Advanced Geometry-Based Anti-Sandbox Method Employed by LummaC2 Malware

By Muhammad Hussain

The stealer malware known as LummaC2 (also known as Lumma Stealer) now includes a new anti-sandbox technique that uses the mathematical principle of trigonometry to evade detection and exfiltrate valuable data from infected hosts.

The technique is designed to “delay detonation of the sample until human mouse activity is detected,” Outpost24 security researcher Alberto Marín said in a technical report shared with The Hacker News.

Written in the C programming language, LummaC2 has been sold on underground forums since December 2022. The malware has since received iterative updates that make it harder to analyze through control-flow flattening and even allow it to deliver additional payloads.

The current version of LummaC2 (v4.0) also requires its customers to use a crypter as an additional concealment layer, and to prevent it from being leaked in its raw form.

Another notable update is the reliance on trigonometry to detect human behavior on the compromised endpoint.

“This technique takes into consideration different positions of the cursor in a short interval to detect human activity, effectively preventing detonation in most analysis systems that do not emulate mouse movements realistically,” Marín said.

To do so, it reads the current cursor position several times, each after a predefined sleep interval measured in milliseconds, and checks that each position differs from the previous one. The process is repeated indefinitely until all consecutive cursor positions differ.

Once the five cursor positions meet the requirements, LummaC2 treats them as Euclidean vectors and calculates the angle formed between each pair of consecutive vectors.

“If all the calculated angles are lower than 45°, then LummaC2 v4.0 considers it has detected ‘human’ mouse behavior and continues with its execution,” Marín said.

“However, if any of the calculated angles are bigger than 45°, the malware will start the process all over again by ensuring there is mouse movement in a 300-millisecond period and capturing again 5 new cursor positions to process.”
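The five-position check described above, as an added Python model (not LummaC2's code and not Outpost24's analysis tooling) that a sandbox engineer can use to test whether an emulated cursor trace would pass the gate; it assumes the angle is taken between consecutive displacement vectors, and the three sample traces are constructed.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[int, int]
Vector = Tuple[int, int]

# Constructed sample traces (screen coordinates), not captured data.
HUMAN_LIKE: List[Point] = [(100, 100), (130, 112), (165, 120), (200, 124), (240, 126)]
SANDBOX_ZIGZAG: List[Point] = [(100, 100), (150, 100), (150, 150), (200, 150), (200, 200)]
STATIC_CURSOR: List[Point] = [(100, 100)] * 5


def angle_between(v1: Vector, v2: Vector) -> float:
    """Angle in degrees between two displacement vectors (0 = same direction)."""
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0 or n2 == 0:
        # Degenerate vector; cannot occur once the movement pre-check has passed.
        return 180.0
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_theta))))


def all_positions_moved(points: Sequence[Point]) -> bool:
    """Pre-check: every sampled position must differ from the previous one."""
    return all(points[i] != points[i - 1] for i in range(1, len(points)))


def consecutive_angles(points: Sequence[Point]) -> List[float]:
    """Angles between consecutive displacement vectors (5 points -> 4 vectors -> 3 angles)."""
    vecs = [(points[i][0] - points[i - 1][0], points[i][1] - points[i - 1][1])
            for i in range(1, len(points))]
    return [angle_between(vecs[i - 1], vecs[i]) for i in range(1, len(vecs))]


def passes_human_gate(points: Sequence[Point], threshold_deg: float = 45.0) -> bool:
    """True if a 5-sample trace would be accepted as 'human' movement under the described rule."""
    if len(points) != 5 or not all_positions_moved(points):
        return False  # the malware would re-sample instead of detonating
    return all(angle < threshold_deg for angle in consecutive_angles(points))


if __name__ == "__main__":
    for name, trace in [("human-like", HUMAN_LIKE), ("zigzag", SANDBOX_ZIGZAG), ("static", STATIC_CURSOR)]:
        print(f"{name:10s} angles={[round(a, 1) for a in consecutive_angles(trace)]} "
              f"passes={passes_human_gate(trace)}")
```

Right-angle or teleporting synthetic movement fails the gate, so a sandbox that wants the sample to detonate needs smoothly curving cursor paths sampled at the 300 ms cadence the report describes.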

The development comes amid the emergence of new strains of information stealers and remote access trojans (RATs) such as Epsilon Stealer, Trap Stealer, BbyStealer, and Predator AI that are designed to extract a wide range of sensitive data from compromised systems.

Predator AI, an actively maintained project, is also notable in that it can be used to attack several popular cloud services such as Twilio, PayPal, AWS, and Razorpay, and in that it integrates a ChatGPT API to “make the tool easier to use,” SentinelOne noted recently.

“The malware-as-a-service (MaaS) model, and its readily available scheme, remains to be the preferred method for emerging threat actors to carry out complex and lucrative cyberattacks,” Marín said.

“Information theft is a significant focus within the realm of MaaS, [and] represents a considerable threat that can lead to substantial financial losses for both organizations and individuals.”
