Rugmi Malware Spread Through Fake Cracks and Discord
A newly identified malware loader is being used by threat actors to distribute information stealers such as Lumma Stealer (also known as LummaC2), Vidar, RecordBreaker (also known as Raccoon Stealer V2), and Rescoms.
Cybersecurity researchers tracking the trojan detect it as Win/TrojanDownloader.Rugmi. The malware has three components: a downloader that fetches an encrypted payload, a loader that runs a payload embedded in its own resources, and a second loader that runs a payload read from a separate file on disk.
According to telemetry data provided by researchers, detections for the Rugmi loader witnessed a significant surge in October and November 2023, escalating from single-digit daily instances to hundreds per day.
Stealer malware is commonly sold under a malware-as-a-service (MaaS) model, in which other threat actors pay a subscription for access. Lumma Stealer, for example, is advertised on underground forums for $250 per month; the most expensive tier, at $20,000, includes the source code and the right to resell it.
There are indications that the codebase associated with Mars, Arkei, and Vidar stealers has been repurposed to develop Lumma.
Malware Distributed Using Different Avenues
Besides continually updating its evasion techniques, Lumma Stealer is distributed through a range of channels, from malvertising and fake browser updates to cracked installers for popular software such as VLC media player and OpenAI ChatGPT. Another channel is Discord's content delivery network (CDN), which is used to host and spread the malware.
In that campaign, a mix of random and compromised Discord accounts send direct messages to potential targets, offering $10 or a Discord Nitro subscription in exchange for help with a project. Users who accept are prompted to download an executable hosted on Discord's CDN that poses as iMagic Inventory but carries the Lumma Stealer payload.
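The Discord CDN lure above is easy to hunt for in proxy or web-gateway logs: a successful download of an executable file type from Discord's attachment hosts is rare in most environments and worth a look. The following is an added example written for this article, not code from the researchers or from any vendor tool. It assumes a simple space-separated proxy log format (timestamp, client IP, method, URL, status, bytes) and uses the Discord attachment hostnames cdn.discordapp.com and media.discordapp.net; the attachment paths and client addresses in the sample lines are constructed.

```python
# Added example (not from the original article): flag executable downloads
# served from Discord's CDN in constructed proxy log lines.
from dataclasses import dataclass
from urllib.parse import urlparse

# Hostnames Discord uses for user-uploaded attachments (assumption: these two
# cover the common cases; extend for your environment).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# File types that should not normally arrive as a Discord attachment.
# Deliberately narrow: archives that wrap an executable are not caught here.
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".dll"}


@dataclass
class Finding:
    client: str
    url: str
    filename: str


def parse_line(line: str):
    """Parse one constructed log line of the form
    '<ts> <client_ip> <method> <url> <status> <bytes>'; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "size": int(size)}


def attachment_filename(url: str) -> str:
    # urlparse drops the query string, so '?ex=...' suffixes do not hide the name.
    return urlparse(url).path.rsplit("/", 1)[-1]


def is_discord_exe_download(url: str) -> bool:
    """True if the URL points at an executable-type file on a Discord CDN host."""
    host = (urlparse(url).hostname or "").lower()
    if host not in DISCORD_CDN_HOSTS:
        return False
    name = attachment_filename(url).lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTS)


def scan(lines):
    """Return a Finding for every successful (HTTP 200) executable download
    from a Discord CDN host; failed fetches are skipped as noise."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        if is_discord_exe_download(rec["url"]):
            findings.append(Finding(rec["client"], rec["url"],
                                    attachment_filename(rec["url"])))
    return findings


# Constructed sample log: one benign image, one non-Discord installer, one
# failed fetch, and two executable attachments that mimic the lure described.
SAMPLE_LOG = [
    "2023-11-02T10:14:03Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/111/222/iMagic_Inventory.exe 200 5832704",
    "2023-11-02T10:15:11Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/111/333/screenshot.png 200 48211",
    "2023-11-02T10:16:40Z 10.0.0.23 GET https://example.com/downloads/setup.exe 200 1048576",
    "2023-11-02T10:17:02Z 10.0.0.24 GET https://cdn.discordapp.com/attachments/111/444/Invoice.pdf.exe?ex=abc 200 733184",
    "2023-11-02T10:18:00Z 10.0.0.25 GET https://media.discordapp.net/attachments/111/555/tool.scr 404 0",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} downloaded {f.filename} from {f.url}")
```

Only the two successful executable downloads from Discord hosts are reported; the PNG, the installer from a non-Discord host, and the failed fetch are ignored. Extension matching on the URL is a first-pass heuristic: in practice pair it with the response Content-Type and the file's magic bytes, since a lure can be served with a misleading name or wrapped in an archive.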
Researchers noted that ready-made malware of this kind fuels the proliferation of malicious campaigns by putting capable tooling in the hands of threat actors with little technical skill.