CISA has released advisory AA25-141B for LummaC2, malware known to exfiltrate sensitive data. Once inside a system, LummaC2 can take screenshots, access private documents, and allow hackers to maintain long-term access to compromised networks. To defend against this threat, CISA and the FBI are urging all organizations and individuals to take several key steps.
These include keeping all software and operating systems updated, using strong, unique passwords with multi-factor authentication, and restricting administrative access to only those who truly need it.
Monitoring networks for unusual activity, training employees to spot phishing attempts, and backing up important data regularly are also crucial defenses.
In addition to developing a good cybersecurity posture, the FBI and CISA are encouraging organizations to monitor and detect API usage, secure network devices, push patches, and collect logs.
LummaC2 malware first appeared for sale on multiple Russian-language cybercriminal forums in 2022. Threat actors frequently use spear-phishing hyperlinks and attachments to deploy LummaC2 payloads.
The CISA advisory includes an excellent technical breakdown covering file execution, known domains, and high-level overviews of the application programming interfaces (APIs) in use.
The following techniques were used to gain initial access through email phishing attempts:
In a significant move to combat cybercrime, the U.S. Department of Justice has announced the seizure of five internet domains associated with the LummaC2 information-stealing malware. This coordinated effort, supported by Microsoft’s Digital Crimes Unit, aims to dismantle a global cybercriminal operation that has compromised millions of devices worldwide.
The operation involved the unsealing of two warrants authorizing the seizure of five domains used by cyber actors to operate the LummaC2 malware service. This action is part of a broader strategy to disrupt malicious cyber operations and criminal networks. The Justice Department emphasized its commitment to using its unique tools, authorities, and partnerships to protect the public from persistent cybersecurity threats.
This initiative underscores the importance of public-private partnerships in addressing cyber threats. The collaboration between the Justice Department, Microsoft, and other stakeholders highlights a unified approach to tackling cybercrime on a global scale.
“The seizure of these domains by the government will prevent the owners and cybercriminals from using the websites to access LummaC2 to compromise computers and steal victim information. Individuals who now visit the websites will see a message indicating that the site has been seized by the Justice Department, including the FBI.”
TL;DR: LummaC2 can take screenshots, steal documents, and provide long-term access to networks.
cyber@securendsolution.com
New York, USA