
Search result of “Total Commander Crack” on Google | Source: ASEC
A recent investigation by the AhnLab Security Intelligence Center (ASEC) has uncovered a malvertising campaign that distributes LummaC2 malware disguised as a Total Commander crack. This attack method targets users searching for pirated versions of the popular file management software, exposing them to credential theft and secondary cyberattacks.
The campaign begins with a deceptive Google search result for “Total Commander Crack” that leads to a fraudulent download page hosted on Google Colab Drive. Opening the post connects to the Colab drive and prompts the user to click a download button.
Instead of a legitimate crack, users receive a double-compressed ZIP file containing a malicious, password-protected RAR archive. Inside it is an installer labeled “installer_1.05_38.2.exe”, which ultimately deploys LummaC2.
LummaC2 is an infostealer malware that targets a wide range of sensitive data, including:
- Browser-stored credentials (Chrome, Firefox, Edge)
- Email and auto-login program passwords
- Cryptocurrency wallet data
- Session cookies for online services
“When a system is infected with LummaC2, sensitive information such as browser-stored account credentials, email credentials, cryptocurrency wallet credentials, and auto-login program credentials are sent to the threat actor’s C&C server,” ASEC explains.
This stolen data can be sold on dark web forums or used for further exploitation, including corporate data breaches.
The malware heavily obfuscates its payload behind multiple packaging and scripting layers, including:
- NSIS (Nullsoft Scriptable Install System)
- AutoIt Scripting Engine
- Batch script obfuscation techniques
The NSIS script executes an obfuscated Batch script (Nv.cmd), which manipulates system variables to evade detection.
Once executed, the malware decrypts an AutoIt-based payload that injects LummaC2 directly into system memory, bypassing antivirus detection.
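To show what the batch-layer obfuscation described above looks like to an analyst, here is an added Python example (not from ASEC's report and not the real Nv.cmd) that statically resolves the cmd.exe `%VAR:~start,len%` substring expansions obfuscated batch scripts are commonly built from; the sample script is constructed, and the assumption that Nv.cmd uses this particular substring-expansion form is mine.

```python
import re

# "set VAR=value" or set "VAR=value" (the quoted form is what obfuscators emit)
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=(.*?)"?\s*$', re.IGNORECASE)
# %VAR:~start% / %VAR:~start,len% substring expansion, and plain %VAR%
SUBSTR_RE = re.compile(r'%([A-Za-z_]\w*):~(-?\d+)(?:,(-?\d+))?%')
PLAIN_RE = re.compile(r'%([A-Za-z_]\w*)%')


def cmd_substring(value: str, start: int, length):
    """cmd.exe rules: negative start counts from the end; negative len stops that many chars before the end."""
    n = len(value)
    begin = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[begin:]
    end = begin + length if length >= 0 else max(n + length, 0)
    return value[begin:end]


def expand(line: str, env: dict) -> str:
    """Resolve expansions against variables seen so far; unknown names (e.g. %TEMP%) stay visible."""
    def sub_repl(m):
        name = m.group(1).upper()
        if name not in env:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(env[name], int(m.group(2)), length)
    line = SUBSTR_RE.sub(sub_repl, line)
    return PLAIN_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), line)


def deobfuscate(script: str) -> list:
    """Single pass: record `set` lines (names are case-insensitive in cmd, values may
    reuse earlier variables) and emit every other line with its expansions resolved."""
    env, out = {}, []
    for raw in script.splitlines():
        m = SET_RE.match(raw)
        if m:
            env[m.group(1).upper()] = expand(m.group(2), env)
        else:
            out.append(expand(raw, env))
    return out


# Constructed sample in the style of the campaign's batch stage (not the real Nv.cmd)
SAMPLE = r'''@echo off
set "qv=stop /min artz"
set "wn=ex2.gz"
set "nm=%qv:~0,2%%qv:~10,3%"
%qv:~0,2%%qv:~10,3%%qv:~4,5% %qv:~0,2%%qv:~10,1%%wn:~4,1%%wn:~-6,1%%wn:~2,-2%%wn:~0,2%%wn:~0,1%
echo %nm% > %TEMP%\marker.txt
'''
```

Running `deobfuscate(SAMPLE)` collapses the pool variables and substring picks back into the plain commands they encode, which is the form a detection rule or an analyst can actually read.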
Users should remain vigilant and prioritize secure software acquisition practices to protect their data and devices.