Skip to content

Lumma C2 installing malicious Chrome extension to steal financial data

  • by
  • 3 min read

A new cyber attack exploits a sophisticated delivery chain that distributes LummaC2 stealer malware and a nefarious Chrome extension designed to intercept and manipulate sensitive financial data and browser activity.

The attack began with a drive-by download that delivered a ZIP archive named ‘x64~x32~installer___.zip.’ This archive contained an MSI installer that, upon execution, contacted the command and control (C2) server at get-license2[.]com to retrieve a password.

This password was crucial for extracting a malicious DLL file, rnp.dll, from a second archive named ‘nijboq.rar.’

The legitimate executable ‘rnpkeys.exe,’ associated with the RNP library — widely used for cryptographic operations in tools like Thunderbird — was abused to load the malicious ‘rnp.dll’ through a DLL side-loading technique.

Researchers observed that this method exploits the trusted nature of ‘rnpkeys.exe’ to mask the malicious payload.

Once loaded, the ‘rnp.dll’ file executed a series of steps to install the LummaC2 stealer. The PowerShell script embedded in the malware used base64 encoding to retrieve an additional payload, ‘02074.bs64,’ from the C2 server at two-root[.]com. This payload was then decrypted through a two-round XOR operation.

Malicious Chrome extension. | Source: Esentire

Subsequently, the malware installed a malicious Chrome extension masquerading as ‘Save to Google Drive.’ This extension is designed to intercept and manipulate financial transactions, including managing balances and withdrawals from services like Facebook, Coinbase, and Google Play.

It also gathers comprehensive device information and user data, including hardware specs and browser cookies.

The extension’s functionality extends to monitoring and manipulating browser behaviours. It can dynamically inject and alter web content, targeting popular email platforms such as Outlook, Gmail, and Yahoo Mail.

The extension significantly increases data theft risks by interfering with email content and potentially capturing sensitive information like two-factor authentication codes.

As researchers observed, the extension’s ‘proxy.js’ script converts compromised browsers into HTTP proxies, allowing attackers to browse the web as if they were the victims.

The screenshot feature. | Source: Esentire

It also captures screenshots of the current browser tab, which are then sent to the C2 server.

Researchers observed that communication with the C2 servers is sophisticated and involves Base58-decoded URLs extracted from blockchain and mempool data. Attackers have designed the C2 infrastructure to handle data in JSON format, obfuscating their activities.

Organisations are advised to update their operating systems to the latest version and also deploy endpoint security measures.

In the News: YouTube unveils AI detection tools to safeguard content creators

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>