LummaC2 Malware Deploys New Trigonometry-Based Anti-Sandbox Technique

The stealer malware known as LummaC2 (aka Lumma Stealer) now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts.

The method is designed to “delay detonation of the sample until human mouse activity is detected,” Outpost24 security researcher Alberto Marín said in a technical report shared with The Hacker News.

Written in the C programming language, LummaC2 has been sold in underground forums since December 2022. The malware has since received iterative updates that make it harder to analyze via control flow flattening and even allow it to deliver additional payloads.

The current version of LummaC2 (v4.0) also requires its customers to use a crypter as an added concealing mechanism, not to mention prevent it from being leaked in its raw form.

Another noteworthy update is the reliance on trigonometry to detect human behavior on the infiltrated endpoint.

“This technique takes into consideration different positions of the cursor in a short interval to detect human activity, effectively preventing detonation in most analysis systems that do not emulate mouse movements realistically,” Marín said.

To do so, it extracts the current cursor position for five times after a predefined sleep interval of 50 milliseconds, and checks if every captured position is different from its preceding one. The process is repeated indefinitely until all consecutive cursor positions differ.

Once all the five cursor positions (P0, P1, P2, P3, and P4) meet the requirements, LummaC2 treats them as Euclidean vectors and calculates the angle that’s formed between two consecutive vectors (P01-P12, P12-P23, and P23-P34).

“If all the calculated angles are lower than 45º, then LummaC2 v4.0 considers it has detected ‘human’ mouse behavior and continues with its execution,” Marín said.

“However, if any of the calculated angles is bigger than 45º, the malware will start the process all over again by ensuring there is mouse movement in a 300-millisecond period and capturing again 5 new cursor positions to process.”

The development comes amid the emergence of new strains of information stealers and remote access trojans such as BbyStealer, Trap Stealer, Predator AI, Epsilon Stealer, Nova Sentinel, and Sayler RAT that are designed to extract a wide range of sensitive data from compromised systems.

Predator AI, an actively maintained project, is also notable for the fact that it can be used to attack many popular cloud services such as AWS, PayPal, Razorpay, and Twilio, in addition to incorporating a ChatGPT API to “make the tool easier to use,” SentinelOne noted earlier this month.

“The malware-as-a-service (MaaS) model, and its readily available scheme, remains to be the preferred method for emerging threat actors to carry out complex and lucrative cyberattacks,” Marín said.

“Information theft is a significant focus within the realm of MaaS, [and] represents a considerable threat that can lead to substantial financial losses for both organizations and individuals.”