LummaC2 malware, also known as Lumma Stealer, has recently been updated with a sophisticated anti-sandbox technique that uses trigonometry to evade detection before extracting sensitive information from compromised systems.
Outpost24 security researcher Alberto Marín has detailed this method in a technical report. The technique is engineered to postpone the activation of the malware until it detects human mouse activity, thereby evading automated analysis systems.
LummaC2, written in the C programming language and sold on underground forums since December 2022, has undergone several updates to enhance its evasion capabilities, including control flow flattening and the ability to deliver additional payloads. The latest version, LummaC2 v4.0, requires its customers to use a crypter, which serves as an additional layer of concealment and prevents the raw (unpacked) sample from leaking.
A significant update in LummaC2 is its reliance on trigonometry to discern human behavior at the infiltrated endpoint. This involves tracking cursor positions at brief intervals to ascertain human activity, thereby avoiding detection in systems that do not realistically emulate mouse movements. The process involves capturing the cursor position five times following a 50-millisecond sleep interval and ensuring each position differs from the previous one. LummaC2 then treats these positions as Euclidean vectors and calculates the angles formed between consecutive vectors. If all angles are below 45 degrees, the malware proceeds, assuming human behavior is detected. Otherwise, it restarts the process.
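For analysts who tune sandboxes, the practical question is which synthetic cursor traces this heuristic accepts. The following Python is an added example that reconstructs the check as the article describes it; it is not code from LummaC2 or from Outpost24's report. It assumes that "vectors" means the displacement between each pair of consecutive samples and that the angle is measured between consecutive displacements; the sample traces are constructed here for illustration.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[int, int]
Vector = Tuple[int, int]

SAMPLES = 5                 # cursor positions captured per round (from the article)
SLEEP_MS = 50               # pause between captures (from the article); unused offline
ANGLE_THRESHOLD_DEG = 45.0  # every angle must be strictly below this (from the article)


def displacement_vectors(points: Sequence[Point]) -> List[Vector]:
    """Assumption: treat the movement between consecutive samples as the vectors."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]


def angle_between_deg(u: Vector, v: Vector) -> float:
    """Angle between two non-zero 2-D vectors, in degrees, via the dot product."""
    norm_u, norm_v = math.hypot(*u), math.hypot(*v)
    if norm_u == 0 or norm_v == 0:
        raise ValueError("zero-length vector has no direction")
    cos_theta = (u[0] * v[0] + u[1] * v[1]) / (norm_u * norm_v)
    cos_theta = max(-1.0, min(1.0, cos_theta))  # guard acos against rounding drift
    return math.degrees(math.acos(cos_theta))


def consecutive_angles(points: Sequence[Point]) -> List[float]:
    vecs = displacement_vectors(points)
    return [angle_between_deg(u, v) for u, v in zip(vecs, vecs[1:])]


def passes_mouse_check(points: Sequence[Point]) -> bool:
    """True if one round of five samples satisfies the article's rule.

    A False result corresponds to the malware restarting the capture loop:
    either two consecutive samples were identical (cursor not moving), or at
    least one angle between consecutive movements reached 45 degrees.
    """
    if len(points) != SAMPLES:
        raise ValueError(f"expected {SAMPLES} samples, got {len(points)}")
    if any(a == b for a, b in zip(points, points[1:])):
        return False  # cursor stood still between two captures
    return all(angle < ANGLE_THRESHOLD_DEG for angle in consecutive_angles(points))


# Constructed traces (not real telemetry):
HUMAN_LIKE_TRACE = [(100, 100), (110, 104), (121, 109), (133, 113), (146, 118)]  # gentle drift
STATIC_TRACE = [(100, 100)] * SAMPLES                                            # idle sandbox
RANDOM_JUMP_TRACE = [(100, 100), (300, 120), (90, 400), (500, 50), (20, 20)]     # teleporting cursor
SHARP_TURN_TRACE = [(0, 0), (10, 0), (20, 0), (20, 10), (20, 20)]                # one 90-degree corner

if __name__ == "__main__":
    for name, trace in [("human-like", HUMAN_LIKE_TRACE), ("static", STATIC_TRACE),
                        ("random jumps", RANDOM_JUMP_TRACE), ("sharp turn", SHARP_TURN_TRACE)]:
        print(f"{name:13s} -> proceeds: {passes_mouse_check(trace)}")
```

The sharp-turn trace shows how crude the heuristic is: a single right-angle corner within the five samples is enough to send the malware back into its capture loop, while a slowly drifting cursor passes. For sandbox operators, the takeaway is that an idle cursor or a cursor that teleports between random coordinates fails the check, whereas smoothly interpolated movement does not.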
This development is particularly notable in the context of the rising prevalence of information stealers and remote access trojans such as BbyStealer, Trap Stealer, Predator AI, Epsilon Stealer, Nova Sentinel, and Sayler RAT. These malicious tools are designed to extract a wide array of sensitive data from compromised systems, presenting a significant threat to cybersecurity.