

Lumma stealer uses trigonometry to evade detection


LummaMalware


The Lumma malware, which steals information from its victims' systems, employs a unique tactic for evading detection. It measures mouse movements using trigonometry to determine if it's operating on a real machine or a sandbox.

Lumma (also known as LummaC2) is an infostealer available through subscription, priced between $250 and $1000. This malware can extract data from browsers and applications on Windows 7-11, including passwords, cookies, credit card information, and cryptocurrency wallet details. This malware family first appeared on hacker forums in December 2022 and quickly gained popularity within the hacking community.

According to a recent report by Outpost24 analysts, the latest version, Lumma 4.0, has undergone significant changes in its evasion and automatic analysis techniques.

In addition to obfuscation, XOR encryption of strings, support for dynamic configuration files, and mandatory encryption in all builds, the malware monitors mouse movements to discern whether a real person is using the computer.

To achieve this, Lumma tracks cursor positions using the GetCursor() function, recording five positions (P0, P1, P2, P3, P4) at 50-millisecond intervals.

[Image: image17-Unveiling-LummaC2-stealer.webp]

Then trigonometry comes into play: the malware treats the collected position data as vectors, calculating the angles and magnitudes formed by the movements.

[Image: image18-Unveiling-LummaC2-steale.jpg]

If the angles between the vectors are less than 45 degrees, Lumma assumes that the movements are not programmatically emulated and continues its operation. However, if the angles are 45 degrees or greater, the malware terminates all malicious activities but continues to monitor mouse movements until it detects human-like actions.

[Image: angles.jpg]

Researchers believe that the 45-degree angle is an arbitrary value chosen by the malware developers based on empirical data or analysis of automated analysis tools.
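To make the heuristic concrete, the following is an added Python model of the check exactly as the article describes it: five sampled positions, the displacement vectors between them, the angle and magnitude of each turn, and a 45-degree cutoff. This is editorial example code, not Lumma's code and not from the Outpost24 report; the sample trajectories are constructed. A sandbox operator can feed their own recorded cursor samples to see whether their synthetic mouse movement would be classified as emulated, which is the point where analysis silently stops.

```python
import math

# Constructed sample trajectories (NOT captured from the malware or the report).
# Each is a list of five (x, y) cursor positions, nominally 50 ms apart.
HUMAN_LIKE = [(100, 100), (112, 104), (125, 109), (139, 113), (152, 118)]  # gentle drift
EMULATED = [(100, 100), (150, 100), (150, 150), (100, 150), (100, 100)]    # square path, 90° turns
IDLE = [(100, 100)] * 5                                                   # cursor never moves

THRESHOLD_DEG = 45.0   # the cutoff reported for Lumma 4.0
SAMPLE_COUNT = 5       # P0..P4


def vectors(points):
    """Displacement vectors between consecutive sampled positions."""
    return [(x1 - x0, y1 - y0) for (x0, y0), (x1, y1) in zip(points, points[1:])]


def magnitude(v):
    """Euclidean length of a displacement vector."""
    return math.hypot(v[0], v[1])


def angle_between(u, v):
    """Angle in degrees between two vectors, or None if either has zero length
    (a stationary cursor has no direction, so no angle can be formed)."""
    mu, mv = magnitude(u), magnitude(v)
    if mu == 0.0 or mv == 0.0:
        return None
    cos_theta = (u[0] * v[0] + u[1] * v[1]) / (mu * mv)
    cos_theta = max(-1.0, min(1.0, cos_theta))   # clamp rounding error before acos
    return math.degrees(math.acos(cos_theta))


def turn_angles(points):
    """Angles between each pair of consecutive displacement vectors."""
    vs = vectors(points)
    return [angle_between(a, b) for a, b in zip(vs, vs[1:])]


def looks_human(points, threshold=THRESHOLD_DEG):
    """True when every turn is sharper than `threshold` degrees.
    A window containing a zero-length step is treated as not human-like,
    since a fully idle cursor is typical of an unattended analysis VM."""
    angles = turn_angles(points)
    if any(a is None for a in angles):
        return False
    return all(a < threshold for a in angles)


def first_human_window(samples, window=SAMPLE_COUNT, threshold=THRESHOLD_DEG):
    """Model of the 'keep monitoring' behaviour: slide a 5-sample window over a
    longer capture and return the index of the first window that passes,
    or None if no human-like movement was ever observed."""
    for i in range(len(samples) - window + 1):
        if looks_human(samples[i:i + window], threshold):
            return i
    return None


if __name__ == "__main__":
    for name, traj in (("human-like", HUMAN_LIKE), ("emulated", EMULATED), ("idle", IDLE)):
        angles = [None if a is None else round(a, 1) for a in turn_angles(traj)]
        print(f"{name:11s} angles={angles} -> {'continue' if looks_human(traj) else 'stop'}")
    print("first passing window in emulated+human stream:",
          first_human_window(EMULATED + HUMAN_LIKE))
```

Note that the smooth trajectory turns by only a few degrees per step while the square path turns by exactly 90 degrees at every corner, so the decision is driven entirely by direction changes and not by speed; a sandbox that moves the cursor in straight segments joined by sharp corners, or not at all, will fail this check.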

Another interesting feature of Lumma is its use of a crypter to protect the malware executable from leaks. The malware automatically checks for a specific value in the executable file to determine if it is encrypted, and issues a warning if it is not.

2 Comments


9 hours ago, haplin09 said:

LummaC2’s customization options are killer. I’ve optimized it to rake in serious cash

By using trigonometry to analyze mouse movements via the GetCursor() function, it cleverly differentiates between real users and sandboxes. Its ability to avoid detection through XOR encryption, dynamic configs, and continuous mouse tracking showcases its sophisticated approach.
