Tracking LummaC2 Infrastructure with Cats

Last week, the US Department of Justice (DOJ) announced the disruption of the LummaC2 infostealing malware. This was achieved through sweeping domain seizures in coordination with Microsoft, which resulted in the takedown of over 2,300 domains associated with LummaC2 operations.

The FBI and CISA also released a joint advisory detailing LummaC2’s known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), including 114 domains observed deploying the malware. These domains have several commonalities including registration patterns and landing pages that reveal additional connected infrastructure. Pivoting on those common patterns can help organizations proactively defend against potential future LummaC2 activity.

Domain Registration Patterns

One of the registration patterns among the 114 domains is the usage of individual, Eastern European names for the Registrant Organization, Registrant, and Contact Name. Some of these names appear to reference prominent Russian figures such as athletes, mobsters, fashion designers, and actors.
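The pivot described above, as an added example that is not part of the original article: starting from a seed set of known domains, index WHOIS-style registrant fields after normalizing them, and report any other domains that share a registrant organization or contact name with a seed. All domains, names and records below are constructed placeholders (`.invalid` TLD, made-up registrant names), not real LummaC2 indicators; the field names and the list of privacy-proxy values are assumptions about how a WHOIS export might look.

```python
"""Pivot from a seed set of domains to additional domains that share
registrant fields. Every record below is a constructed placeholder."""
import re
from collections import defaultdict

# Values registrars substitute for privacy-protected records. Pivoting on
# these would link every privacy-proxied domain together, so they are skipped.
# (Assumed list; extend it to match the WHOIS source you actually use.)
NOISE_VALUES = {"", "n/a", "none", "redacted for privacy", "private", "whoisguard protected"}

# Registrant fields worth pivoting on; the key names are assumptions.
PIVOT_FIELDS = ("registrant_org", "registrant_name")

# Constructed seed set standing in for advisory-listed domains.
SEED_DOMAINS = {"seed-a.invalid", "seed-b.invalid"}

# Constructed WHOIS export. Note the case/whitespace variation and the
# privacy-proxied record, both of which a naive string match would mishandle.
RECORDS = [
    {"domain": "seed-a.invalid", "registrant_org": "Ivan Primer", "registrant_name": "Ivan Primer"},
    {"domain": "seed-b.invalid", "registrant_org": "Olga Sample", "registrant_name": "Olga  Sample"},
    {"domain": "linked-1.invalid", "registrant_org": "IVAN PRIMER", "registrant_name": "Ivan Primer"},
    {"domain": "linked-2.invalid", "registrant_org": "olga sample", "registrant_name": "O. Sample"},
    {"domain": "unrelated.invalid", "registrant_org": "Acme Hosting", "registrant_name": "Acme Hosting"},
    {"domain": "redacted.invalid", "registrant_org": "REDACTED FOR PRIVACY", "registrant_name": "REDACTED FOR PRIVACY"},
]


def normalize(value: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that
    'IVAN PRIMER' and 'Ivan  Primer.' produce the same key."""
    value = re.sub(r"[^\w\s]", " ", value.lower())
    return " ".join(value.split())


def build_index(records, fields=PIVOT_FIELDS):
    """Map (field, normalized value) -> set of domains carrying that value."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            key = normalize(rec.get(field, ""))
            if key in NOISE_VALUES:
                continue
            index[(field, key)].add(rec["domain"])
    return index


def pivot(records, seeds, fields=PIVOT_FIELDS):
    """Return {new_domain: {"field=value", ...}} for every non-seed domain that
    shares at least one pivot field with a seed domain."""
    index = build_index(records, fields)
    seeds = set(seeds)
    linked = defaultdict(set)
    for (field, key), domains in index.items():
        if not (domains & seeds):
            continue  # this registrant value never appears on a seed domain
        for domain in domains - seeds:
            linked[domain].add(f"{field}={key}")
    return dict(linked)


if __name__ == "__main__":
    for domain, reasons in sorted(pivot(RECORDS, SEED_DOMAINS).items()):
        print(domain, "<-", ", ".join(sorted(reasons)))
```

The output lists each newly linked domain together with the registrant values that tie it to the seed set, which is the evidence an analyst needs before adding the domain to a blocklist; a single shared field is a lead, not a conviction, so combine it with the other commonalities the advisory notes (landing pages, registrar, hosting) before acting on it.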

To read the complete article see:

link

This post is licensed under CC BY 4.0 by the author.