LummaC2 Malware Distributed Disguised as Total Commander Crack

Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a malware campaign distributing the LummaC2 information stealer disguised as a cracked version of Total Commander, a popular Windows file management tool. The campaign targets users seeking unauthorized access to the software’s premium features, luring them to download illicit copies from unverified sources. Although Total Commander is officially available through ghisler[.]com, attackers have created fake cracked versions with embedded malware that mimic the legitimate software’s interface and version history to appear authentic. The infection chain begins when users search for “Total Commander Crack,” which leads them through a series of deliberate redirections, including a fake Reddit thread, to a malicious download link. This method filters out accidental clicks, ensuring that only users intentionally seeking the cracked version are infected. Once the victim initiates the download, they receive a double-compressed RAR archive, protected by a password to evade detection. After extraction, an NSIS installer script runs a heavily obfuscated batch file, which deploys the LummaC2 payload. The batch script first checks for the presence of security tools such as Avast, Sophos, and Bitdefender. If no security software is detected, it decrypts and assembles the LummaC2 components from fragmented binary blobs.
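As an added example (not from the ASEC report or this summary), the following Python hunt looks for the chain described above in process-creation telemetry: an executable launched from a temporary extraction directory spawning cmd.exe with a .bat file, whose descendants reference Avast, Sophos or Bitdefender. The temp-path heuristic, the use of tasklist as the check method, and the sample events are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# The page names these products as the ones the batch script checks for.
AV_VENDORS = ("avast", "sophos", "bitdefender")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path, as a process-creation log would record it
    cmdline: str

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def find_chain(events: List[ProcEvent]) -> List[dict]:
    """Return one match per cmd.exe that (a) runs a .bat, (b) was spawned by an
    executable under a temp/extraction directory (assumed stand-in for the NSIS
    installer dropped from the RAR), and (c) has a descendant whose command line
    names one of the security products the script looks for."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    matches = []
    for ev in events:
        if _basename(ev.image) != "cmd.exe" or ".bat" not in ev.cmdline.lower():
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or "\\temp\\" not in parent.image.lower():
            continue
        # Breadth-first walk over everything the batch file spawned.
        vendors, queue = set(), list(children[ev.pid])
        while queue:
            child = queue.pop(0)
            vendors.update(v for v in AV_VENDORS if v in child.cmdline.lower())
            queue.extend(children[child.pid])
        if vendors:
            matches.append({"installer": parent.image, "batch": ev.cmdline,
                            "vendors": sorted(vendors)})
    return matches

# Constructed sample telemetry: one malicious chain plus a benign build script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\u\AppData\Local\Temp\Rar$EXa0.123\TotalCommander_crack.exe",
              "TotalCommander_crack.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\nsa1B2.tmp\inst.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\tasklist.exe", 'tasklist /FI "IMAGENAME eq AvastUI.exe"'),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\dev\build.bat"'),
    ProcEvent(600, 500, r"C:\Windows\System32\tasklist.exe", 'tasklist /FI "IMAGENAME eq node.exe"'),
]

if __name__ == "__main__":
    for m in find_chain(SAMPLE_EVENTS):
        print(m)
```

The benign build.bat chain is skipped because its parent is explorer.exe rather than an installer in an extraction directory, which keeps the rule from firing on ordinary scripts that enumerate processes.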

Security Officer Comments:
LummaC2 has emerged as a widely used malware strain in cyberattacks due to its effectiveness as an information stealer. Once deployed on a victim's machine, LummaC2 is capable of exfiltrating sensitive data, including browser credentials, cryptocurrency wallets, and autofill information. This stolen data is then transmitted to servers controlled by the attackers, enabling them to gain unauthorized access to a victim's online accounts and potentially use the information for malicious purposes, such as laundering funds or compromising other platforms of interest. The technique of using fake software downloads to distribute malware is not novel, but it remains a popular and highly effective method for infecting unsuspecting users. By luring victims to download seemingly legitimate software, such as cracked versions of popular programs, attackers exploit their trust and gain access to valuable personal information, often without the user realizing they have been compromised until it is too late.

Suggested Corrections:
Users should avoid downloading software from untrusted or unofficial sources, particularly cracked versions of paid programs. Users should also ensure their devices are protected with up-to-date antivirus software and regularly scan for malware. Enabling multi-factor authentication on sensitive accounts can provide an additional layer of security, making it harder for attackers to misuse stolen credentials. Additionally, users should be cautious of suspicious links and redirects and consider using reputable browsers with built-in security features to block malicious downloads.

IOCs can be accessed here.

Link(s):
https://asec.ahnlab.com/en/86435/