UPDATED 05:00 EDT / NOVEMBER 20 2023

SECURITY

Researchers warn of advanced evasion techniques in LummaC2 v4.0 malware

A new report released today by cybersecurity company Outpost24 AB is warning of a new version of a notorious malware-as-a-service product — one that uses an innovative anti-sandbox technique based on human behavior detection through trigonometry.

The malware is LummaC2 v4.0, an update to the well-known LummaC2 information stealer. An information stealer is malware designed to covertly extract sensitive data, such as login credentials, financial information and personal identifiers, from an infected device. The latest iteration of the malware marks a significant evolution in its capabilities.

Information stealers are not new, but where LummaC2 v4.0 becomes interesting is its anti-sandbox mechanism. The new version delays the malware’s activation until it detects genuine human mouse activity, countering analysis systems that fail to emulate realistic mouse movements. LummaC2 v4.0 uses trigonometry to discern between human and artificial mouse movements, hampering the efforts of cybersecurity researchers in analyzing and mitigating such threats.

In addition to its anti-detection approach, LummaC2 v4.0 introduces several other new features that enhance its effectiveness and evasiveness. Leading the list is Control Flow Flattening Obfuscation, a default setting in the malware that disrupts the program’s natural flow to make analysis more challenging for cybersecurity experts. The obfuscation technique is crucial in concealing the malware’s true intent and complicating efforts to reverse-engineer its code.
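To make the effect of control flow flattening concrete, here is an added illustration that is not LummaC2 code: `check_token_plain` is an ordinary function, and `check_token_flattened` computes the identical result after every basic block has been moved into a single dispatcher loop driven by a state variable, which is the shape an analyst sees in a flattened binary. The function, its state numbers and the `trace` parameter are all invented for this example; a real obfuscator would use opaque constants and spread the dispatcher across many more blocks. Recording the states actually visited, as `trace` does, is the first step an analyst takes to rebuild the original control-flow graph.

```python
"""Control-flow flattening illustrated (added example, not from the malware)."""
from typing import List, Optional


def check_token_plain(token: str) -> int:
    """Readable original: hash the token, then post-process by parity."""
    if not token:
        return -1
    total = 0
    for ch in token:
        total = (total * 31 + ord(ch)) & 0xFFFF
    if total % 2 == 0:
        return total
    return total ^ 0xFF


def check_token_flattened(token: str, trace: Optional[List[int]] = None) -> int:
    """Same computation, flattened: one loop, one dispatcher, numbered blocks.

    Each `elif` arm is one basic block of the original; the edges of the
    original graph now live only in the assignments to `state`."""
    state, total, i = 0, 0, 0
    result: Optional[int] = None
    while result is None:
        if trace is not None:
            trace.append(state)          # analyst instrumentation, not obfuscation
        if state == 0:                   # entry: is the token empty?
            state = 1 if token else 2
        elif state == 2:                 # empty-token exit
            result = -1
        elif state == 1:                 # loop initialisation
            total, i = 0, 0
            state = 3
        elif state == 3:                 # loop header
            state = 4 if i < len(token) else 5
        elif state == 4:                 # loop body
            total = (total * 31 + ord(token[i])) & 0xFFFF
            i += 1
            state = 3
        elif state == 5:                 # parity branch
            state = 6 if total % 2 == 0 else 7
        elif state == 6:                 # even exit
            result = total
        elif state == 7:                 # odd exit
            result = total ^ 0xFF
    return result


if __name__ == "__main__":
    visited: List[int] = []
    print(check_token_plain("ab"), check_token_flattened("ab", visited))
    print("dispatcher path:", visited)
```

The two functions agree on every input, yet only the first shows its loop and branches to a decompiler; in the second the real structure has to be recovered by following which state values feed which blocks.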

LummaC2 v4.0 has upgraded its approach to securing sensitive strings within its code. The malware has moved away from basic string alterations to XOR encryption, ensuring that its strings remain undetected and protected from straightforward analysis methods. XOR encryption is a symmetric technique that combines plaintext with a key using the XOR (exclusive or) logical operation; because XOR is its own inverse, the same operation with the same key recovers the original, making it a straightforward yet effective method for data obfuscation.

Another notable update in the latest version is the implementation of dynamic configuration files. The files, essential for the malware’s operation, are retrieved from the command and control center and, to maximize security, are encoded in Base64 and then XORed, adding a layer of complexity to the decryption.
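Both the string protection above and the configuration encoding described here reduce to the same primitive, so one added example serves both. It is not code from the malware or from the report: `xor_bytes` applies a repeating key and, because XOR is its own inverse, both protects and reveals; `encode_config`/`decode_config` follow the layering order the report gives (Base64 first, then XOR) and undo it in reverse. The key, the JSON layout of the configuration and the sample values are all constructed for illustration; the real format, key length and key derivation are not given on the page. The decoder's `None` result on a wrong key shows the usual analyst signal: XOR with the wrong key rarely yields bytes that stay inside the Base64 alphabet.

```python
"""XOR string protection and Base64+XOR config decoding (added example)."""
import base64
import binascii
import json
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`. Applying it twice restores the input."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def reveal_string(blob: bytes, key: bytes) -> str:
    """Recover a protected string; this is what a string-decryption script does."""
    return xor_bytes(blob, key).decode("utf-8")


def encode_config(config: dict, key: bytes) -> bytes:
    """Serialise, Base64-encode, then XOR (the order described in the report)."""
    return xor_bytes(base64.b64encode(json.dumps(config).encode("utf-8")), key)


def decode_config(blob: bytes, key: bytes) -> Optional[dict]:
    """Undo the layers in reverse: XOR, then Base64, then JSON.

    validate=True makes b64decode reject any byte outside the Base64 alphabet,
    so a wrong key normally surfaces here rather than as silent garbage."""
    try:
        raw = base64.b64decode(xor_bytes(blob, key), validate=True)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed sample values; none of these come from a real sample.
KEY = b"k3y!"
SAMPLE_CONFIG = {"c2": "c2.example.invalid", "interval": 60}
PROTECTED_STRING = xor_bytes(b"user32.dll", KEY)

if __name__ == "__main__":
    print("protected string bytes:", PROTECTED_STRING.hex())
    print("revealed:", reveal_string(PROTECTED_STRING, KEY))
    blob = encode_config(SAMPLE_CONFIG, KEY)
    print("config with right key:", decode_config(blob, KEY))
    print("config with wrong key:", decode_config(blob, b"nope"))
```

For an analyst the practical consequence is that neither layer resists recovery once the key is located in the binary; their value to the operator is purely in defeating static string scans and naive carving of the configuration from memory or network captures.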

The mandatory use of crypters for malware builds is also being enforced. The requirement ensures that each instance of the malware is uniquely obfuscated, thereby reducing the likelihood of detection by standard antivirus and malware detection tools.

“Information Stealers such as LummaC2 v4.0 pose significant risks and have the potential to inflict substantial harm on both individuals and organizations, including privacy breaches and the unauthorized exposure of confidential data,” the report concludes. “The ongoing usage of this malware in real-world scenarios indicates that it will likely continue to evolve, incorporating more advanced features and security measures in the future.”
