LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT

Key Takeaways

  • The blog delves into a new infection approach to disseminating the SectopRAT final payload.
  • Providing insight into LummaC stealer and its method of procuring the Amadey bot malware.
  • The Amadey bot replicates itself to ensure persistence, generating an LNK file within the startup folder directory. Upon being started, this LNK file triggers the execution of the duplicated instance of the Amadey.
  • Execution of the Amadey bot retrieves the SectopRAT payload through downloading, subsequently running within the victim’s system.

Executive Summary

LummaC, an information stealer, is being distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking forums. This malware is designed to pilfer sensitive data from infected devices. Among the data targeted are cryptocurrency wallets, browser extensions, two-factor authentication codes, and various files. The Threat Actors (TAs) accountable for this malware have consistently introduced improved iterations of LummaC. This new iteration boasts several additional features, including the ability to load other malware files (introduced in version 19.07) while the main information-stealing malware is executing on the victim’s system, as mentioned in the image below.

Loader, LummaC, Stealer, Telegram
Figure 1 – New Loader feature of LummaC stealer mentioned in the TA’s Telegram channel

Cyble Research & Intelligence Labs (CRIL) has recently come across a novel approach for spreading SectopRAT. This technique entails delivering the SectopRAT payload by utilizing the Amadey bot malware, which is retrieved from the LummaC stealer, as illustrated in the figure below.

Infection chain, malware, Stealer
Figure 2 – Infection chain

Detailed information about these techniques can be discussed in the Technical Analysis section.

Initial Infection

In most cases, the LummaC Stealer has been disseminated through phishing websites that impersonate genuine software sources, as well as via spear-phishing emails.

Historically, the LummaC stealer distributed through deceptive websites like counterfeit Microsoft Sysinternals Suite. It also aimed at YouTubers by employing spear-phishing emails and was further disseminated by masquerading as illicit software cracks.

Technical Analysis

We’ve encountered several ZIP files in the wild that seem to contain the LummaC stealer malware. It’s possible that these files are being distributed through a YouTube campaign disguised as software setup files. A few examples of these filenames include:

• Newest_Setup_123_UseAs_PassKey.zip
• Latest_Setup_Use__PassWord__224466.zip
• Latest_Setup_Use_224466_As_PassCode.zip
• Latest_Setup_Use__PassWord__224466.zip
• New_PC_Setup_PassWord_UseAs_224466.zip
• $#E-R1-Setup-Password-123.zip
• Active_Setup_113355_UseAs_PassKey.zip
• Setup_123_Passwords_Open_App.zip
• Passw0rdz_113355_Open_Setup_App.zip
• Active_Setup_With_224466_PassWord.zip

These files appear to have been deliberately named in a way that could attract users, potentially tricking them into running the contained malware. In this technical analysis, we analyzed a sample named “Active_Setup_With_224466_PassWord.zip.”

The SHA-256 hash of this ZIP archive file is 7b5500ada0bf017d0bac84b181076ebfd7220693748b9ca634f06271837edfb7.

The image below illustrates the contents of a ZIP archive featuring two directories named “Common Files” and “HMService.” These directories encompass numerous legitimate DLL files, while the ZIP archive itself contains an executable called “Setup.exe.” Importantly, the “Setup.exe” serves as a payload for the LummaC Stealer executable.

ZIP file, archive
Figure 3 – Content of ZIP archive file

The LummaC Stealer file (“Setup.exe,”), which is identified by its SHA256 hash: f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144. This particular binary file is a 32-bit GUI-based .NET Reactor executable.

LummaC Stealer

LummaC Stealer is malware designed to gather sensitive information from compromised devices illicitly. This includes a variety of data, such as cryptocurrency wallets, browser extensions, two-factor authentication codes, and files. LummaC Stealer is offered as a service by its creators, available on underground forums and Telegram channels primarily used by Russian speakers since at least August 2022. The seller of this software has been actively marketing LummaC Stealer since April 2022, releasing new versions and responding to questions on underground forums, Telegram channels, and a dedicated website.

According to the information provided by TAs, LummaC2 represents a next-gen stealer with an impressive success rate. Notably, it operates effectively even on clean systems, devoid of any dependencies whatsoever. Its key features include server-based log decryption. LummaC2 specializes in pilfering data from Chromium and Mozilla-derived browsers, encompassing about 70 browser-based cryptocurrencies and 2FA extensions. The toolkit encompasses a non-resident Loader, a dynamic low-level file grabber, and the latest innovation, the BINARY MORPHER.

When the “Setup.exe” is executed, it initiates the process of injecting the malicious LummaC Stealer content into the memory of “RegAsm.exe”, as shown below.

