/*
 *  LummaC2 carrier (MultiCommander MultiUpdate disguise) — structural rule
 *
 *  Companion to the Versus Security blog post:
 *    "Lumma Stealer's .reloc trick"
 *    https://versus.security/blog/lumma-stealer-reloc-trick.html
 *
 *  Author     : Bruno Schmid (CSIRT Versus Security)
 *  Date       : 2025-02-14
 *  Reference  : SHA256 eff51f995cd6463cd9b3a2ea4a14cc85e3cc5c1b5b71db6d90765b3df175abba
 *  TLP        : CLEAR
 *
 *  Targets the artefact's structural fingerprint rather than the Lumma payload's
 *  obfuscated UTF-16 strings — survives operator string-shuffling and matches
 *  the delivery stage (where Embee Research's win_lumma_w1 fails because of
 *  its `filesize < 5000KB` gate).
 */

import "pe"
import "math"

rule LummaC2_MultiUpdate_Carrier_2024
{
    meta:
        author        = "CSIRT Versus Security (B. Schmid)"
        date          = "2025-02-14"
        description   = "Lumma carrier disguised as MultiCommander MultiUpdate.exe with encrypted payload in .reloc trailer"
        sample_sha256 = "eff51f995cd6463cd9b3a2ea4a14cc85e3cc5c1b5b71db6d90765b3df175abba"
        reference     = "https://versus.security/blog/lumma-stealer-reloc-trick.html"
        tlp           = "CLEAR"

    strings:
        $pdb        = "MultiCommander\\BuildOutput\\Output\\Win32\\Release v143\\MultiUpdate\\MultiUpdate.pdb" ascii
        $manifest_a = "name=\"Microsoft.Windows.AutoUpdate\""    ascii
        $manifest_d = "<description>MultiUpdate</description>"    ascii
        $multi_url  = "Multi Commander-http://multicommander.com/updates/version.xml" wide

    condition:
        uint16(0) == 0x5a4d
        and pe.is_pe
        and $pdb
        and ($manifest_a or $manifest_d or $multi_url)
        and for any sec in pe.sections : (
            sec.name == ".reloc"
            and sec.raw_data_size > (pe.data_directories[5].size + 0x4000)
            and math.entropy(sec.raw_data_offset, sec.raw_data_size) > 7.0
        )
}