ReliaQuest: Watch Out for Info-Stealers and RATs
Threat actors are gravitating toward info-stealing malware like LummaC2 and remote access trojans (RATs) such as SocGholish and AsyncRAT because of their high success in previous campaigns at infiltrating victims’ systems and exfiltrating data, and their ability to bypass standard security protections like antivirus software, according to ReliaQuest.
These were among the five malware variants for the second quarter that the security operations platform maker said enterprises should keep a particular lookout for, according to Hayden Evans, cyber threat intelligence researcher with ReliaQuest.
“The ReliaQuest Threat Research team analyzed customer incident data, external industry reporting, and cybercriminal forums to identify the most pressing malware threats that warrant proactive responses from customers due to their past use, anticipated future deployment, interest on the dark web, and ability to bypass defenses and execute successfully,” Evans wrote in a blog post. “These malware variants … pose significant risks to organizations across all industries and regions.”
Also on the list were the growing number of info-stealers – such as Fickle Stealer and Rusty Stealer – written in the Rust programming language. In recent years cybercriminals have been moving away from C and C++ – the languages they have typically used – to newer ones like Rust, Go, and Python, which cybersecurity teams may be less familiar with and which can more easily evade security software.
Malware Gets Rusty
“Rust is increasingly becoming adversaries’ programming language of choice because of its fast execution speed, cross-platform capabilities, and antivirus evasion,” Evans wrote. “Discussions about the most effective malware programming languages on online cybercriminal forums indicated that users prefer Rust for its ability to incorporate C and C++ code and for being difficult to reverse engineer.”
He also noted a 2,953% increase from the start of 2022 to this month in the number of posts on cybercriminal forums discussing Rust-based stealer malware.
In Q2, ReliaQuest saw a number of incidents in which organizations were hit by Rust-based malware. In June, researchers detected a new Rust-based malware called Fickle Stealer being distributed via multiple avenues, including a phishing attack using Microsoft documents containing malicious macros. Fickle Stealer exfiltrates information about cryptocurrency wallets and browser plugins as well as saved browser credentials and files, which are then put up for sale on the dark web for use in future attacks.
LummaC2 and SocGholish Info-Stealers
LummaC2 is the latest iteration of the Lumma malware, first advertised on dark web forums in late 2022. It targets Windows systems and can steal data from multiple types of browsers. It illuminates the business side of cybercrime, being available to bad actors via subscriptions that range from $250 to $1,000 a month. It can steal information from up to 60 cryptocurrency wallets along with sensitive user information, including browsing history, cookies, personally identifiable information (PII), usernames, passwords, and credit card numbers, Evans wrote.
It is popular because of its high success rate at going undetected while infiltrating systems and stealing data, its intuitive user interface for bad actors of varying skill levels, and its ability to bypass Windows Defender and similar security tools.
LummaC2 “uses unconventional distribution tactics (such as via trojanized software and fake updates) that effectively bypass standard security measures,” he wrote. “Adversaries can use credentials harvested using LummaC2 to gain initial access to target systems or sell them on online marketplaces like Russian Market.”
ReliaQuest found more than 21,000 Russian Market listings involving LummaC2 between April and July, a 51.9% increase from the first quarter and 71.7% year-over-year jump. The researchers found multiple incidents in April and May of LummaC2 attacks.
The SocGholish RAT poses as a browser update to entice users to download and execute it, with the threat actors targeting “high-ranking websites to inject SocGholish, making these infected sites appear trustworthy in search results,” Evans wrote, adding that “SocGholish has been the most frequently observed malware in critical customer incidents throughout 2023 and remains the most prevalent into 2024.”
If SocGholish, which is operated by initial access broker Mustard Tempest, gets into an enterprise’s network, it can result in data breaches and disruptions to operations. Once a network is compromised, Mustard Tempest sells the access to other threat actors, who deploy ransomware or other threats in follow-on attacks.
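The fake-browser-update lure described above is something a detection engineer can look for at the point of download. The following Python is an added example, not code from ReliaQuest or the article: it scans constructed browser-download events and flags a file whose name reads like a browser update, ships as a script or executable, and was fetched from a host outside an assumed vendor allowlist. The JSON log schema, the field names, the allowlist and the sample domains are all assumptions made for this illustration.

```python
"""
Flag browser downloads that look like fake "browser update" lures.

Constructed example. The event format (one JSON object per line with
ts/process/url/filename/executed fields), the vendor allowlist and the
sample hosts are assumptions for this illustration, not any product's
real schema or real indicators.
"""
import json
from urllib.parse import urlparse

# Assumed: domains from which genuine browser updates are served.
VENDOR_DOMAINS = {"google.com", "mozilla.org", "microsoft.com", "apple.com"}

# File types a legitimate in-browser update prompt would not normally hand the user.
RISKY_EXTENSIONS = {".js", ".exe", ".hta", ".vbs", ".zip", ".msi"}

# Words that make a filename read like a browser update.
UPDATE_WORDS = ("update", "upgrade", "chrome", "firefox", "edge")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_vendor_host(host):
    """True only for an allowlisted domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def is_suspicious_download(event):
    """Update-looking name + risky extension + non-vendor source host."""
    name = event["filename"].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    looks_like_update = any(word in name for word in UPDATE_WORDS)
    return (looks_like_update
            and ext in RISKY_EXTENSIONS
            and not is_vendor_host(host_of(event["url"])))


def scan(lines):
    """Return one finding per suspicious download; severity rises if the user ran it."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious_download(event):
            findings.append({
                "ts": event["ts"],
                "process": event["process"],
                "filename": event["filename"],
                "host": host_of(event["url"]),
                "severity": "high" if event.get("executed") else "medium",
            })
    return findings


# Constructed sample log: a genuine vendor download, a lure, and an unrelated file.
SAMPLE_LOG = [
    '{"ts": "2024-06-03T09:12:00Z", "process": "chrome.exe", '
    '"url": "https://dl.google.com/chrome/install/ChromeSetup.exe", '
    '"filename": "ChromeSetup.exe", "executed": true}',
    '{"ts": "2024-06-03T09:40:11Z", "process": "chrome.exe", '
    '"url": "https://compromised-site.example/report/Update.js", '
    '"filename": "Update.js", "executed": true}',
    '{"ts": "2024-06-03T10:02:45Z", "process": "firefox.exe", '
    '"url": "https://intranet.example/quarterly-report.pdf", '
    '"filename": "quarterly-report.pdf", "executed": false}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The allowlist check deliberately requires an exact match or a real subdomain, so a host such as `google.com.evil.example` is not treated as a vendor. On real telemetry the `executed` flag would come from correlating the download with a later process-creation event for the same file.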
Widely Available AsyncRAT
AsyncRAT, which has been around since 2018, was the third-most prevalent malware in ReliaQuest customer incidents in Q2, behind LummaC2 and SocGholish, he wrote. It includes such functions as remote desktop control and keylogging, and uses process injection tactics to avoid detection. It is distributed via phishing and malvertising, among other methods.
“Due to the widespread availability of AsyncRAT and its preferred status among financially motivated threat actors, this malware is frequently employed in opportunistic attacks, with no specific preference for target industry or location,” Evans wrote, adding that researchers observed it being used in attacks in June and July, including in some cases along with SocGholish.
Oyster Linked to TrickBot Operator
Oyster – also known as Broomstick and CleanUpLoader – is a backdoor delivered via fake websites that appear to host legitimate software. Once executed, it compromises the victim’s device and connects it to the threat actor’s command-and-control (C2) server.
“By installing legitimate-appearing software, Oyster is reducing the likelihood of detection early in the attack chain, thereby increasing its chances of successfully persisting on a system using PowerShell,” he wrote. “Oyster can enable remote sessions and support tasks like file transfer and command-line processing. Oyster can also collect system information and run additional files post-compromise.”
Oyster is linked to Wizard Spider, a Russia-linked group responsible for the well-known TrickBot malware, a banking trojan that was used to distribute ransomware like Conti and Ryuk before the operation was disrupted by law enforcement in early 2022.