LummaC, Stealer, Process Tree
Figure 4 – LummaC stealer process tree

 

Once successfully installed on a targeted system, LummaC Stealer orchestrates covert operations to collect important system details, such as operating system version, hardware identifiers, CPU specifications, RAM details, screen resolution, and system language. With this information, the malware extracts sensitive data from designated applications, concentrating on web browsers, cryptocurrency wallets, two-factor authentication extensions, and others.

The figure below displays memory content within RegAsm.exe, containing strings associated with the URL of the LummaC Stealer’s command-and-control server.

LummaC, Stealer, Command and Control, RegAsm
Figure 5 – LummaC C&C strings present in RegAsm memory

 

LummaC Stealer’s impact is significant, spanning various web browsers such as Chrome, Mozilla Firefox, Microsoft Edge, and others. Within these environments, the stealer gains access to browsing histories, internet cookies, login details, personal data, credit card information, and other valuable data.

After gathering all the sensitive information from the targeted system, the stealer encrypts the collected data and sends it to the C&C server, as depicted in the image below.

  • hxxp[:]//exitlife[.]xyz/c2sock
LummaC, Command and Control
Figure 6 – LummaC C&C communication

 

CRIL has already published a comprehensive blog post offering a detailed examination of LummaC Stealer. The blog can be accessed here.

Furthermore, the LummaC Stealer retrieves the Amadey bot malware by downloading it from the following URL, as depicted in the below figure.

  • hxxp[:]//africatechs[.]com/Amdaygo[.]exe
AmadetBot, LummaC
Figure 7 – Presence of Amadey payload URL in LummaC memory

Amadey Bot

Amadey Bot is a type of malware that was identified in 2018. It can carry out tasks like exploring compromised systems, gathering data, and loading additional malicious payloads. During its early stages, it was disseminated through exploit kits. TAs used it to introduce different types of malware, including the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan (RAT). In 2022, associates linked to the LOCKBIT group employed the Amadey bot to distribute ransomware to their targets.

The Amadey bot, once retrieved by the LummaC Stealer, is saved and executed within the Temp directory with the below-specified filename:

  • C:\Users\user\AppData\Local\Temp\hhwjilxtgukpvvhbpo.exe

The Amadey bot is a 32-bit GUI type .NET Reactor executable with sha256 d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c.

After being executed, the Amadey malware copies itself to the following location and executes it.

  • C:\Users\user\Videos\edddegyjjykj.exe

Additionally, it creates an LNK file that, when clicked, executes the dropped copy of itself “edddegyjjykj.exe” file. This LNK file is dropped into the below startup folder location to maintain persistence.

  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk

During the execution, Amadey establishes communication with its C&C server, regularly transmitting system details such as OS version, architecture, username, installed antivirus software, etc. Additionally, it queries the server to receive instructions. The primary feature of Amadey is its capability to deploy other payloads to all compromised computers or selectively to those targeted by the malware.

The below figure illustrates the malware sending system information to the C&C server through the following URL:

  • hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php
Amadey, Exfiltration
Figure 8 – Amadey exfiltration

CRIL has previously released an extensive blog post that provides an in-depth analysis of Amadey Bot. It can be accessed here.

Moreover, the malware downloads an additional malicious payload from the following URL, as mentioned in the figure below.

  • hxxp[:]//patriciabono[.]com/BRR[.]exe
Amadey
Figure 9 – Amadey C&C communication

 

The image below depicts the malware’s memory content, including strings related to the Amadey bot’s C&C server, as well as the URL for the SectopRAT payload.

SectopRAT, Amadey
Figure 10 – Presence of SectopRAT payload URL in Amadey memory

SectopRAT

SectopRAT (aka Arechclient) is a Remote Access Trojan (RAT) built using the .NET compiler. It boasts a wide array of functionalities, including the pilfering of browser data and cryptocurrency wallet details. It can establish a concealed secondary desktop, which it uses to oversee and manipulate browser sessions. Notably, SectopRAT is equipped with Anti-VM and Anti-Emulator mechanisms intended to complicate malware analysis. These techniques alter the malware’s behavior within environments designed for analysis, making it challenging to discern its true malicious nature.

After being downloaded by Amadey, the SectopRAT is stored and executed in the Temp directory using the below folder and filename:

  • C:\Users\user\AppData\Local\Temp\1000349051\BRR.exe

The SectopRAT is a 32-bit executable, protected using the Themida packer, and its SHA256 is 501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4.

Once the “BRR.exe” is executed, the malware begins scanning through the target system’s directories. It aims to retrieve sensitive data from files such as “Cookies,” “Local State,” “Login Data,” and “Web Data.” These files are sourced from a diverse array of over 35 web browsers, gaming platforms, and other software applications that have been installed on the compromised system.

