The AhnLab Security Intelligence Center (ASEC) has uncovered a new cyberattack campaign leveraging the LummaC2 malware, which is being distributed under the guise of a cracked version of Total Commander.
Total Commander is a widely used Windows file management tool offering features like advanced search, folder synchronization, and FTP/SFTP support.
While the legitimate software provides a one-month free trial before requiring a paid license, threat actors have exploited its popularity by targeting users seeking illegal, cracked versions of the tool.
The attack begins when users search for “Total Commander Crack” online.
Among the search results, they encounter posts containing links to download the supposed crack.
These links redirect users through multiple pages, including Google Colab drives and disguised Reddit posts, before leading to the final download page.
This multi-step process is not automated but requires users to manually click through links, indicating that the attack specifically targets individuals attempting to obtain pirated software.
The downloaded file is a password-protected ZIP archive containing a double-compressed RAR file.
Inside it is an executable named “installer_1.05_38.2.exe,” which infects the system with LummaC2 upon execution.
The malware employs advanced obfuscation techniques, including multiple layers of compression using NSIS and AutoIt scripts.
When executed, the NSIS script uses the ExecShell command to run an obfuscated batch script (Nv.cmd).
This script employs techniques such as inserting variables into commands and adding meaningless strings to hinder analysis.
Once deobfuscated, it becomes clear that the script executes an AutoIt-based payload.
The AutoIt script includes both an encrypted LummaC2 binary and the shellcode required to decrypt and load it into memory at runtime.
This method of embedding malware within AutoIt scripts is a common tactic among cybercriminals.
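The "variable insertion" obfuscation described above is cheap to undo statically: resolve the `set` assignments, expand `%var%` and `%var:~start,len%` substring references, drop caret escapes and comment lines, and the real command line is left behind. The following analysis helper is an added example written for this article, not ASEC's tooling and not the actual contents of Nv.cmd; the sample batch script it parses is constructed to imitate the technique, and the indicator list is illustrative. References to variables the script never defines (such as `%TEMP%`) are deliberately left visible rather than blanked, since an analyst wants to see them.

```python
"""Static deobfuscator for batch scripts that hide their command line behind
`set` variables and substring expansions. Hypothetical analysis helper; the
embedded SAMPLE_CMD is constructed and does not reproduce any real sample."""
import re

# `set name=value` or `set "name=value"`, leading `@` already stripped
SET_RE = re.compile(r'^set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %name%, %name:~start% or %name:~start,len%
REF_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%')
# lines that carry no behaviour and are commonly padded with junk text
JUNK_PREFIXES = ('rem ', '::', 'echo off')

# Indicators a defender would look for in the recovered command line;
# the AutoIt interpreter / compiled-script hand-off is the one this
# campaign uses.
INDICATORS = {
    'autoit': re.compile(r'autoit3?\.exe|\.a3x\b', re.IGNORECASE),
}


def batch_substring(value, start, length):
    """Mimic cmd.exe %var:~start,len% semantics (negative start counts from
    the end, negative len drops characters from the end, no len = to end)."""
    if start < 0:
        start = max(len(value) + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:len(value) + length]
    return value[start:start + length]


def expand(text, env):
    """Expand variable references until a fixed point, then remove carets."""
    def repl(m):
        name, start, length = m.group(1), m.group(2), m.group(3)
        if name.lower() not in env:
            return m.group(0)          # undefined here: keep it visible
        value = env[name.lower()]
        if start is None:
            return value
        return batch_substring(value, int(start),
                               None if length is None else int(length))

    prev = None
    while prev != text:
        prev, text = text, REF_RE.sub(repl, text)
    # `^x` escapes x in cmd.exe; dropping the caret restores the plain text
    return re.sub(r'\^(.)', r'\1', text)


def deobfuscate(script):
    """Return the effective command lines of an obfuscated batch script."""
    env = {}
    commands = []
    for raw in script.splitlines():
        line = raw.strip().lstrip('@')
        if not line or line.lower().startswith(JUNK_PREFIXES):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
            continue
        commands.append(expand(line, env))
    return commands


def find_indicators(commands):
    """Names of INDICATORS matched by any recovered command line."""
    hits = set()
    for cmd in commands:
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                hits.add(name)
    return sorted(hits)


# Constructed sample: junk lines, decoy variables and substring expansions
# that rebuild "AutoIt3.exe" at runtime. Not a real malware script.
SAMPLE_CMD = r'''@echo off
rem x9q2 junk line inserted to clutter the listing
set "vwq=AutoIt3.exe"
set "pkz=nothing to see here, move along"
set "rtl=%TEMP%\svc.a3x"
:: another decoy
set "cmdl=%vwq:~0,7%%vwq:~-4% %rtl%"
st^art /b %cmdl%
'''

if __name__ == '__main__':
    recovered = deobfuscate(SAMPLE_CMD)
    for cmd in recovered:
        print('command :', cmd)
    print('indicators:', find_indicators(recovered))
```

Run as a script it prints the single recovered command, `start /b AutoIt3.exe %TEMP%\svc.a3x`, and flags the `autoit` indicator. The same resolution step is what an endpoint product or a sandbox performs before matching rules, which is why detection on the recovered command line (an AutoIt interpreter launched from a user-writable path with a compiled `.a3x` script) is far more robust than signatures on the obfuscated file itself.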
LummaC2 is an information-stealing malware that has been active since early 2023.
It primarily targets users through illegal software downloads, such as cracks or serial generators.
Once installed on a victim’s system, LummaC2 exfiltrates sensitive data, including browser-stored credentials, email accounts, cryptocurrency wallet keys, and auto-login details for various programs.
The stolen data is sent to command-and-control (C&C) servers operated by threat actors and may subsequently be sold on dark web marketplaces or used for secondary attacks.
ASEC reports indicate that personal data breaches caused by LummaC2 infections have led to corporate network compromises in some cases, amplifying its potential impact.
To mitigate the risks associated with this malware campaign, users are strongly advised to download software only from official sources and avoid pirated or cracked versions of applications.
Organizations should also implement robust endpoint security measures to detect and block malicious scripts and executables.