November 20, 2023 at 09:42AM
The Lumma information-stealing malware is using a novel method to avoid detection: it applies trigonometry to sampled mouse movements to decide whether it is running on a real user's machine or inside an antivirus sandbox. This version also adds control flow obfuscation, XOR-encrypted strings, and other anti-analysis techniques that make reverse engineering harder. Lumma is sold on cybercrime forums and is popular in the underground hacking community; its operators now require buyers to wrap the executable in a crypter so that unprotected builds do not leak. Overall, the release shows a sustained effort to frustrate analysis and understanding of the malware.
Summary:
The Lumma information-stealing malware has implemented new tactics to evade detection by security software. The most notable is a trigonometry-based check that decides whether the malware is running on a real machine or in an antivirus sandbox. Lumma samples the cursor position over time, builds Euclidean vectors between consecutive positions, and compares the angles between successive vectors: smooth, continuous human movement produces small angles, while the jumpy or absent cursor motion of software emulation does not. If every computed angle is below 45 degrees, the malware continues execution; otherwise it halts its malicious behavior but keeps sampling the cursor. The 45-degree threshold appears to be an arbitrary choice, most likely tuned empirically by the authors. Lumma also now requires its executable to be protected by a crypter, which keeps builds away from non-paying hackers and threat analysts. In addition, the latest version layers several protective measures, including control flow flattening, XOR-encrypted strings, dynamic configuration files, opaque predicates, and injected dead code, to confound analysis and understanding of its mechanisms.
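The following is an added, editorial example that reimplements the mouse-movement check described above in Python so the logic can be inspected; it is not code from Lumma or from the researchers who analysed it. Only the 45-degree threshold and the "angle between consecutive movement vectors" idea come from the reporting. The five-sample window, the treatment of a stationary cursor as non-human, and the cursor coordinates used as input are assumptions constructed for illustration.

```python
import math
from typing import Optional, Sequence, Tuple

Point = Tuple[float, float]
Vector = Tuple[float, float]

# Reported threshold: consecutive movement vectors must differ by less than
# 45 degrees for the cursor motion to be treated as human-driven.
ANGLE_THRESHOLD_DEG = 45.0

# Assumption: how many cursor samples make up one decision window.
WINDOW_SIZE = 5


def movement_vectors(points: Sequence[Point]) -> list:
    """Euclidean vectors between each pair of consecutive cursor samples."""
    return [(x1 - x0, y1 - y0) for (x0, y0), (x1, y1) in zip(points, points[1:])]


def angle_between_deg(v1: Vector, v2: Vector) -> float:
    """Unsigned angle (0..180 degrees) between two movement vectors.

    Assumption: if either vector has zero length (the cursor did not move
    between two samples) the function returns 180.0, so a stationary cursor
    can never pass the threshold test.
    """
    dot = v1[0] * v2[0] + v1[1] * v2[1]
    cross = v1[0] * v2[1] - v1[1] * v2[0]
    if dot == 0 and cross == 0:          # at least one zero-length vector
        return 180.0
    return abs(math.degrees(math.atan2(cross, dot)))


def turn_angles_deg(points: Sequence[Point]) -> list:
    """Angles between each pair of consecutive movement vectors."""
    vecs = movement_vectors(points)
    return [angle_between_deg(a, b) for a, b in zip(vecs, vecs[1:])]


def looks_human(points: Sequence[Point],
                threshold: float = ANGLE_THRESHOLD_DEG) -> bool:
    """True when every turn angle in the window is strictly below the threshold."""
    angles = turn_angles_deg(points)
    return bool(angles) and all(a < threshold for a in angles)


def first_human_window(samples: Sequence[Point],
                       window: int = WINDOW_SIZE) -> Optional[int]:
    """Mimic 'halt but keep monitoring': slide a window over a cursor sample
    stream and return the index of the first window that passes the check,
    or None if no window does (the payload would stay dormant)."""
    for start in range(0, len(samples) - window + 1):
        if looks_human(samples[start:start + window]):
            return start
    return None


# Constructed sample data (not captured from any real system).
# A smooth, slightly accelerating drag to the lower right.
HUMAN_PATH = [(100, 100), (112, 104), (125, 110), (140, 117), (158, 126)]
# A sandbox that "teleports" the cursor to random spots between samples.
TELEPORT_PATH = [(100, 100), (400, 300), (120, 700), (900, 150), (50, 50)]
# A sandbox that never moves the cursor at all.
STATIONARY_PATH = [(500, 500)] * 5
# Teleporting at first, then a human-like segment starting at sample index 4.
MIXED_STREAM = TELEPORT_PATH + [(62, 54), (75, 60), (90, 67), (108, 76)]


if __name__ == "__main__":
    for name, path in (("human", HUMAN_PATH), ("teleport", TELEPORT_PATH),
                       ("stationary", STATIONARY_PATH)):
        print(f"{name:10s} angles={[round(a, 1) for a in turn_angles_deg(path)]} "
              f"human={looks_human(path)}")
    print("first human window in mixed stream:", first_human_window(MIXED_STREAM))
```

Two things stand out when the check is written down. First, it is a pure geometry test on a handful of samples, so a sandbox that synthesises a smooth cursor trajectory passes it; the signal is cheap to generate and therefore weak. Second, because a failing sample set only pauses the payload rather than terminating the process, analysts who see a Lumma sample idle in a sandbox should not conclude it is benign; feeding the sample realistic pointer motion is enough to move it past this gate.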