The following figure illustrates the browsers, games, email clients, and other software that the malware focuses on to extract sensitive information.

SectopRAT, Trojan, Application list
Figure 11 – SectopRAT target application list to steal sensitive information

Furthermore, it can steal important details from various cryptocurrency wallets such as Atomic, Exodus, Electrum, and Daedalus Mainnet. The malware has the capability to not only access cryptocurrency wallets through specific directories but it can also retrieve data from crypto wallet browser extensions, as mentioned in the table below.

ckpaelocniggkheibcacecnmmlmeodfa CryptoBit
ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink
fhbohimaelbohpjbbldcngcnapndodjp Binance Wallet
nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask

 

SectopRAT connects to the C&C server for communication using the below IP:Port,

  • 95[.]143[.]190[.]57:15648

The below image depicts the activity associated with the initialization string. This string acted as a signal that the encryption status for the malware’s operations had been switched to “on” within the compromised system.

SectopRAT, Memory strings
Figure 12 – SectopRAT memory strings

Figure 12 – SectopRAT memory strings

Conclusion

The deliberate introduction of multiple malware strains strategically enhances the capabilities and control of the threat actors (TAs) over the compromised system. This integration empowers them to carry out a diverse range of malicious activities, starting from the initial breach and extending to data extraction and the potential for remote control access. Through these intricate maneuvers, the likelihood of evading detection is heightened, allowing for a prolonged presence within the system and effectively achieving their malicious goals.

The most recent iteration of LummaC stealer now possesses the capability to load additional malware into the targeted system. In this particular campaign, LummaC stealer is utilized to retrieve and install the Amadey bot, recognized for its tasks involving system assessment, data theft, and the deployment of supplementary malicious payloads. Subsequently, the Amadey bot is executed to fetch SectopRAT, a .NET Remote Access Trojan recognized for its diverse functionalities, including various undetected methods.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Implement sophisticated email filtering solutions to detect and prevent spam, phishing attempts, and malicious emails.
  • Refrain from accessing links and attachments from unfamiliar or untrusted sources. Always confirm the credibility of the sender before engaging with links or attachments
  • Download and install software applications solely from reputable and well-established sources. Avoid obtaining software from online sources that lack credibility or verification.
  • Install a reliable antivirus and comprehensive internet security suite on all devices. Regularly update and scan for potential threats to ensure ongoing protection.
  • Utilize URL filtering tools to block access to known malicious websites and domains. Prevent users from inadvertently downloading malware from dangerous URLs.
  • Conduct periodic cybersecurity training sessions for employees. Educate them about the latest threats, phishing tactics, and the risks of email attachments and links.
  • Emphasize the importance of not downloading or executing files from unknown sources. Raise awareness about the potential consequences of interacting with suspicious content.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name 
Execution T1204
T1047
User Execution
Windows Management Instrumentation
Persistence T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation T1055 Process Injection
Defense Evasion T1497
T1027
T1562T1027.002T1140
T1620
Virtualization/Sandbox Evasion
Obfuscated Files or Information
Disable or Modify ToolsSoftware Packing
Deobfuscate/Decode Files or Information
Reflective Code Loading
Credential Access T1003
T1056
OS Credential Dumping
Input Capture
Discovery T1057
T1012
T1082
T1083
T1518.001
Process Discovery
Query Registry
System Information Discovery
File and Directory DiscoverySecurity Software Discovery
Collection T1005 Data from Local System
C&C T1071
T1573
T1105
Application Layer Protocol
Encrypted Channel
Ingress Tool Transfer

Indicators of Compromise (IOCs)

Indicators Indicator
Type
Description
507bddfabd74a3d024b2ad5f67d666ea
78eac92e0040e033406e6786b58b8a367fe171fa
f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144
MD5

SHA1

SHA256

LummaC
Stealer exe
952d825a264745bb52b6977ba5983568
627a0a841c2fe194dd54f9ec6b0c1231d7da135f
d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c
MD5

SHA1

SHA256

Amadey Bot
exe
f290ed868caae994bbfae1b63aca1d28
5ac7b60e56281dc0c72f7c1125b165867df56ed9
501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4
MD5

SHA1

SHA256

SectopRAT
exe
hxxp[:]//exitlife[.]xyz/c2sock URL LummaC stealer C&C
hxxp[:]//africatechs[.]com/Amdaygo[.]exe URL Amadey
Payload URL
hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php URL Amadey C&C
hxxp[:]//patriciabono[.]com/BRR[.]exe URL SectopRAT Payload URL
95[.]143[.]190[.]57:15648 IP:Port SectopRAT C&C
ca21c5b129c001c2b51359d5f74c0a99667028810623b779190b13f0de86369e

