Researchers has come with a warning of a new version of a notorious malware-as-a-service product — one that uses an innovative anti-sandbox technique based on human behavior detection through trigonometry.
The malware is LummaC2 v4.0, an update to the well-known LummaC2 information stealer. The latest iteration of the malware marks a significant evolution in its capabilities with its anti-sandbox mechanism. The new version delays the malware’s activation until it detects genuine human mouse activity, countering analysis systems that fail to emulate realistic mouse movements. LummaC2 v4.0 uses trigonometry to discern between human and artificial mouse movements, hampering the efforts of cybersecurity researchers in analysing and mitigating such threats.
In addition to its anti-detection approach, LummaC2 v4.0 introduces several other new features that enhance its effectiveness and evasiveness. Leading the list is Control Flow Flattening Obfuscation, a default setting in the malware that disrupts the program’s natural flow to make analysis more challenging for cybersecurity experts. The obfuscation technique is crucial in concealing the malware’s true intent and complicating efforts to reverse-engineer its code.
LummaC2 v4.0 has upgraded its approach to securing sensitive strings within its code. The malware has moved away from basic modifications to using a type of encryption called XOR, ensuring that its strings remain undetected and protected from straightforward analysis methods. XOR encryption is a symmetric encryption technique that uses the XOR logical operation to combine plaintext with a key, making it a straightforward yet effective method for data obfuscation.
Another notable update in the latest version is the implementation of dynamic configuration files. The files, essential for the malware’s operation, are retrieved from the command-and-control center and, to maximize security, are encoded in Base64 and then XORed, adding a layer of complexity to the decryption.
The mandatory use of Crypter for malware builds is also being enforced. The requirement ensures that each instance of the malware is uniquely obfuscated, thereby reducing the likelihood of detection by standard antivirus and malware detection tools.
The ongoing usage of this malware in real-world scenarios indicates that it will likely continue to evolve, incorporating more advanced features and security measures in the future.