The U.S. Department of Justice teamed up with Microsoft to take down the backbone of a prolific malware-as-a-service operation.
The DOJ said it seized a number of domains that formed the core infrastructure of the LummaC2 information-stealing malware. The malware was being used to harvest login credentials and other personally identifiable information from unwitting users.
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew Galeotti, head of the Justice Department’s Criminal Division.
“Today’s announcement demonstrates that the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets.”
The aim, according to the DOJ, is to remove the command-and-control infrastructure on which the malware operation depends. Rather than simply take down public-facing sites that can be quickly replaced, authorities want to cripple the technical back-end that every LummaC2 customer relies on.
Because LummaC2 operates on an affiliate model, in which cybercriminals pay to license the malware for their own campaigns, removing individual public-facing domains has little overall impact: each affiliate can simply stand up new ones. By severing the shared command-and-control infrastructure instead, the DOJ aims to cut off service for all affiliates at once.
The seized domains operated as login and administration portals for paying customers of the service. Without access to those portals, the DOJ expects the LummaC2 service, its malware and the identity-fraud operations built on it to be rendered useless to cybercriminals. The three seized domains had all been newly launched, with the administrators having informed their customers of the new addresses only on May 20, an illustration of how quickly such infrastructure can be re-established when only the public-facing pieces are removed.
At the same time, authorities also want to cut off the public-facing domains used to distribute the malware and exfiltrate stolen data. This is where Microsoft enters the conversation. The Redmond software giant's Digital Crimes Unit played its part by taking down roughly 2,300 public-facing domains associated with the LummaC2 syndicate.
The FBI estimated that LummaC2 has been used in roughly 1.7 million instances of information theft, including the theft of bank and financial account credentials, logins for other user accounts, and cryptocurrency wallet data.
“The department will continue to use its unique tools, authorities, and partnerships to disrupt malicious cyber operations and criminal networks,” said Sue J. Bai, head of the Justice Department’s National Security Division.
“Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country.”