Thursday, December 5, 2024

LummaC2 Malware Using Steam Gaming Platform as C2 Server

Cybersecurity experts have uncovered a sophisticated variant of the LummaC2 malware that leverages the popular Steam gaming platform as a Command-and-Control (C2) server.

This new tactic marks a significant evolution in the malware’s distribution and operational mechanisms, posing a heightened threat to users and organizations worldwide.

The Rise of LummaC2

LummaC2 is an information-stealing malware that has been actively distributed by masquerading as illegal programs such as cracks, keygens, and game hacks.

These malicious files are disseminated through various channels, including distribution sites, YouTube, LinkedIn, and even search engine advertisements, using a technique known as SEO poisoning.

Recently, the malware has also been disguised as legitimate applications like Notion, Slack, and Capcut, further broadening its reach.

According to AhnLab's ASEC report, LummaC2 was initially distributed either as a single executable (EXE) file or via DLL side-loading, where a malicious DLL is bundled in an archive together with a legitimate EXE that loads it.

This method allowed the malware to execute its payload while remaining under the radar of many security systems.

Distribution in single EXE form (left), distribution in DLL form (right)

Exploiting Steam for C2 Domains

In its latest variant, LummaC2 has adopted a novel approach by exploiting the Steam gaming platform to obtain C2 domain information. Previously, all C2 information was embedded within the malware sample itself.

By instead retrieving that information from a legitimate platform such as Steam, the attackers can change the C2 domain whenever they need to, which makes the malware more resilient to takedowns and blocklists and lowers the likelihood of detection.

This technique is not entirely new; it mirrors the strategy used by the Vidar malware, which has a history of exploiting various legitimate platforms such as TikTok, Mastodon, and Telegram to obtain C2 information.

LummaC2 exploit Steam page (left), Vidar exploit Steam page (right)

Decryption and Execution

Upon execution, LummaC2 decrypts its internal encrypted strings to obtain the C2 domain information. The strings are Base64-encoded and further encrypted with a custom algorithm, and each sample contains approximately 8 to 10 C2 domains.

C2 domain decryption code

Only if every embedded C2 domain is unreachable does the malware fall back to its Steam connection routine. Unlike the C2 domains, the Steam URL is stored in the executable's code section and is decrypted with a different algorithm.

The Steam URL points to the profile page of a Steam account believed to have been created by the attacker. The malware parses the “actual_persona_name” tag from this page and decrypts the resulting string with a Caesar cipher to reveal the C2 domain.

Steam account page source
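The dead-drop resolution just described, written out as an analyst's decoder (this is an added example, not code from the article or from ASEC). It assumes the Caesar cipher shifts only ASCII letters, that the shift is unknown and must be brute-forced, and that a candidate is plausible only when its last label is a common TLD; the HTML fragment, persona name and shift value are constructed for the example.

```python
import re

# Constructed stand-in for a saved Steam profile page. The real page
# layout is not reproduced here; only the "actual_persona_name" tag
# named in the article matters. The persona name is "example.com"
# Caesar-shifted by 3, a value chosen for this sample only.
SAMPLE_PROFILE_HTML = """
<div class="profile_header">
  <span class="actual_persona_name">hadpsoh.frp</span>
</div>
"""

# Small, assumed allow-list of TLDs used to rank candidate decryptions.
COMMON_TLDS = {"com", "net", "org", "xyz", "top", "io", "ru", "shop",
               "site", "online", "store", "click"}
LABEL_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def extract_persona_name(html: str) -> str:
    """Return the text inside the element tagged actual_persona_name."""
    m = re.search(r'class="actual_persona_name"[^>]*>([^<]*)<', html)
    return m.group(1).strip() if m else ""


def caesar_shift(text: str, shift: int) -> str:
    """Undo a Caesar shift on ASCII letters; dots, digits and dashes pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def recover_candidates(persona: str) -> list:
    """Try all 26 shifts and keep results that look like a hostname with a known TLD."""
    cands = []
    for shift in range(26):
        plain = caesar_shift(persona, shift).lower()
        if LABEL_RE.match(plain) and plain.rsplit(".", 1)[-1] in COMMON_TLDS:
            cands.append((shift, plain))
    return cands


if __name__ == "__main__":
    name = extract_persona_name(SAMPLE_PROFILE_HTML)
    print("persona name:", name)
    print("candidate C2 domains:", recover_candidates(name))
```

Run against a captured profile page, the candidate list gives the defender a domain to blocklist and a shift value to compare across samples.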

Dynamic C2 Domain Management

Using a legitimate, high-traffic domain like Steam helps the traffic blend in and lets the attacker easily change the C2 domain whenever needed.

This flexibility increases the attack’s success rate and makes it more challenging for security systems to block the malware.

Once the C2 domain is decrypted, LummaC2 connects to the C2 server and downloads an encrypted settings JSON file. This file is then decrypted, and the malware performs various malicious actions based on the settings.

The stolen information is sent back to the C2 server and includes:

  • Wallet program information
  • Browser storage information
  • Password storage program information
  • TXT files in the user directory
  • Messenger program information
  • FTP program information
  • VPN program information
  • Remote program information
  • Memo program information
  • Mail program information
  • Browser extension plugin (virtual currency wallet) information

Part of LummaC2 settings JSON

The exploitation of the Steam gaming platform by LummaC2 malware represents a significant escalation in cyber threats.

By leveraging a legitimate and widely used platform, attackers can dynamically manage C2 domains, making the malware more resilient and harder to detect.

This development underscores the need for heightened vigilance and advanced security measures to protect against evolving cyber threats.

Recommendations

To mitigate the risk posed by LummaC2 and similar malware, users and organizations should:

  1. Avoid Downloading Illegal Software: Refrain from downloading cracks, keygens, and game hacks from untrusted sources.
  2. Use Reputable Security Software: Employ advanced antivirus and anti-malware solutions that can detect and block such threats.
  3. Regularly Update Software: Ensure all software, including security programs, is up-to-date to protect against known vulnerabilities.
  4. Educate Users: Raise awareness about the dangers of downloading and executing unknown files, and promote safe online practices.
  5. Monitor Network Traffic: Implement network monitoring tools to detect unusual traffic patterns that may indicate a malware infection.

By adopting these measures, users and organizations can better defend against LummaC2’s sophisticated tactics and other evolving cyber threats.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
