LummaC2 Stealer Exploits Custom Control Flow Indirection for Malicious Execution

LummaC2 Stealer is an advanced malware designed to steal sensitive information, primarily targeting cryptocurrency wallets and two-factor authentication (2FA) extensions in multiple web browsers.

Initially discovered in late 2022, LummaC2 operates as a Malware-as-a-Service (MaaS), allowing cybercriminals to purchase and use it at varying price points.

Recently, Google and Mandiant security teams identified that LummaC2 has been actively utilizing customized control flow indirection techniques to carry out its malicious activities.

LummaC2 Stealer Exploits Customized Control Flow

The LummaC2 (‘LUMMAC.V2’) stealer employs “customized control flow indirection” to alter its execution path, built on the foundation of traditional control flow flattening. This method effectively hinders binary analysis tools like IDA Pro and Ghidra, making reverse engineering and automated detection much more difficult.

In response, security analysts devised an “automated deobfuscation method” using symbolic backward slicing to overcome this obstacle. Their technique distinguishes between genuine instructions and obfuscator-injected “dispatcher instructions” within protected functions. By utilizing the Triton symbolic execution engine, researchers were able to trace backward, isolate the dispatcher instructions, and understand how indirect control transfers are calculated.

Source – Google

The obfuscator employs various dispatcher block types, including:

  • Register-based
  • Memory-based
  • Mixed-order layouts
  • Specialized conditional dispatchers (designed for standard logic, loops, and system call handling)

Source – Google

By utilizing a depth-first search (DFS) traversal algorithm and strategically managing conditional jumps, it’s feasible to reconstruct the original control flow, allowing for the deobfuscation of samples into a format that facilitates thorough static binary analysis.

This approach delivers critical insights for security teams, enhancing their ability to analyze and detect the evolving “LummaC2” threat effectively.

Additionally, the deobfuscation process reconstructs original functions by eliminating elements added by the obfuscator while preserving the program’s semantics. This involves instruction rewriting, where the deobfuscated instructions replace the protected function, beginning from its entry point.

Source – Google

Two types of indirect jumps are considered: unconditional dispatcher blocks and conditional dispatcher blocks. The latter necessitates identifying the original jump type (such as ‘jz,’ ‘jnz,’ or ‘jl’) based on setcc instructions. The rebuilding process omits dispatcher instructions and any duplicates.

Next, offset relocation adjusts memory-referencing instructions (jumps and calls) to reflect new instruction locations following the removal of obfuscator code.

This technique has been applied to “LummaC2 malware,” utilizing “backward slicing” and “symbolic execution” to identify original instructions and eliminate dispatcher code.

Because only obfuscator-added instructions are removed, the deobfuscated functions always occupy less space than their obfuscated counterparts; the leftover space is filled with compiler-style padding (“0xCC” int3 instructions).

This method highlights the broader utility of “backward slicing” in reverse engineering and malware analysis.
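As an added illustration (not code from the Google/Mandiant write-up), here is a toy Python model of the pipeline described above: a backward slice from an indirect `jmp` isolates the register-based dispatcher instructions, concrete evaluation of that slice recovers the target, a depth-first walk over the recovered edges rebuilds the function without the dispatcher code, direct jumps are relocated to the new layout and the freed bytes are padded with 0xCC. It assumes a hand-built instruction model and a constructed sample function in place of a real disassembler and Triton, and it handles only unconditional dispatchers.

```python
from collections import namedtuple

# Toy IR, constructed here: `src` is an immediate (int) or a register name (str); `size` is in bytes.
Insn = namedtuple("Insn", "addr size op dst src")

def slice_dispatcher(block, reg):
    """Backward-slice what feeds `reg` (the dispatcher code), then run that slice to get the target."""
    wanted, sliced, regs = {reg}, [], {}
    for ins in reversed(block):
        if ins.dst in wanted and ins.op in ("mov", "add", "xor"):
            sliced.insert(0, ins)                          # keep program order
            if ins.op == "mov": wanted.discard(ins.dst)    # full redefinition ends the chain
            if isinstance(ins.src, str): wanted.add(ins.src)
    for ins in sliced:                                     # concrete evaluation of the slice
        v = regs.get(ins.src, 0) if isinstance(ins.src, str) else ins.src
        regs[ins.dst] = {"mov": v, "add": regs.get(ins.dst, 0) + v, "xor": regs.get(ins.dst, 0) ^ v}[ins.op]
    return sliced, regs[reg]

def deobfuscate(blocks, entry):
    """DFS the recovered edges, drop dispatcher instructions, relocate jumps, pad freed space with 0xCC."""
    out, new_addr, work = [], {}, [entry]
    while work:
        addr = work.pop()
        if addr in new_addr: continue                      # block already placed
        new_addr[addr] = sum(i.size for i in out)
        block, last = blocks[addr], blocks[addr][-1]
        if last.op == "jmp" and isinstance(last.src, str):   # indirect transfer: dispatcher block
            disp, target = slice_dispatcher(block[:-1], last.src)
            out += [i for i in block if i not in disp and i != last]
            if target in new_addr:           # back edge: keep an explicit direct jump
                out.append(Insn(None, 5, "jmp", None, target))
            work.append(target)              # an unplaced target simply falls through
        else:
            out += block
            if last.op == "jmp": work.append(last.src)
    rebuilt, cur = [], 0
    for i in out:                            # offset relocation: old target -> new address
        tgt = new_addr[i.src] if i.op == "jmp" else i.src
        rebuilt.append(Insn(cur, i.size, i.op, i.dst, tgt))
        cur += i.size
    orig = sum(i.size for b in blocks.values() for i in b)
    return rebuilt, bytes([0xCC]) * (orig - cur)

# Constructed sample: block 0x1000 hides its successor behind rax = 0x1000 + rcx, with a real `add ebx, 1` interleaved.
PROTECTED = {
    0x1000: [Insn(0x1000, 5, "mov", "ebx", 7), Insn(0x1005, 7, "mov", "rcx", 0x30),
             Insn(0x100c, 7, "mov", "rax", 0x1000), Insn(0x1013, 3, "add", "ebx", 1),
             Insn(0x1016, 3, "add", "rax", "rcx"), Insn(0x1019, 2, "jmp", None, "rax")],
    0x1030: [Insn(0x1030, 2, "mov", "eax", "ebx"), Insn(0x1032, 5, "jmp", None, 0x1020)],
    0x1020: [Insn(0x1020, 3, "add", "eax", 2), Insn(0x1023, 1, "ret", None, None)]}
```

Calling `deobfuscate(PROTECTED, 0x1000)` returns the rebuilt listing (19 bytes, with the direct jump retargeted to the relocated block) and 19 bytes of 0xCC padding, since the original function was 38 bytes.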

Indicators Of Compromise (IOC)

MD5                               Associated Malware Family
d01e27462252c573f66a14bb03c09dd2  LUMMAC.V2
5099026603c86efbcf943449cd6df54a  LUMMAC.V2
205e45e123aea66d444feaba9a846748  LUMMAC.V2