The latest version of the LummaC2 malware-as-a-service includes a new anti-sandbox maneuver — version 4.0 knows trigonometry and can use it to track mouse movements to detect when a human user is active on a compromised computer.
Sandboxing lets cybersecurity defenders run untrusted applications in an isolated environment, where its behavior can be tracked safely away from the rest of the network. By only deploying when a human is active, the LummaC2 infostealer avoids spilling its secrets to threat hunters in a sandbox, by only detonating when operating on a human-controlled computer, where it can actually gain a foothold in the network.
LummaC2 v4.0 continuously tracks and maps the placement of the machine’s cursor at five distinct points, until the cursor positions differ widely enough to show human movement, a new report on the development from Outpost 24 explained.
“After checking that all five captured cursor positions meet the requirements, LummaC2 v4.0 uses trigonometry to detect ‘human’ behavior,” the report said. “If it does not detect this human-like behavior, it will start the process all over again from the beginning.“
LummaC2 4.0 is constantly being updated with new features, the report added, including recent improvements to its obfuscation techniques, as well as updates to its control panel.
These incremental upgrades being rolled out by malware developers is a good example of the endless game of “chicken” being played by cybercriminals and defenders, according to a statement from Andrew Barratt, vice president at Coalfire.
“Sandbox detection is a relatively common malware concept these days,” Barratt said. “Sandbox-based analysts will now have to ensure they’re emulating mouse activity based on actual patterns or that just follows the tracking requirements.”
Although the trigonometry angle is interesting, Amelia Buck agrees the new mathed-up malware won’t likely be a huge problem for security teams to protect against.
“The impact will be limited since the current method to counter anti-sandbox measures is likely to be effective against this technique as well,” Buck said in a statement. “It’s worth noting that the use of trigonometry in this technique adds an interesting element.”