There definitely is something incomplete in the way Opera promotes or makes accessible all its options. If that were corrected, the popularity of the browser would increase greatly, I believe. Anyway, back on topic: you can simply create a shortcut with the Action value "Show speed dial". Yes, that simple; you had to try to find a similar statement in the options that pop up when you start creating your shortcut. So: Menu > Settings > Preferences (Ctrl+F12) > Advanced tab > Shortcuts > Edit (a copy of Opera Standard, preferably) > Application > New > Action: Show speed dial. Note that pressing your shortcut again will toggle back to your page. I set mine to Alt+F because I already had Alt+D to hide the speed dial contents, which then blanks the current tab, with an option at the bottom left to show the speed dial. That is useful for those few who use the great MDI feature of Opera (plus some skins have a transparent blank tab that I use as a background with non-maximized pages/tabs). I'm not proficient, but you could also create a series and/or combination of actions with & and/or |. The latter simply tells Opera to do something else when pressing the shortcut again; you can then toggle many options.

New Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsers

During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on a cybercrime forum about an information stealer targeting both Chromium- and Mozilla-based browsers. This stealer was named LummaC2 Stealer; it targets crypto wallets, browser extensions and two-factor authentication (2FA) extensions and steals sensitive information from the victim's machine. The figure below shows the dark web post by the Threat Actors.

Figure 1 – Dark Web Post for LummaC2 Stealer

The post also mentioned the link to LummaC2 Stealer's seller website, which is written in Russian. The website offers various purchasing options for potential Threat Actors (TAs), with prices ranging from $250 to $20,000 depending on the plan. The image below shows the website where the stealer is available for sale.

Figure 2 – LummaC2 Stealer Seller's Website

In addition, the TAs behind the LummaC2 Stealer have created two Telegram channels in Russian: one for sharing information about the stealer and one for reporting bugs in the malware.

Figure 3 – Telegram Post by the Threat Actors

The researchers at CRIL found two active Command and Control (C&C) servers connected to the LummaC2 Stealer. The figure below illustrates the IP addresses of these servers, one located in Bulgaria and the other in Germany.

The figure below shows the login page of the LummaC2 Stealer's C&C server.

The figure below shows additional file details of the LummaC2 Stealer executable.

Figure 6 – File Details of LummaC2 Stealer

The stealer has many obfuscated strings in which the original text is padded with a random string, "edx765", to evade detection. Upon execution, the stealer passes each obfuscated string to a function that strips the random string and delivers the original string. The figure below shows the routine for string manipulation.

Figure 7 – Assembly Code to Replace the edx765 String

After getting the required strings, the malware resolves the APIs. It then starts extracting multiple pieces of information from the system, including LummaC2 Build, Lumma ID, Hardware ID, Screen Resolution, System Language, CPU Name, and Physical Memory. The malware stores this information in memory under the name system.txt. The figure below shows the code snippet of the malware for collecting system information.

Figure 8 – System Information Extracted by the Stealer

The stealer now enumerates the %userProfile% directory and grabs.