Lumma C2

Task:

Subject: Urgent Investigation Required – Potential Security Incident

We require your assistance in an urgent security investigation. While this may sound unusual, please hear us out.

Our CTO was watching a football match between Juventus and PSV when he encountered a pop-up advertisement claiming that he had won a signed jersey from Samuel Mbangula, who scored the winning goal. The advertisement directed him to a website where he was asked to complete a CAPTCHA. However, the ad turned out to be fraudulent.

Following this interaction, our SIEM triggered alerts related to:

• Defense Evasion

• Persistence

The alerts were generated on February 17, 2025, at approximately 15:00 PM Cairo Time. Unfortunately, we do not have additional detection rules in place, so you will need to work with the available data.

Additional details:

• The malicious URL contained a reference to "cat", but we do not recall the full address.

• An attempt was made to analyze the malware, but initial execution only resulted in a blank Command Prompt window, making it unclear whether it is functional or a false positive.

• A suspicious text file named "don't read me please, I will hack you if u open this text.txt" was found in the same directory. It has not been opened for security reasons, and we advise against opening it.

We need you to investigate the URL, its functionalities, and the malware behavior, then document your findings. Let us know if you require any further details.

For more information about Lumma C2: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection

Solution

First, we need to adjust the timeline to cover the period from 14:30 to 16:30, ensuring our analysis focuses on the timeframe when the incident occurred.

Next, we aim to identify the URL the victim visited to watch the match, as well as the URL to which they were redirected after clicking on the advertisement.

http OR https

I obtained 134 events, so I will refine the filters further to narrow down the results. Based on the URL above, the fake CAPTCHA instructs users to open the Windows Run window by pressing Windows + R, paste the clipboard content using CTRL + V, and press ENTER to execute it. This action triggers a command that infects the system. To investigate further, I will filter for PowerShell activity to identify any relevant events.

(http OR https) AND *powershell*

Let's refine the results further.

(http OR https) AND *powershell*  AND powershell.command.name: "Invoke-WebRequest" 

Invoke-WebRequest: is a PowerShell cmdlet used to send HTTP requests (like GET, POST, etc.) to web pages or APIs. It retrieves content, downloads files, or interacts with web services, returning response data such as status codes, headers, or content.

Here is what the attacker did:

• Downloads a file from the URL hxxps[://]files[.]catbox[.]moe/edhauf[.]zip.

• Saves it to the desktop as I am Arthur Morgan.zip.

Let's apply a filter for "I am Arthur Morgan.zip" to analyze the available data.

"I am Arthur Morgan.zip"

After downloading and renaming the ZIP file, the attacker proceeded with the following actions:

• Extracted the downloaded file to a folder named "A legitimate software" on the desktop.

• Executed a file (pretty_normal_file_x64.exe) from the extracted folder.

Now, let's filter the logs using the specified file name and Event ID 4688 to analyze the processes created by this file upon execution.

*pretty_normal_file_x64.exe* AND event.code: 4688 AND event.action: "created-process" 

Let's include the CommandLine column and sort the results from oldest to newest.

Let's break down the attacker's actions step by step.

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

• C:\Windows\system32\conhost.exe:The Console Host is responsible for managing command-line interfaces (Command Prompt, PowerShell) and displaying their output in a window.

• 0xffffffff: This is a handle (a unique identifier) passed to conhost.exe. In this case, 0xffffffff is a special value that typically means "invalid handle."

• -ForceV1: This flag forces conhost.exe to use Console API Version 1 instead of the newer Version 2, which might be done to avoid newer security features.

Set-MpPreference -DisableRealtimeMonitoring $true

• This command disables Windows Defender's real-time protection, which means that Windows Defender will no longer actively scan files and processes for malware as they are accessed or executed.

Set-MpPreference -DisableBehaviorMonitoring $true

• Turns off behavior monitoring, which watches for suspicious activities.

• Disabling behavior monitoring allows malware, privilege escalation scripts, and post-exploitation tools to run undetected.

Set-MpPreference -DisableBlockAtFirstSeen $true

• Turns off Block at First Sight, a feature that block new and unknown threats.

• Windows Defender includes a feature called "Block at First Seen" that automatically blocks files the first time they are encountered if they are suspected to be malicious, even before a signature is available.

Set-MpPreference -DisableIOAVProtection $true

• Tells Microsoft Defender Antivirus to turn off its scanning of files downloaded from the internet and email attachments. In other words, it disables the “IOAV protection” feature.

Set-MpPreference -DisablePrivacyMode $true

• This command tells Defender to turn off its “privacy mode” feature. In privacy mode, Defender may limit or mask certain details in its logs, notifications, or telemetry in order to protect sensitive information. By running

Set-MpPreference -MAPSReporting 0

• Disables Microsoft Active Protection Service (MAPS), which sends data about detected threats to Microsoft for analysis and improved protection.

Set-MpPreference -SubmitSamplesConsent 2

• Sets the sample submission consent to 2, which means "never send samples." This prevents Microsoft Defender from sending suspicious files to Microsoft for analysis.

Set-MpPreference -DisableIntrusionPreventionSystem $true

• Turns off the Intrusion Prevention System (IPS), which blocks network-based attacks.

Set-MpPreference -DisableScriptScanning $true

• Turns off script scanning, which scans scripts (e.g., PowerShell, JavaScript) for malicious code.

The attacker then created a scheduled task named "what_a_rat" that executes the program pretty_normal_file_x64.exe located in C:\Users\Public\Desktop\A legitimate software\ every time a user logs on, with the highest privileges.

To exfiltrate the victim's data, the attacker compressed the files within the Temp folder of the local user and transmitted them to a malicious website: "hxxp[://]callosallsaospz[.]shop/upload".

The path C:\Users\LOCALU~1\AppData\Local\Temp\ refers to the Temp folder for the userLOCALUSER . The Temp folder is a common location where programs store temporary files. However, attackers might target this folder to steal sensitive information.

• Downloaded files (e.g., updates, documents, or media).

• Cache files (e.g., browser cache, application cache).

• Logs or debug information.

Let's download the edhauf.zip file and extract its contents to analyze any additional data it may contain.

I have obtained the attacker's Twitter handle. Let's access their Twitter account for further investigation.

The attacker is most likely a script kiddie. He lack technical skills (inability to encrypt files) and he reveals his X/Twitter handle