LummaC2 malware: new technique to evade analysis in a sandbox environment

LummaC2, a well-known infostealer sold on underground forums since late last year, has surprised security experts with a new and unexpected feature.

It is an advanced "anti-sandbox" technique which, by exploiting the mathematical principles of trigonometry, is able to evade analysis by security researchers and conceal the malware more effectively.

Written in the C programming language, LummaC2 has received several updates in recent months, but this latest one looks set to have a significant impact on the malware's spread. Version 4.0 is offered to its users with encryption support, all of which makes the malicious agent even more difficult to detect.

As explained by Alberto Marin, researcher at Outpost24, the technique for thwarting sandbox analysis involves delaying the launch of the malware, which activates only once it identifies "human" behavior on the infected machine.

LummaC2 and its anti-sandbox system: it’s all about the mouse

The same researcher clarified that the technique analyzes cursor positions which, through a series of mathematical calculations, reveal whether or not a human is operating the machine. Most analysis tools do not realistically emulate mouse movements and are therefore easy for purpose-built code to recognize.

The pointer position is sampled five times at intervals of 300 milliseconds. These samples are collected repeatedly, compared with each other and then analyzed by the malware, revealing whether the infected host is being used by a real person or is a controlled environment designed to examine the malware's actions.
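As an added illustration (not code from the article or from Outpost24's analysis), the check described above can be modelled as a pure function over a recorded cursor trace, which lets a sandbox operator test whether their own mouse emulation would be classified as synthetic. The five samples and the 300 ms interval come from the article; the 45-degree turn threshold and the three sample traces are assumptions constructed here.

```python
"""Score a recorded cursor trace: does it look like a person moved the mouse?"""
import math

SAMPLE_COUNT = 5          # positions compared, as stated in the article
SAMPLE_INTERVAL_MS = 300  # spacing between samples, as stated in the article
MAX_TURN_DEGREES = 45.0   # assumption: a sharper direction change is treated as synthetic


def turn_angles(points):
    """Angle in degrees between each pair of consecutive movement vectors.

    None marks a step where the cursor did not move at all, which is what an
    idle sandbox typically produces.
    """
    vectors = [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]
    angles = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        norm = math.hypot(ax, ay) * math.hypot(bx, by)
        if norm == 0:
            angles.append(None)
            continue
        cos_theta = max(-1.0, min(1.0, (ax * bx + ay * by) / norm))
        angles.append(math.degrees(math.acos(cos_theta)))
    return angles


def looks_human(points, max_turn=MAX_TURN_DEGREES):
    """True when every sample moved and every turn is gentler than max_turn."""
    if len(points) != SAMPLE_COUNT:
        raise ValueError(f"expected {SAMPLE_COUNT} samples, got {len(points)}")
    if any(a == b for a, b in zip(points, points[1:])):
        return False  # cursor parked between two samples
    return all(angle is not None and angle < max_turn for angle in turn_angles(points))


# Constructed traces, one (x, y) per 300 ms sample:
STATIC_TRACE = [(500, 400)] * SAMPLE_COUNT                          # idle VM, cursor never moves
TELEPORT_TRACE = [(10, 10), (900, 600), (20, 700), (850, 30), (400, 400)]  # random jumps
HUMAN_LIKE_TRACE = [(100, 100), (130, 110), (160, 125), (190, 145), (220, 170)]  # smooth arc

if __name__ == "__main__":
    for name, trace in [("static", STATIC_TRACE), ("teleport", TELEPORT_TRACE),
                        ("human-like", HUMAN_LIKE_TRACE)]:
        print(f"{name:10s} human={looks_human(trace)} turns={turn_angles(trace)}")
```

Feeding the function the trace your sandbox's mouse emulator actually produces shows at a glance whether it would fall into the "parked" or "teleporting" bucket.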

As is easy to imagine, this behavior hinders malware analysis and therefore prolongs the malware's lifespan and effectiveness. Security experts will certainly find a countermeasure, but that will take time, and cybercriminals will certainly exploit the interval to their advantage.
