The ever-evolving LummaC2 infostealer now has a 4.0 version that makes use of a novel anti-sandbox technique that forces the malware to wait until “human” behavior is detected in the infected machine.
The technique applies trigonometry to several cursor positions captured over a short interval: only when the movement is consistent with a human moving the mouse does the malware execute on the target system, so it avoids detonating in a sandbox.
In a Nov. 20 blog post, Outpost24 researchers reported that infostealers such as LummaC2 4.0 pose significant risks because they have the potential to inflict substantial harm on individuals and organizations, including privacy breaches and the unauthorized exposure of confidential data.
The researchers said they believe LummaC2 4.0 functions as a dynamic malware strain that remains under active development, constantly enhancing its codebase with additional features and improved obfuscation techniques, along with updates to its control panel.
“The ongoing usage of this malware in real-world scenarios indicates that it will likely continue to evolve, incorporating more advanced features and security measures in the future,” wrote Alberto Marin, reverse engineering team lead at Outpost24.
Marin said that, as his team saw in earlier LummaC2 advertisements on underground forums, the researchers recommend protecting the malware with a crypter to avoid leaking it anywhere in its pure form.
Monitoring the cursor for more human-like behavior with some simple math is similar to techniques we’ve seen in mobile apps where the malware checks for the presence of certain language packs to avoid “blue-on-blue” scenarios, explained Andrew Barratt, vice president at Coalfire.
“This just continues the game of chicken we have to play,” said Barratt. “Sandbox-based analysts will now have to ensure they’re emulating mouse activity based on actual patterns or that just follows the tracking requirements. The upside of this research is that movement-faking apps can be used to follow these specific patterns, so it’s only really going to evade the less sophisticated of researchers.”
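To make the cursor test concrete, and to give sandbox operators a way to check whether their emulated mouse activity would pass such a check (Barratt's point above), here is an added Python example that is not code from Outpost24's report or from the malware itself. It samples a cursor path as (x, y) points and applies the trigonometric comparison the article describes: the angle between consecutive displacement vectors. The article gives no constants, so the five-sample count, the roughly 300 ms spacing and the 45-degree turn threshold are assumptions, as are the function names `turn_angles`, `classify` and `check_emulation`.

```python
import math

# Assumed parameters. The article only says the check looks at "different positions
# of the cursor in a short interval"; the sample count, spacing and threshold are
# assumptions chosen for illustration, not values taken from the report.
SAMPLE_COUNT = 5          # cursor positions compared per check
SAMPLE_INTERVAL_MS = 300  # assumed spacing between samples (documentation only)
MAX_TURN_DEG = 45.0       # direction changes sharper than this are treated as non-human


def turn_angles(points):
    """Angle in degrees between each pair of consecutive displacement vectors.

    points is a list of (x, y) cursor samples in capture order. A None entry
    means one of the two displacements was zero (the cursor did not move), so
    there is no direction to compare.
    """
    angles = []
    for (x0, y0), (x1, y1), (x2, y2) in zip(points, points[1:], points[2:]):
        ax, ay = x1 - x0, y1 - y0          # first displacement vector
        bx, by = x2 - x1, y2 - y1          # second displacement vector
        na, nb = math.hypot(ax, ay), math.hypot(bx, by)
        if na == 0 or nb == 0:
            angles.append(None)
            continue
        # cos(theta) = (a . b) / (|a| |b|); clamp to guard against rounding drift
        cos_t = max(-1.0, min(1.0, (ax * bx + ay * by) / (na * nb)))
        angles.append(math.degrees(math.acos(cos_t)))
    return angles


def classify(points):
    """Classify a sampled cursor path the way the described check would.

    Returns one of:
      "insufficient" - fewer than SAMPLE_COUNT samples
      "idle"         - the cursor stayed put between two samples (sandbox with no
                       mouse input, or a user who is away from the machine)
      "synthetic"    - a direction change sharper than MAX_TURN_DEG, typical of
                       scripted teleporting or right-angle cursor jumps
      "human-like"   - movement present and every turn is smooth
    """
    if len(points) < SAMPLE_COUNT:
        return "insufficient"
    if any(p == q for p, q in zip(points, points[1:])):
        return "idle"
    if any(a is not None and a > MAX_TURN_DEG for a in turn_angles(points)):
        return "synthetic"
    return "human-like"


def check_emulation(paths):
    """Sandbox-operator helper: report which emulated cursor paths would fail.

    paths maps a label to a list of (x, y) samples; the result maps each label
    to its verdict, so a sandbox's mouse emulation can be tuned until it passes.
    """
    return {label: classify(path) for label, path in paths.items()}


if __name__ == "__main__":
    # Constructed sample paths, one per behaviour the check distinguishes.
    sample_paths = {
        "no_mouse_input":    [(100, 100)] * 5,
        "teleporting":       [(0, 0), (100, 0), (0, 0), (100, 0), (0, 0)],
        "right_angle_steps": [(0, 0), (10, 0), (10, 10), (20, 10), (20, 20)],
        "gentle_curve":      [(0, 0), (10, 2), (20, 6), (30, 12), (40, 20)],
    }
    for label, verdict in check_emulation(sample_paths).items():
        print(f"{label:18s} -> {verdict}")
```

The point for a sandbox operator is the last two constructed paths: a scripted mouse that jumps in straight segments with right-angle corners fails the same way as no mouse at all, while a gently curving path with small heading changes between samples passes, which is why emulation has to be modelled on recorded human movement rather than on simple waypoint hopping.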
Anurag Gurtu, chief product officer at StrikeReady, added that the recent research by Outpost24 on the LummaC2 anti-sandbox technique presents a fascinating and innovative approach. Gurtu said using trigonometry for human detection in this context is not just ingenious, it marks a significant advancement in understanding and mitigating sophisticated cyber threats.
Gurtu said this technique’s ability to differentiate between human and automated interactions within a system showcases the evolving complexity of security measures and the corresponding need for equally advanced countermeasures.
“As cyberthreats become more intricate, incorporating mathematical concepts like trigonometry into security protocols could be a game-changer,” said Gurtu. “It underscores the importance of interdisciplinary approaches in cybersecurity: blending mathematics, computer science, and behavioral analysis.”
“This development is a clear indicator of the future direction of cybersecurity, where traditional methods may no longer suffice, and innovative solutions become crucial,” he continued. “It also raises important questions about the balance between security and user privacy, and how new technologies might impact this dynamic.”