929f7b467d96d8d9c73bfa9b8adf758c1b3993c9438f23368c69e1201beea622

515ab212127cc722326043d77dda60943145798bfe8b17178937a254989367f1

0d8dee5e24500219f037e673324479f22cc5649c2aafdfe47b35375b6b76e60b

e0ac5909e219d4527691ea695185313376a0ccb075907b1deecd4e2aeae42cba

9252e999b76b9628ad0942df2649e1203ca078d1b45dab6a8f1ede3e22b99625

51cb8641ed75c5037fa657ed2aa33c71350e01f5f949054f17582ca41c260280

f819a1d2234c2755a8dc844f89e765de56c1c927f3964a1453961cec4fd38bae

SHA256 Similar
LummaC Stealer
exe files
0539d46a6e61dd3ce32a4b41c0554f925f4b26054c49451accec7ccad0409846
2c256a4a1ac022bcd3784d19e66934056015e20b49d58238ce4f3dfb37bfd98d
SHA256 Similar
Amadey
exe files
a3ceda3ef0a7b72145124def334dd3fa337614a1170960826016996151188fc5

033cafb9fcd3d50d858164c117ee2a1c9e7fe95b4d027315bc9d1186e655d583

81f4e0d6a70f14c3e07241196bd7f5318e302c28c64ca4bb876f4e25fbc3e5d2

ffd45c2b562d30113cb9a4823025a9a162503017e9d81fd96ddb5b98e5bb89bd

501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4

fb553e12381d42a612c713968078424201794a35fd13c681ae7faa77bf18e553

641710df66c792439f85b79879a268caa17b78ea0bf6924369fa6131fda01cd5

SHA256 Similar
SectopRAT
exe files
hxxp://enfantfoundation[.]com/amday[.]exe URL Similar
AmadeyPayload URL
hxxp://fuji-iasi[.]ro/BRR[.]exe

hxxps://earthqik[.]co[.]za/BR[.]exe

hxxp://silversoft[.]in/BR[.]exe

hxxp://tbmcoats[.]com/BRRR[.]exe

hxxp://aviangas[.]co[.]ke/BRRRRAS[.]exe

URL Similar
SectopRAT Payload URL

ET Rules

Malware
2046637 ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt LummaC Stealer
2039423 ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M1
2043206 ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
2039425 ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup
2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 Amadey Bot
2045752 ET MALWARE Win32/Amadey Payload Request (GET)
2044623 ET MALWARE Amadey Bot Activity (POST)
2044695 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

YARA Rules

rule LummaC_Stealer

{

meta:

author = “Cyble”

description = “Detects LummaC Stealer Files”

date = “2023-08-10”

os = “Windows”

threat_name = “LummaC Stealer”

scan_type = “Memory”

severity = 100

reference_sample = “a53dafb72659e7aa4f36a6626b01aad9cc44500d5d4c1ee7a96c957a4e556d02”

strings:

$a = “/c2sock” ascii wide

$b = “TeslaBrowser” ascii wide

$c = “Software.txt” ascii wide

$d = “System.txt” ascii wide

$e = “/c2conf” ascii wide

condition:

all of them

}

rule AmadeyBot

{

meta:

author = “Cyble”

description = “Detects Amadey Bot Files”

date = “2023-08-10”

os = “Windows”

threat_name = “Amadey Bot”

scan_type = “Memory”

severity = 100

reference_sample = “a58f0d4b2a0100a12eb8a5690522d79d510adafa9235d11e4b714dda8c87b341”

strings:

$a = “/index.php” ascii wide

$b = “\\MsBuild.exe” ascii wide

$c = “id=” ascii wide

$d = “&av=” ascii wide

$e = “&pc=” ascii wide

$f = “&un=” ascii wide

condition:

all of them

}

rule SectopRAT

{

meta:

author = “Cyble”

description = “Detects SectopRAT Files”

date = “2023-08-10”

os = “Windows”

threat_name = “SectopRAT”

scan_type = “Memory”

severity = 100

reference_sample = “75e64bd57bfaad471d202d46b726473ccf2182d9d511a32304903324648a90b1”

strings:

$a = “\\User Data” ascii wide

$b = “EncryptionStatus\”,\”Status” ascii wide

$c = “BotName” ascii wide

$d = “BotOS” ascii wide

$e = “URLData” ascii wide

$f = “Web Data” ascii wide

$g = “User Data\\Local State” ascii wide

condition:

all of them

}

 

Scroll to Top