A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.
Cybersecurity company ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.
“This malware is a loader with 3 types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk,” the company said in its Threat Report H2 2023.
Telemetry data collected by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single-digit daily numbers to hundreds per day.
Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives customers access to the source code and the right to sell it.
There is evidence to suggest that the codebase associated with the Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.
Besides continuously adapting its tactics to evade detection, the off-the-shelf tool is distributed through a variety of methods ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.
Another technique involves the use of Discord’s content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.
This entails leveraging a combination of random and compromised Discord accounts to send direct messages to prospective targets, offering them $10 or a Discord Nitro subscription in exchange for their assistance on a project.
Users who agree to the offer are then urged to download an executable file hosted on Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.
“Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware available even to potentially less technically skilled threat actors,” ESET said.
“Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product.”
The disclosures come as McAfee Labs disclosed a new variant of NetSupport RAT, which emerged from its legitimate progenitor NetSupport Manager and has since been put to use by initial access brokers to gather information and perform additional actions on victims of interest.