Researchers identified a LummaC2 stealer malware attack in August 2024 involving a drive-by download of a malicious ZIP archive containing an MSI file, which communicated with a C2 server to obtain a password for extracting a malicious DLL from a RAR archive.
The malicious DLL, “rnp.dll,” was disguised as a legitimate component of the RNP library, a cryptographic tool commonly used by Thunderbird, so that the trust placed in the legitimate RNP executable could be abused to execute malicious code on the compromised system.
The malicious “rnp.dll” payload was executed through a DLL side-loading technique, leveraging the legitimate “TroxApp” executable located in the AppData folder, which retrieved the LummaC2 stealer malware and a PowerShell command encoded in base64.
A PowerShell command downloaded the next-stage payload, “02074.bs64,” from a C2 server and decrypted it using two rounds of XOR operations, demonstrating the attackers’ efforts to evade detection and execute malicious code on the compromised system.
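The side-loading step above (a legitimate-looking “rnp.dll” loaded by “TroxApp” from AppData instead of by Thunderbird from its install directory) is a pattern defenders can hunt for in image-load telemetry. The following is an added example, not code from the original report or from eSentire; it runs over constructed Sysmon-style image-load events, and the field names, the “TroxApp” path and the `signed` flag are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed image-load events in the style of Sysmon Event ID 7 (not real telemetry).
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "image": r"C:\Program Files\Mozilla Thunderbird\rnp.dll", "signed": True},
    {"process": r"C:\Users\alice\AppData\Roaming\TroxApp\TroxApp.exe",   # assumed path
     "image": r"C:\Users\alice\AppData\Roaming\TroxApp\rnp.dll", "signed": False},
    {"process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\ntdll.dll", "signed": True},
]

# Directories from which rnp.dll is expected to load, and the process expected to load it.
TRUSTED_DIRS = (r"c:\program files\mozilla thunderbird",
                r"c:\program files (x86)\mozilla thunderbird")
EXPECTED_HOST = "thunderbird.exe"
WATCHED_DLLS = {"rnp.dll"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def classify_load(event):
    """Return None if the DLL is not watched, else a list of side-loading indicators."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() not in WATCHED_DLLS:
        return None
    reasons = []
    if not str(image.parent).lower().startswith(TRUSTED_DIRS):
        reasons.append("dll loaded outside its trusted install directory")
    if USER_WRITABLE.search(event["image"]):
        reasons.append("dll located in a user-writable AppData path")
    host = PureWindowsPath(event["process"]).name.lower()
    if host != EXPECTED_HOST:
        reasons.append(f"unexpected host process {host}")
    if not event.get("signed", False):   # 'signed' is assumed to come from the event source
        reasons.append("dll image is unsigned")
    return reasons


def find_sideload_candidates(events):
    """Return (image_path, reasons) for every watched DLL load that raised at least one indicator."""
    findings = []
    for event in events:
        reasons = classify_load(event)
        if reasons:
            findings.append((event["image"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```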
The malicious Chrome extension “Save to Google Drive” is installed upon execution of a PowerShell script, which is designed to steal financial information from Facebook, Coinbase, and Google Pay accounts.
It can retrieve account balances, generate withdrawal addresses, and potentially initiate cryptocurrency withdrawals. The extension communicates with a server using JSON data that contains transaction-specific details such as amounts, account identifiers, and other relevant information.
The malicious Chrome extension acts as a data siphon, gathering details about the device’s hardware, system data, installed extensions, browser user agent, and all cookies. It then generates a unique identifier for the machine, which is transmitted to the attacker’s C2 server.
The extension also manipulates browser behavior through the “getInjections” function, which opens near-invisible pop-up windows that load URLs received from the C2 server.
It monitors these pop-ups for content related to specific payment or account login pages, potentially indicating valuable targets for the attackers.
The malicious browser extension injects itself into popular email platforms and manipulates web content based on instructions stored locally, which allows it to potentially intercept or change user interactions within emails, such as capturing keystrokes or altering displayed content.
By targeting platforms like Outlook, Gmail, and Yahoo Mail, the extension can specifically target two-factor authentication codes displayed in emails, potentially compromising these security measures.
According to eSentire, the malware leveraged a Chrome extension, “CursedChrome,” to compromise infected browsers and convert them into HTTP proxies. The malicious extension captured screenshots of the user’s browsing activity and sent them to a C2 server.
The C2 server addresses were retrieved from a blockchain and mempool URL, indicating a potential connection to cryptocurrency-related activities. Taken together, the campaign demonstrated the use of DLL side-loading and a malicious Chrome extension to manipulate browser behavior and steal sensitive user data.