LummaC2 Stealer is an advanced malware designed to steal sensitive information, primarily targeting cryptocurrency wallets and two-factor authentication (2FA) extensions in multiple web browsers.
Initially discovered in late 2022, LummaC2 operates as a Malware-as-a-Service (MaaS), allowing cybercriminals to purchase and use it at varying price points.
Recently, Google and Mandiant security teams identified that LummaC2 has been actively using customized control flow indirection (indirect jumps whose targets are computed at runtime) to obscure its code and hinder static analysis.
LummaC2 Stealer Exploits Customized Control Flow
In response, security analysts devised an “automated deobfuscation method” using symbolic backward slicing to defeat this obfuscation. Their technique distinguishes genuine instructions from the “dispatcher instructions” the obfuscator injects into protected functions. By utilizing the Triton symbolic execution engine, researchers were able to trace backward from each indirect jump, isolate the dispatcher instructions, and understand how the indirect control transfer targets are calculated.
The obfuscator employs various dispatcher block types, including:
- Register-based
- Memory-based
- Mixed-order layouts
- Specialized conditional dispatchers (designed for standard logic, loops, and system call handling)
By using a depth-first search (DFS) traversal and carefully handling conditional jumps, the original control flow can be reconstructed, producing deobfuscated samples in a form suitable for thorough static binary analysis.
This approach delivers critical insights for security teams, enhancing their ability to analyze and detect the evolving “LummaC2” threat effectively.
Additionally, the deobfuscation process reconstructs original functions by eliminating elements added by the obfuscator while preserving the program’s semantics. This involves instruction rewriting, where the deobfuscated instructions replace the protected function, beginning from its entry point.
Two types of indirect jumps are considered: unconditional dispatcher blocks and conditional dispatcher blocks. The latter necessitates identifying the original jump type (such as ‘jz,’ ‘jnz,’ or ‘jl’) based on setcc instructions. The rebuilding process omits dispatcher instructions and any duplicates.
Next, offset relocation adjusts memory-referencing instructions (jumps and calls) to reflect new instruction locations following the removal of obfuscator code.
This technique has been applied to “LummaC2 malware,” utilizing “backward slicing” and “symbolic execution” to identify original instructions and eliminate dispatcher code.
Because the dispatcher code is removed, the deobfuscated functions occupy less space than their obfuscated counterparts; the leftover space is filled with 0xCC (int3) bytes, the same padding compilers emit between functions.
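As an added illustration of the slicing, rewriting and relocation steps described above (constructed toy code, not Mandiant's or Google's tooling): the block, instruction sizes and addresses are made up, and a small concrete evaluator stands in for Triton's symbolic execution of the dispatcher slice.

```python
# Constructed example (not Mandiant's tooling): backward-slice one dispatcher-protected
# block, evaluate the slice to resolve 'jmp ecx', then rewrite and relocate the survivors.
def parse(addr, size, text):
    """'add ecx, 0x20' -> dict holding the registers the instruction writes and reads."""
    mnem, _, rest = text.partition(" ")
    ops = [o.strip().strip("[]") for o in rest.split(",")] if rest else []
    regs = lambda xs: {o for o in xs if o.isalpha()}
    defs = regs(ops[:1]) if mnem in ("mov", "lea", "add", "xor") else set()
    uses = regs(ops if mnem[0] == "j" else ops[1:]) | (defs if mnem in ("add", "xor") else set())
    return {"addr": addr, "size": size, "mnem": mnem, "ops": ops, "text": text, "defs": defs, "uses": uses}

def backward_slice(block):
    """Indices of instructions that transitively feed the final jump's target register."""
    live, sliced = set(block[-1]["uses"]), set()
    for i in range(len(block) - 2, -1, -1):       # walk backwards from the indirect jmp
        if block[i]["defs"] & live:               # defines a register the target still needs
            sliced.add(i)
            live = (live - block[i]["defs"]) | block[i]["uses"]
    return sliced

def eval_slice(block, sliced):  # run only the dispatcher slice (Triton's job, done concretely here)
    regs, val = {}, lambda o, r: r[o] if o in r else int(o, 0)
    for i in sorted(sliced):
        m, (dst, src) = block[i]["mnem"], block[i]["ops"]
        cur, s = regs.get(dst, 0), val(src, regs)
        regs[dst] = {"mov": s, "lea": s, "add": (cur + s) & 0xFFFFFFFF, "xor": cur ^ s}[m]
    return regs[block[-1]["ops"][0]]

def rewrite(block):
    """Drop the slice, emit a direct jmp, lay survivors out from the entry point, pad with 0xCC."""
    sliced = backward_slice(block)
    kept = [ins for i, ins in enumerate(block[:-1]) if i not in sliced]
    kept.append({"addr": block[-1]["addr"], "size": 5, "text": f"jmp {eval_slice(block, sliced):#x}"})
    out, reloc, cur = [], {}, block[0]["addr"]
    for ins in kept:
        reloc[ins["addr"]] = cur                  # old -> new address: the input to offset relocation
        out.append((cur, ins["text"]))
        cur += ins["size"]
    return out, reloc, block[-1]["addr"] + block[-1]["size"] - cur   # freed tail bytes become 0xCC (int3)

# Constructed block: a register-based dispatcher computing the target of 'jmp ecx'.
BLOCK = [parse(*x) for x in [
    (0x1000, 5, "mov eax, 5"),          # genuine
    (0x1005, 6, "lea ecx, [0x2000]"),   # dispatcher: table base
    (0x100b, 2, "xor edx, edx"),        # genuine
    (0x100d, 3, "add ecx, 0x20"),       # dispatcher: index into table
    (0x1010, 2, "add eax, edx"),        # genuine
    (0x1012, 3, "xor ecx, 0x10"),       # dispatcher: final masking step
    (0x1015, 2, "jmp ecx")]]            # indirect control transfer
```

Running `rewrite(BLOCK)` yields the three genuine instructions followed by `jmp 0x2030`, an old-to-new address map for relocating any jumps or calls into the block, and 9 freed bytes for padding.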
This method highlights the broader utility of “backward slicing” in reverse engineering and malware analysis.
Indicators Of Compromise (IOC)
| MD5 | Associated Malware Family |
| --- | --- |
| d01e27462252c573f66a14bb03c09dd2 | LUMMAC.V2 |
| 5099026603c86efbcf943449cd6df54a | LUMMAC.V2 |
| 205e45e123aea66d444feaba9a846748 | LUMMAC.V2 |