A new Go-based malware loader called JinxLoader is being used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader.
The disclosure comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks.
“The malware pays homage to League of Legends character Jinx, featuring the character on its ad poster and [command-and-control] login panel,” Symantec said. “JinxLoader’s primary function is straightforward – loading malware.”
Unit 42 revealed in late November 2023 that the malware service was first advertised on hackforums[.]net on April 30, 2023, for $60 a month, $120 a year, or a lifetime fee of $200.
The attacks begin with phishing emails impersonating Abu Dhabi National Oil Company (ADNOC), urging recipients to open password-protected RAR archive attachments that, when opened, drop the JinxLoader executable, which then acts as a gateway for Formbook or XLoader.
The development comes as ESET revealed a spike in infections delivering another new loader malware family, dubbed Rugmi, to propagate a wide range of information stealers.
It also comes amid a surge in campaigns distributing DarkGate and PikaBot, along with a threat actor known as TA544 (aka Narwal Spider) leveraging new variants of a loader malware called IDAT Loader to deploy Remcos RAT or SystemBC malware.
What’s more, the threat actors behind Meduza Stealer have released an updated version of the malware (version 2.2) on the dark web with expanded support for browser-based cryptocurrency wallets and an improved credit card (CC) grabber.
In a sign that stealer malware continues to be a lucrative market for cybercriminals, researchers have also discovered a new stealer family known as Vortex Stealer that is capable of exfiltrating browser data, Discord tokens, Telegram sessions, system information, and files smaller than 2 MB.
“Stolen information will be archived and uploaded to Gofile or Anonfiles; the malware will also post it onto the author’s Discord using webhooks,” Symantec said. “It’s also capable of posting to Telegram via a Telegram bot.”
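The exfiltration channels described for Vortex Stealer (Discord webhooks, a Telegram bot, and uploads to Gofile or Anonfiles) are all ordinary HTTPS requests to public services, which is what makes them easy to miss in egress traffic. The script below is an added detection example, not code from the article, Symantec or Unit 42; it scans constructed web-proxy log lines for POST requests to those endpoints and groups hits by source host, since one workstation posting to several of these channels in a short window is a much stronger signal than a single request. The Discord webhook and Telegram bot URL shapes are the public API formats of those services; the upload paths for the two file hosts and the five-field log format are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from any real incident).
# Format assumed here: "<timestamp> <src_ip> <method> <url> <bytes_sent>"
SAMPLE_LOG = """\
2024-01-02T10:00:01Z 10.0.0.15 GET https://www.example.com/index.html 512
2024-01-02T10:00:07Z 10.0.0.15 POST https://discord.com/api/webhooks/123456789/abcDEF_token 184320
2024-01-02T10:00:09Z 10.0.0.15 POST https://api.telegram.org/bot123456:ABC-DEF/sendDocument 95212
2024-01-02T10:00:12Z 10.0.0.15 POST https://store1.gofile.io/uploadFile 1048576
2024-01-02T10:00:15Z 10.0.0.22 GET https://discord.com/channels/@me 2048
2024-01-02T10:00:20Z 10.0.0.22 POST https://api.anonfiles.com/upload 730000
"""

# Exfil channels named in the Vortex Stealer description, as (label, host suffixes, path regex).
# Discord webhook and Telegram bot paths follow those services' public API shapes;
# the gofile/anonfiles upload paths are assumptions for this example.
CHANNELS = [
    ("discord-webhook", ("discord.com", "discordapp.com"), re.compile(r"^/api/webhooks/\d+/")),
    ("telegram-bot", ("api.telegram.org",), re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/send")),
    ("gofile-upload", ("gofile.io",), re.compile(r"/uploadFile$")),
    ("anonfiles-upload", ("anonfiles.com",), re.compile(r"/upload$")),
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def classify(url, method):
    """Return a channel label if the request matches a known exfil endpoint, else None."""
    if method.upper() != "POST":
        return None  # a GET to discord.com is ordinary browsing, not a webhook post
    parsed = urlparse(url)
    host = parsed.hostname or ""
    for label, hosts, path_re in CHANNELS:
        host_ok = any(host == h or host.endswith("." + h) for h in hosts)
        if host_ok and path_re.search(parsed.path):
            return label
    return None


def find_exfil(log_text):
    """Parse each log line and return (timestamp, src_ip, label, bytes_sent) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, method, url, nbytes = m.groups()
        label = classify(url, method)
        if label:
            hits.append((ts, src, label, int(nbytes)))
    return hits


def summarize(hits):
    """Map each source host to the set of exfil channels it used; several is a strong signal."""
    by_src = defaultdict(set)
    for _, src, label, _ in hits:
        by_src[src].add(label)
    return dict(by_src)


if __name__ == "__main__":
    found = find_exfil(SAMPLE_LOG)
    for ts, src, label, nbytes in found:
        print(f"{ts} {src} {label} {nbytes} bytes")
    for src, labels in summarize(found).items():
        print(f"{src}: {len(labels)} distinct exfil channel(s): {sorted(labels)}")
```

Run against real proxy or firewall logs, the host match should be extended to cover IP-literal destinations and the bytes-sent field used to separate a chat message from an archive upload; the point of the example is that the tell is the combination of endpoint, method and volume, not any one request.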