Rugmi Malware Loader’s Rapid Surge in Infiltration and Distribution Tactics

A novel malware loader, recognized as Win/TrojanDownloader.Rugmi by ESET, has become a tool of choice for cyber threat actors aiming to disseminate various information stealers like Lumma Stealer, Vidar, RecordBreaker, and Rescoms.

ESET’s findings reveal Rugmi as a multi-component loader that uses several methods to fetch encrypted payloads from internal or external sources, decrypt them, and execute the malicious content. According to ESET telemetry, daily detections of this trojan jumped from a handful to several hundred in late 2023.

The underground market for stealers operates under a malware-as-a-service (MaaS) model. Lumma Stealer, for instance, is offered at subscription prices ranging from $250 to $20,000, with the top tier granting access to the source code and resale rights. Evidence also suggests that Lumma was built by repurposing codebases associated with other well-known stealers such as Mars, Arkei, and Vidar.

To evade detection, Rugmi is spread through a variety of distribution methods, including malvertising, counterfeit software updates, and Discord’s content delivery network (CDN). In the Discord campaign, compromised accounts lure targets with offers of $10 or a Discord Nitro subscription and persuade them to download seemingly harmless executable files that carry the Lumma Stealer payload.

ESET underlines the concerning trend where pre-made malware solutions like Lumma Stealer empower even less technically skilled threat actors, contributing to the proliferation of malicious campaigns. This accessibility, coupled with a diverse range of functionalities, makes Lumma Stealer an increasingly attractive and dangerous product in the cyber underworld.

Separately, McAfee Labs disclosed a new NetSupport RAT variant, derived from the legitimate NetSupport Manager tool, which initial access brokers are using to gather intelligence and perform actions on victims in the U.S. and Canada. The infection begins with obfuscated JavaScript files, which then run PowerShell commands to retrieve the remote-control tool and stealers from an actor-controlled server, illustrating how quickly cybercriminal tactics shift.

Both Rugmi’s surge and the evolution of NetSupport RAT highlight the constantly shifting landscape of cyber threats and the need for heightened vigilance and adaptive security measures against increasingly sophisticated attacks.

Combating the pervasive threat posed by the Rugmi malware loader requires a proactive defense strategy. Organizations can strengthen their defenses by deploying comprehensive endpoint security solutions capable of identifying and neutralizing a wide range of malware threats. Complementing these measures with robust user education and awareness initiatives that emphasize safe browsing practices and regular security updates enables employees to act as a crucial line of defense against the spread of malware.