A new version of the infamous information stealer Lumma has emerged with a sophisticated anti-sandbox technique.
Operating under the Malware-as-a-Service (MaaS) model, LummaC2 v4.0 introduces a novel approach to evading detection by sandboxes commonly utilized for malware analysis.
According to an advisory published by Outpost24 threat researcher Alberto Marín today, the stealer’s novel anti-sandbox technique relies on trigonometry to discern genuine human behavior, delaying its activation until authentic mouse activity is identified.
This innovative strategy involves capturing and analyzing cursor movements, requiring continuous and smooth motion to bypass the malware’s detection mechanisms.
“After checking that all five captured cursor positions meet the requirements, LummaC2 v4.0 uses trigonometry to detect ‘human’ behavior. If it does not detect this human-like behavior, it will start the process all over again from the beginning,” Marín explained.
The security expert added that the significance of LummaC2 v4.0 lies in its capacity for information theft, focusing on the acquisition and exfiltration of sensitive data such as login credentials and credit card details.
Additionally, its presence in underground forums since December 2022 and subsequent updates indicate an ongoing threat that could result in substantial financial losses for both individuals and organizations.
Read more on the Lumma malware: Phishing Sites and Apps Use ChatGPT as Lure
According to Marín, the introduction of trigonometry as an anti-sandbox measure reveals a level of sophistication that demands sustained scrutiny and the formulation of proactive defense strategies.
“LummaC2 v4.0 appears to be a dynamic malware strain that remains under active development, constantly enhancing its code base with additional features and improved obfuscation techniques, along with updates to its control panel,” the researcher wrote.
“The ongoing usage of this malware in real-world scenarios indicates that it will likely continue to evolve, incorporating more advanced features and security measures in the future.”