Setup_Use__PassWord__224466.zip
• Latest_Setup_Use_224466_As_PassCode.zip
• Latest_Setup_Use__PassWord__224466.zip
• New_PC_Setup_PassWord_UseAs_224466.zip
• $#E-R1-Setup-Password-123.zip
• Active_Setup_113355_UseAs_PassKey.zip
• Setup_123_Passwords_Open_App.zip
• Passw0rdz_113355_Open_Setup_App.zip
• Active_Setup_With_224466_PassWord.zip

These files appear to have been deliberately named in a way that could attract users, potentially tricking them into running the contained malware. In this technical analysis, we analyzed a sample named “Active_Setup_With_224466_PassWord.zip.”

The SHA-256 hash of this ZIP archive file is 7b5500ada0bf017d0bac84b181076ebfd7220693748b9ca634f06271837edfb7.

The image below illustrates the contents of a ZIP archive featuring two directories named “Common Files” and “HMService.” These directories encompass numerous legitimate DLL files, while the ZIP archive itself contains an executable called “Setup.exe.” Importantly, the “Setup.exe” serves as a payload for the LummaC Stealer executable.

Figure 3 – Content of ZIP archive file

The LummaC Stealer file (“Setup.exe,”), which is identified by its SHA256 hash: f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144. This particular binary file is a 32-bit GUI-based .NET Reactor executable.

LummaC Stealer

LummaC Stealer is malware designed to gather sensitive information from compromised devices illicitly. This includes a variety of data, such as cryptocurrency wallets, browser extensions, two-factor authentication codes, and files. LummaC Stealer is offered as a service by its creators, available on underground forums and Telegram channels primarily used by Russian speakers since at least August 2022. The seller of this software has been actively marketing LummaC Stealer since April 2022, releasing new versions and responding to questions on underground forums, Telegram channels, and a dedicated website.

According to the information provided by TAs, LummaC2 represents a next-gen stealer with an impressive success rate. Notably, it operates effectively even on clean systems, devoid of any dependencies whatsoever. Its key features include server-based log decryption. LummaC2 specializes in pilfering data from Chromium and Mozilla-derived browsers, encompassing about 70 browser-based cryptocurrencies and 2FA extensions. The toolkit encompasses a non-resident Loader, a dynamic low-level file grabber, and the latest innovation, the BINARY MORPHER.

When the “Setup.exe” is executed, it initiates the process of injecting the malicious LummaC Stealer content into the memory of “RegAsm.exe”, as shown below.

Figure 4 – LummaC stealer process tree

 

Once successfully installed on a targeted system, LummaC Stealer orchestrates covert operations to collect important system details, such as operating system version, hardware identifiers, CPU specifications, RAM details, screen resolution, and system language. With this information, the malware extracts sensitive data from designated applications, concentrating on web browsers, cryptocurrency wallets, two-factor authentication extensions, and others.

The figure below displays memory content within RegAsm.exe, containing strings associated with the URL of the LummaC Stealer’s command-and-control server.

Figure 5 – LummaC C&C strings present in RegAsm memory

 

LummaC Stealer’s impact is significant, spanning various web browsers such as Chrome, Mozilla Firefox, Microsoft Edge, and others. Within these environments, the stealer gains access to browsing histories, internet cookies, login details, personal data, credit card information, and other valuable data.

After gathering all the sensitive information from the targeted system, the stealer encrypts the collected data and sends it to the C&C server, as depicted in the image below.

hxxp[:]//exitlife[.]xyz/c2sock

Figure 6 – LummaC C&C communication

 

CRIL has already published a comprehensive blog post offering a detailed examination of LummaC Stealer. The blog can be accessed here.

Furthermore, the LummaC Stealer retrieves the Amadey bot malware by downloading it from the following URL, as depicted in the below figure.

hxxp[:]//africatechs[.]com/Amdaygo[.]exe

Figure 7 – Presence of Amadey payload URL in LummaC memoryAmadey Bot

Amadey Bot is a type of malware that was identified in 2018. It can carry out tasks like exploring compromised systems, gathering data, and loading additional malicious payloads. During its early stages, it was disseminated through exploit kits. TAs used it to introduce different types of malware, including the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan (RAT). In 2022, associates linked to the LOCKBIT group employed the Amadey bot to distribute ransomware to their targets.

The Amadey bot, once retrieved by the LummaC Stealer, is saved and executed within the Temp directory with the below-specified filename:

C:UsersuserAppDataLocalTemphhwjilxtgukpvvhbpo.exe

The Amadey bot is a 32-bit GUI type .NET Reactor executable with sha256 d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c.

After being executed, the Amadey malware copies itself to the following location and executes it.

C:UsersuserVideosedddegyjjykj.exe

Additionally, it creates an LNK file that, when clicked, executes the dropped copy of itself “edddegyjjykj.exe” file. This LNK file is dropped into the below startup folder location to maintain persistence.

C:UsersuserAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupedddegyjjykj.lnk

During the execution, Amadey establishes communication with its C&C server, regularly transmitting system details such as OS version, architecture, username, installed antivirus software, etc. Additionally, it queries the server to receive instructions. The primary feature of Amadey is its capability to deploy other payloads to all compromised computers or selectively to those targeted by the malware.

The below figure illustrates the malware sending system information to the C&C server through the following URL:

hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php

Figure 8 – Amadey exfiltration

CRIL has previously released an extensive blog post that provides an in-depth analysis of Amadey Bot. It can be accessed here.

Moreover, the malware downloads an additional malicious payload from the following URL, as mentioned in the figure below.

hxxp[:]//patriciabono[.]com/BRR[.]exe

Figure 9 – Amadey C&C communication

 

The image below depicts the malware’s memory content, including strings related to the Amadey bot’s C&C server, as well as the URL for the SectopRAT payload.

​Read More

  • Tweet

About Valentin

What you can read next

Medium: Please remove the TypeScript code option or fix it
US retailers under attack by gift card-thieving cyber gang
Environmental Websites Hit by DDoS Surge in COP28 Crossfire

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • Sniffnet: Free, open-source network monitoring
  • 90% of threats are social engineering
  • 78% of SMBs fear cyberattacks could shut down their business
  • Chinese attackers leverage previously unseen malware for espionage
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

Recent Comments

No comments to show.

Recent Posts

  • Sniffnet: Free, open-source network monitoring

    Cyber Security Blogs Sniffnet is a free, open-s...
  • 90% of threats are social engineering

    Cyber Security Blogs In this Help Net Security ...
  • 78% of SMBs fear cyberattacks could shut down their business

    Cyber Security Blogs 94% of SMBs have experienc...
  • Chinese attackers leverage previously unseen malware for espionage

    Cyber Security Blogs Sophos released its report...
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

    Cyber Security Blogs Researchers have uncovered...

Archives

  • June 2024
  • May 2024
  • March 2024
  • January 2024

Categories

  • RSS blog posts

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

    Featured Posts

    • Sniffnet: Free, open-source network monitoring

      0 comments
    • 90% of threats are social engineering

      0 comments
    • 78% of SMBs fear cyberattacks could shut down their business

      0 comments
    • Chinese attackers leverage previously unseen malware for espionage

      0 comments
    • Long-running Chinese cyberespionage operation targeted Southeast Asian government

      0 comments

    SEARCH

    RECENT POSTS

    • Sniffnet: Free, open-source network monitoring

    • 90% of threats are social engineering

    • 78% of SMBs fear cyberattacks could shut down their business

    TAG CLOUD

    ©2024 All rights Reserved @Smart Works Network

    TOP