
Rugmi Malware

Threat actors are employing a new malware loader, identified as a Trojan named Win/TrojanDownloader.Rugmi. This threatening software consists of three distinct components: a downloader responsible for fetching an encrypted payload, a loader that executes the payload from internal resources, and another loader that runs the payload from an external file on the disk. Despite a slow start, Rugmi's detection rates have rapidly escalated over the past few months, reaching hundreds of detections per day.

Security experts indicate that Rugmi is utilized as a means to deploy various infostealers on compromised devices. Notable examples include the Lumma Stealer, Vidar, RecordBreaker (also known as Raccoon Stealer V2) and Rescoms.

Infostealers are Often Created and Then Sold in MaaS (Malware-as-a-Service) Schemes

Stealer malware is commonly marketed through a Malware-as-a-Service (MaaS) framework, offering subscription plans to other threat actors. The Lumma Stealer, for example, is promoted on underground forums at a monthly rate of $250. The highest-tier plan, priced at $20,000, provides customers with access to the source code, granting them the right to sell it.

Evidence suggests that the codebase linked to the Mars, Arkei, and Vidar stealers has been repurposed to develop Lumma.

In addition to consistently adjusting its strategies to avoid detection, this off-the-shelf tool is disseminated through various means, ranging from malvertising to counterfeit browser updates and compromised installations of popular software like VLC media player and OpenAI ChatGPT.

Threat Actors could Exploit Legitimate Services and Platforms

Another method involves utilizing Discord's content delivery network (CDN) to host and disseminate malware.

This approach involves using a mix of random and compromised Discord accounts to send direct messages to potential targets. These messages entice recipients with offers of $10 or a Discord Nitro subscription in exchange for their assistance on a supposed project. Those who agree to the offer are then directed to download an executable file hosted on the Discord CDN, falsely presented as the iMagic Inventory application but, in reality, harboring the Lumma Stealer payload.

The prevalence of ready-made malware solutions contributes to the widespread occurrence of malicious campaigns, as they make such malware accessible even to potentially less technically skilled threat actors.

Infostealer Infections may Have Severe Consequences for Victims

Infostealer infections can have severe consequences for victims due to the nature of these malicious programs designed to steal sensitive information. Here are some potential repercussions:

  • Loss of Personal and Financial Information: Infostealers are specifically crafted to extract sensitive data such as login credentials, financial details, and personal information. Victims may experience unauthorized access to their bank accounts, credit cards, and online accounts, leading to financial losses and identity theft.
  • Privacy Breach: Infostealers compromise the privacy of individuals by collecting and transmitting personal data. This information can be exploited for various unsafe purposes, including targeted phishing attacks, blackmail, or the sale of personal information on the dark web.
  • Compromised Online Accounts: Collected login credentials can be utilized to gain unauthorized access to various online accounts, including email, social media and business accounts. This unauthorized access can result in the misuse of accounts, spreading malware, or conducting fraudulent activities in the victim's name.
  • Business Espionage: In the case of corporate environments, infostealers can lead to the theft of sensitive business information, intellectual property, and trade secrets. This can have drastic consequences for the affected organization, including financial losses, damage to reputation, and legal ramifications.
  • Ransomware Attacks: Infostealers are often used as a precursor to more damaging attacks, such as ransomware. Cybercriminals may use the collected information to launch targeted ransomware attacks, encrypting valuable data and demanding a ransom for its release.
  • Disruption of Services: If infostealers are used to compromise critical systems or networks, victims may experience disruptions in services. This can impact businesses, government agencies, or individuals who rely on these systems for daily operations.
  • Reputation Damage: For individuals and organizations, the disclosure of sensitive information can cause reputational damage. Trust in an individual's or company's ability to safeguard information may be eroded, impacting relationships with clients, customers or partners.

To mitigate the risks associated with infostealer infections, individuals and organizations should prioritize cybersecurity measures, including robust anti-malware software, regular software updates, employee training on cybersecurity best practices, and the implementation of strong access controls and encryption measures.
