Rugmi Malware Spread Through Fake Cracks and Discord

A novel malware loader is being used by threat actors to distribute a range of information stealers, including Lumma Stealer (also known as LummaC2), Vidar, RecordBreaker (also known as Raccoon Stealer V2), and Rescoms.

Cybersecurity researchers are actively monitoring this Trojan, which they identify as Win/TrojanDownloader.Rugmi. The malware comprises three key components: a downloader that fetches an encrypted payload, a loader that executes the payload from its internal resources, and another loader that executes the payload from an external file on disk.

According to telemetry data provided by researchers, detections of the Rugmi loader surged in October and November 2023, rising from single-digit daily counts to hundreds per day.

Stealer malware, commonly distributed through a malware-as-a-service (MaaS) model, is available for subscription to other threat actors. Lumma Stealer, for example, is advertised on underground forums at a monthly rate of $250, with the most expensive plan costing $20,000, providing customers with access to the source code and permission to sell it.

There are indications that the codebase associated with Mars, Arkei, and Vidar stealers has been repurposed to develop Lumma.

Malware Distributed Using Different Avenues

Aside from constantly adapting its evasion tactics, this off-the-shelf stealer is disseminated through various methods, ranging from malvertising and fake browser updates to cracked installers for popular software such as VLC media player and OpenAI ChatGPT. Another method uses Discord's content delivery network (CDN) to host and propagate the malware.

This strategy uses a mix of random and compromised Discord accounts to send direct messages to potential targets, enticing them with offers such as $10 or a Discord Nitro subscription in exchange for help with a project. Users who accept the offer are prompted to download an executable hosted on the Discord CDN; the file is disguised as iMagic Inventory but contains the Lumma Stealer payload.
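As an added defender-side example (not code from the article or the researchers), the following Python snippet scans proxy log lines for executable attachments fetched from Discord CDN hostnames, the delivery path described above. The log format, the sample lines, and the CDN hostnames are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (timestamp, client, method, URL, status); not from the article.
SAMPLE_LOG = """\
2024-01-02T10:15:01Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/1111/2222/iMagic_Inventory.exe 200
2024-01-02T10:16:44Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/1111/3333/screenshot.png 200
2024-01-02T10:17:09Z 10.0.0.20 GET https://example.com/downloads/setup.exe 200
2024-01-02T10:18:30Z 10.0.0.31 GET https://media.discordapp.net/attachments/4444/5555/Project_Build.scr 200
"""

# Hostnames assumed to serve Discord user attachments; verify against your own traffic.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# Extensions a chat attachment should rarely carry on a managed endpoint.
EXECUTABLE_EXTS = {".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".dll"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def flag_discord_cdn_executables(log_text):
    """Return (client, url) pairs for successful executable downloads from Discord CDN hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # skip malformed lines and failed fetches
        parsed = urlparse(m.group("url"))
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host in DISCORD_CDN_HOSTS and any(path.endswith(ext) for ext in EXECUTABLE_EXTS):
            hits.append((m.group("client"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in flag_discord_cdn_executables(SAMPLE_LOG):
        print(f"ALERT {client} downloaded an executable from Discord CDN: {url}")
```

Hosts in the allow-list of a real proxy policy would usually be matched by suffix and the extension check paired with a content-type or file-magic check; this version keeps the logic minimal.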

Researchers emphasized that pre-built malware offerings fuel the proliferation of malicious campaigns by making such tooling easily accessible even to threat actors with limited technical skills.

January 2, 2024
