Cybersecurity researchers have documented the resurgence of the LUMMAC.V2 malware, a reengineered variant of the LUMMAC credential stealer, now reconstructed in C++ and enhanced with binary morphing capabilities.
LUMMAC.V2, also known as Lumma, Lummac2, or Lummastealer, has become a formidable infostealer targeting a broad spectrum of applications, including browsers, cryptocurrency wallets, password managers, remote desktop clients, email, and messaging platforms.
Its updated attack chain exploits user interactions through a social engineering vector known as the “ClickFix” technique, which manipulates unsuspecting victims into executing malicious system commands.
Infection Chain: Exploiting User Trust Through ClickFix
The infection process typically begins with an internet search, particularly for cracked software, trending media, or popular downloads, which leads users to malicious links disguised in search results.
These links redirect victims to counterfeit CAPTCHA pages that ostensibly verify human presence but covertly drive the attack.
Users are instructed to open the Windows Run dialog (Win+R), paste a clipboard-copied command (via CTRL+V), and press Enter – unknowingly launching a concealed PowerShell payload.

The PowerShell command, run in the background, fetches and executes further malicious scripts from remote servers.
Specifically, it downloads an additional script (for example, pnk3.txt), which in turn retrieves a ZIP archive containing the final payload.
According to Google's report, these payloads are extracted and deployed to custom directories within the user’s AppData folder, with persistence ensured through registry modifications.
The primary malicious binary, often named “Perspective.exe,” is executed and set to run on system startup, thereby establishing a foothold for further malicious activity.
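The chain above leaves two telemetry artifacts a defender can key on: a PowerShell process spawned from the Run dialog (its parent is explorer.exe) whose command line hides its window or references a remote .txt stage-2 script, and a Run-key autostart value pointing into a user's AppData directory. The following added example (not from Google's report or any vendor tooling) runs those two checks over constructed Sysmon-style events; the event field names, the `placeholder.invalid` URL and the paths are assumptions made for illustration.

```python
import re

# Constructed Sysmon-style events for illustration (not real telemetry):
# id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "<stage-2 fetch of http://placeholder.invalid/pnk3.txt>"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Vendor\agent.exe",          # benign admin script, should not fire
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
    {"id": 13, "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\Xyz\Perspective.exe"},
    {"id": 13, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign autostart
]

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
REMOTE_SCRIPT = re.compile(r"https?://\S+\.txt", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_APPDATA = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)

def is_clickfix_launch(ev):
    """PowerShell spawned by explorer.exe (what a Win+R launch looks like) with a
    hidden window flag or a remote .txt stage-2 URL on its command line."""
    if ev.get("id") != 1:
        return False
    if not ev["image"].lower().endswith("\\powershell.exe"):
        return False
    if not ev["parent"].lower().endswith("\\explorer.exe"):
        return False
    cmd = ev["cmdline"]
    return bool(HIDDEN_WINDOW.search(cmd) or REMOTE_SCRIPT.search(cmd))

def is_appdata_run_persistence(ev):
    """Run-key autostart value whose target lives under a user's AppData tree."""
    if ev.get("id") != 13:
        return False
    return bool(RUN_KEY.search(ev["key"])) and bool(USER_APPDATA.search(ev["value"]))

def scan(events):
    """Return (rule_name, offending_field) for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_clickfix_launch(ev):
            hits.append(("clickfix_powershell_launch", ev["cmdline"]))
        elif is_appdata_run_persistence(ev):
            hits.append(("appdata_run_persistence", ev["value"]))
    return hits

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Real Sysmon exports carry these fields as ParentImage, Image, CommandLine, TargetObject and Details; map them onto the keys used here before running the checks.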
Variations in Payload Delivery
LUMMAC.V2 demonstrates versatility in its deployment strategies:
- DLL Hijacking: Attackers leverage legitimate executables vulnerable to DLL search order hijacking by packaging malicious DLLs alongside benign installers. When the installer is run, the malicious DLL is preferentially loaded, activating the infostealer.
- Process Hollowing: Malicious loaders drop executables that spawn legitimate processes (e.g., BitlockerToGo.exe), into which malicious code is injected. The hijacked process then acts as a host for LUMMAC.V2, obfuscating its presence.
- AutoIt-based Droppers: Attackers deploy memory-resident droppers via NSIS packages. These droppers utilize heavily obfuscated batch scripts and AutoIt binaries to evade detection, perform anti-analysis routines, and ultimately decrypt and execute the infostealer in memory.
Each method employs sophisticated evasion techniques, such as sandbox and antivirus detection, anti-debugging checks, and simulated network activity, terminating execution when analysis is suspected.
Upon successful deployment, LUMMAC.V2 establishes encrypted TLS v1.2 channels with command-and-control (C2) servers, frequently shielded by Cloudflare reverse proxies to anonymize infrastructure and resist takedowns.
The malware initiates with a heartbeat signal (“act=life”) and, upon C2 acknowledgement, receives an encrypted configuration payload dictating targeted applications, file locations, and data extraction criteria.
LUMMAC.V2 systematically stages sensitive data from browsers, crypto wallets, password managers, desktop files, and a wide array of application-specific paths.
Collected data is archived and exfiltrated via HTTP POST requests, tagged with unique hardware and bot identifiers (HWID, PID, LID).
The infostealer confirms successful transmission and remains capable of receiving additional commands or malicious modules, ensuring continued adversary control.
LUMMAC.V2’s extensive targeting list includes leading browser extensions, cryptocurrency wallet files, and credentials from a vast matrix of productivity and communication tools.
Its blend of social engineering, varied delivery mechanisms, and robust evasion tactics renders it a sophisticated and persistent threat within the modern threat landscape.
Organizations and individuals are urged to exercise caution when interacting with unexpected verification prompts and to maintain vigilant endpoint security protocols to mitigate such attacks.