The information-stealing Lumma malware now uses an interesting tactic to evade detection by security software – measuring mouse movements using trigonometry to determine whether the malware is running on a real machine or in an antivirus sandbox.
Lumma (or LummaC2) is a malware-as-a-service information stealer rented to cybercriminals on a subscription of between $250 and $1,000. The malware lets attackers steal data from web browsers and applications running on Windows 7 through 11, including passwords, cookies, credit card details, and information from cryptocurrency wallets.
The malware family was first offered for sale on cybercrime forums in December 2022, and a few months later KELA reported that it had already started to gain popularity in the underground hacking community.
Malware developers turn to trigonometry
A new Outpost24 report examining version 4.0 of Lumma Stealer identifies several significant updates to how the malware evades detection and prevents automated analysis of its samples.
These avoidance techniques include control flow flattening obfuscation, human-mouse activity detection, encrypted XOR strings, support for dynamic configuration files, and enforcing the use of encryption in all versions.
The most interesting of the above mechanisms is the use of trigonometry to detect human mouse behavior, which the malware takes as an indication that the infected system is a real host rather than an automated analysis environment.
The malware tracks the position of the mouse cursor on the host using the Windows 'GetCursorPos()' API and records a series of five distinct positions at 50 millisecond intervals.
It then treats each pair of consecutive positions as a Euclidean vector and uses trigonometry to calculate the angles and magnitudes of the vectors formed by the detected motion.
If the calculated angles between vectors are all below 45 degrees, Lumma assumes that the mouse movements are not being emulated by software and allows execution to continue.
If the angles are 45 degrees or more, the malware stops all malicious behavior, but continues to track mouse movement until human-like behavior is detected.
The choice of a 45-degree threshold in Lumma's anti-sandbox mechanism is an arbitrary value set by the malware developer and likely based on empirical data or research on the operation of automated analysis tools.
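The following is an added reimplementation of the heuristic as the report describes it, written for this article rather than taken from the Lumma sample or from Outpost24: five sampled cursor positions become four displacement vectors, the angle between each consecutive pair of vectors is computed from the dot product and magnitudes, and the check passes only if every turn is below the 45 degree threshold. The sample trajectories are constructed for illustration, and the treatment of a stationary cursor (zero-length vector) as non-human is an assumption, since the report does not say how the malware handles that case. The optional `sample_cursor_windows()` helper shows how the same five positions can be polled live with `GetCursorPos()` via ctypes on a Windows host.

```python
import math
from typing import List, Optional, Sequence, Tuple

Point = Tuple[int, int]
Vector = Tuple[float, float]

ANGLE_THRESHOLD_DEG = 45.0   # threshold attributed to Lumma 4.0 in the report
SAMPLE_COUNT = 5             # five cursor positions are recorded
SAMPLE_INTERVAL_MS = 50      # sampled 50 ms apart


def vectors_between(points: Sequence[Point]) -> List[Vector]:
    """Displacement vectors between consecutive cursor samples."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]


def angle_between_deg(v1: Vector, v2: Vector) -> Optional[float]:
    """Angle in degrees between two vectors; None if either has zero length."""
    m1 = math.hypot(v1[0], v1[1])
    m2 = math.hypot(v2[0], v2[1])
    if m1 == 0.0 or m2 == 0.0:
        return None  # cursor did not move between two samples
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (m1 * m2)
    cos_theta = max(-1.0, min(1.0, cos_theta))  # guard against rounding outside [-1, 1]
    return math.degrees(math.acos(cos_theta))


def turn_angles_deg(points: Sequence[Point]) -> List[Optional[float]]:
    """Angles between each pair of consecutive displacement vectors."""
    vecs = vectors_between(points)
    return [angle_between_deg(a, b) for a, b in zip(vecs, vecs[1:])]


def looks_human(points: Sequence[Point], threshold: float = ANGLE_THRESHOLD_DEG) -> bool:
    """Return True if every turn angle is below the threshold.

    A stationary cursor (None angle) is treated as non-human here; this is an
    assumption, as the report does not describe how the malware handles it.
    """
    if len(points) != SAMPLE_COUNT:
        raise ValueError(f"expected {SAMPLE_COUNT} cursor samples, got {len(points)}")
    return all(a is not None and a < threshold for a in turn_angles_deg(points))


def sample_cursor_windows(count: int = SAMPLE_COUNT,
                          interval_ms: int = SAMPLE_INTERVAL_MS) -> List[Point]:
    """Poll GetCursorPos() on a Windows host to collect real samples (not used offline)."""
    import ctypes
    import time

    class POINT(ctypes.Structure):
        _fields_ = [("x", ctypes.c_long), ("y", ctypes.c_long)]

    user32 = ctypes.windll.user32
    samples: List[Point] = []
    for _ in range(count):
        p = POINT()
        user32.GetCursorPos(ctypes.byref(p))
        samples.append((p.x, p.y))
        time.sleep(interval_ms / 1000.0)
    return samples


# Constructed sample trajectories (not captured from any real host or sandbox).
HUMAN_LIKE = [(100, 100), (112, 104), (125, 109), (139, 113), (152, 118)]   # gentle drift
IDLE_CURSOR = [(640, 360)] * SAMPLE_COUNT                                   # never moves
SCRIPTED_GRID = [(100, 100), (200, 100), (200, 200), (100, 200), (100, 100)]  # 90 degree turns
RANDOM_JUMPS = [(10, 10), (500, 300), (50, 400), (700, 50), (300, 600)]      # teleporting cursor


if __name__ == "__main__":
    for name, pts in [("human-like", HUMAN_LIKE), ("idle", IDLE_CURSOR),
                      ("scripted grid", SCRIPTED_GRID), ("random jumps", RANDOM_JUMPS)]:
        angles = ["idle" if a is None else f"{a:.1f}" for a in turn_angles_deg(pts)]
        print(f"{name:14s} angles={angles} -> proceed={looks_human(pts)}")
```

Note what the heuristic does and does not catch: a sandbox that jitters the cursor randomly or moves it along axis-aligned paths fails on the turn angle, while an idle cursor fails because there is no vector to measure. A sandbox that replays a smooth, gently curving trajectory at the polling rate would pass, which is why the threshold is a speed bump rather than a reliable discriminator.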
Another notable development in Lumma is the requirement to use encryption to protect the malware executable from leaking to non-paying users and threat analysts.
Lumma now automatically checks for a specific value at a specific offset in the executable to determine if it is encrypted and provides a warning if it is not.
As a last line of defense against analysis, Lumma 4.0 incorporates obstacles into its code, such as opaque predicates that needlessly complicate program logic and dead code blocks inserted into functional code segments to confuse disassemblers and decompilers.
The latest version of the Lumma stealer exhibits an increased emphasis on avoiding analysis, introducing multiple layers of safeguards designed to thwart and complicate any attempts to dissect and understand its mechanisms.