
Security researchers have uncovered a sophisticated malware campaign distributing the LummaC2 information stealer disguised as a cracked version of Total Commander. This attack specifically targets users searching for pirated copies of the popular file management software, leveraging multi-stage redirection and advanced obfuscation techniques to evade detection.
Campaign Overview
The AhnLab Security Intelligence Center (ASEC) recently identified this operation distributing LummaC2 through fake Total Commander installers. Attackers have created an elaborate delivery chain involving:
- Google Colab drives hosting download instructions
- Fake Reddit threads promoting the cracked software
- Password-protected RAR archives containing the malicious payload
This multi-step approach requires manual user interaction at each stage, which effectively filters victims down to users deliberately seeking unauthorized software copies.
Technical Delivery Mechanism
The attack employs several evasion techniques that security teams should monitor:
Payload Packaging
The malicious installer arrives as an NSIS-compressed executable (installer_1.05_38.2.exe) containing:
- Obfuscated batch scripts using variable substitution
- AutoIt interpreter for script execution
- Memory-resident LummaC2 payload to avoid file-based detection
Execution Flow
The malware deploys through a three-stage process:
- NSIS installer extracts and runs a heavily obfuscated batch script
- Script decrypts and loads an AutoIt (.a3x) file containing the malware
- LummaC2 executes directly in memory without file artifacts
Malware Capabilities
LummaC2, first identified in early 2023, specializes in harvesting sensitive information including:
- Browser credentials (Chrome, Edge, Firefox)
- Cryptocurrency wallet data (MetaMask, Exodus)
- Email client profiles (Outlook, Thunderbird)
- Session cookies and auto-fill data
Recent ASEC reports indicate stolen credentials have facilitated subsequent network breaches, demonstrating the operational impact of these infections.
Detection and Mitigation
Security teams should implement these protective measures:
Endpoint Protection
- Monitor for AutoIt script execution from temporary directories
- Block NSIS installers writing executable content to %TEMP%
- Implement application allowlisting for installer technologies
Network Controls
Detect C2 communication through these indicators:
- Connections to known LummaC2 IPs (185.143.223.*)
- DNS requests for suspicious TLDs (.top, .xyz)
- Encrypted traffic to newly registered domains
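One way to turn the endpoint and network indicators above into a detection rule, as an added example that is not from the article or from ASEC: a small Python scanner over constructed Sysmon-style events (the event shape, paths and host names are assumptions, not data from the campaign).

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (paths and host names are made up).
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Users\bob\Downloads\installer_1.05_38.2.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\nsa1F2.tmp\AutoIt3.exe"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\nsa1F2.tmp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\bob\AppData\Local\Temp\nsa1F2.tmp\script.a3x"},
    {"type": "dns", "image": r"C:\Users\bob\AppData\Local\Temp\nsa1F2.tmp\AutoIt3.exe",
     "query": "cdn-sync-update.top"},
    {"type": "process", "image": r"C:\Program Files\totalcmd\TOTALCMD64.EXE",
     "cmdline": "TOTALCMD64.EXE"},
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.ghisler.com"},
]

# User and system temp locations that an NSIS stage typically unpacks into.
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# AutoIt interpreter binary, or a compiled .a3x script on the command line.
AUTOIT = re.compile(r"autoit3\w*\.exe$|\.a3x\b", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(exe|dll|a3x)$", re.IGNORECASE)
SUSPICIOUS_TLD = re.compile(r"\.(top|xyz)$", re.IGNORECASE)

def check_event(ev):
    """Return (rule, detail) alerts for one event; empty list if nothing matched."""
    alerts = []
    image = ev.get("image", "")
    if ev["type"] == "process":
        cmdline = ev.get("cmdline", "")
        if TEMP_DIR.search(image) and (AUTOIT.search(image) or AUTOIT.search(cmdline)):
            alerts.append(("autoit_from_temp", cmdline))
    elif ev["type"] == "file":
        # Broad approximation of "installer writes executable content to %TEMP%";
        # a production rule would also scope this to the dropping process.
        target = ev.get("target", "")
        if TEMP_DIR.search(target) and EXEC_EXT.search(target):
            alerts.append(("exec_dropped_to_temp", target))
    elif ev["type"] == "dns":
        query = ev.get("query", "")
        if TEMP_DIR.search(image) and SUSPICIOUS_TLD.search(query):
            alerts.append(("temp_process_suspicious_tld", query))
    return alerts

def scan(events):
    """Run every event through check_event and flatten the alerts."""
    return [alert for ev in events for alert in check_event(ev)]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The legitimate Total Commander and Firefox events produce no alerts, while the three stages of the described chain each trigger a distinct rule.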
Security Implications
This campaign demonstrates several concerning trends:
- Defense Evasion: Use of legitimate tools (AutoIt/NSIS) for malicious purposes
- Target Selection: Focus on IT professionals likely to use file management tools
- Operational Impact: Credential theft enabling secondary network breaches
Organizations should prioritize user education about software piracy risks while implementing technical controls to detect these sophisticated delivery methods.
References
- ASEC Technical Analysis – Detailed breakdown of the attack chain
- Hacker News Coverage – Campaign overview
- Cyber Press Report – Additional context on Total Commander targeting