Lummac Stealer Activity - Execution Of More.com And Vbc.exe

About the rule

Rule Type

Standard

Rule Description

Lummac Stealer is an infostealer malware that steals sensitive information such as login credentials, passwords, emails, and cookies from a wide range of applications. This stealer leverages the Windows More Utility (more.com) to launch the Visual Basic Command Line Compiler (vbc.exe) to inject the Lummac code and install the stealer software to the system. This rule detects such code injections and activities associated with the Lummac Stealer.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Privilege Escalation → Process Injection → Data exfiltration

Impact

• System compromise
• Suspicious process creation
• Data theft

Rule Requirement

Prerequisites

• Windows Event Viewer

Logon to Group Policy Management Console with administrative privileges and enable auditing for process creation and termination events. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

• Sysmon

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

(((( PROCESSNAME ENDS_WITH ""\\vbc.exe"" ) ) OR ((ORIGINALFILENAME = ""vbc.exe"" ))) AND ((( PARENTPROCESSNAME ENDS_WITH ""\\more.com"" ) )))

This rule is triggered when the executed process is associated with the following suspicious elements:

• \\vbc.exe or vbc.exe: Refers to the process or file associated with the Visual Basic .NET Command-Line Compiler used to compile visual basic code to executables.
• more.com: A non essential Windows process or file associated with More Utility used to spawn vbc.exe for malicious activities.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Process Injection (T1055); Privilege Escalation: Process Injection (T1055)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.

When this rule is triggered, you're notified of the execution of the Lummac Stealer malware. This enables you to identify malicious process creations in the system and detect attempts of data exfiltration in the network.

Author

Joseliyo Sanchez, @Joseliyo_Jstnk

Future actions

Known False Positives

This rule might be triggered during legitimate process executions involving more.com and vbc.exe.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. System process audit: Continuously monitor system processes and file executions to detect suspicious process creations and malware executions.

Mitigation