New Research Outlines the Top 5 Malware Strains You Should Watch Out for

Here you will find everything you need to know about LummaC2, Rust-based stealers, SocGholish, AsyncRAT and Oyster malware strains.

New research from US cybersecurity firm ReliaQuest has revealed the top five malware strains currently in circulation.

ReliaQuest analyzed incident data from its own customers combined with external reports and activity on hacking forums to come up with its list.

According to ReliaQuest, these strains “warrant proactive customer responses due to their past use, anticipated future deployment, interest in the dark web, and ability to bypass defenses and execute successfully.”

This is what every security team should keep in mind.

LummaC2

This strain was first seen in December 2022, when a threat actor named Shamel advertised it for sale on a hacking forum. This is an information stealer designed to target Windows-based systems and is capable of stealing data from various web browsers.

ReliaQuest has seen more than 21,000 listings on Russian-language piracy forums for LummaC2 (a 51.9 percent increase from the previous quarter this year) with monthly subscriptions costing between US$250 and US$1,000.

LummaC2 is capable of collecting the victim’s browsing history, cookies, personal information, usernames, passwords, and even credit card numbers.

Rust-based stealers

There are several information stealers created in the Rust programming language, such as Rusty Stealer and Fickle Stealer. Rust is popular among malware developers thanks to its speed of execution, its ability to evade antivirus software, and the fact that it is cross-platform, making it a versatile language for malicious coders. Rust can also incorporate C and C++ code.

According to a member of the hacking forum observed by ReliaQuest, “if I have to choose a substitute for C++, it would definitely be Rust.” The hacker also said the language has “a lot of low-level control,” but noted that it has a “really steep learning curve.”

ReliaQuest has observed a nearly “3,000 percent increase in cybercriminal forum posts discussing stealer malware written in Rust on criminal forums from 2022 to August 2024.”

These stealers are able to obtain cryptocurrency wallet and browser plugin details, browser credentials, and files stored on a device.

SocGholish

Also known as FakeUpdates, SocGholish is a remote access Trojan that impersonates a browser update to trick victims into downloading and installing it. It is often hosted on what appear to be high-ranking websites, so the download appears to come from a trustworthy source.

SocGholish has been the most common malware seen in critical customer incidents since 2023 and into 2024, and is commonly used by an initial access broker known as Mustard Tempest, according to ReliaQuest. The broker uses the malware to gain initial access to a device and maintain persistence before selling that access to other hackers.

According to a recent report from Microsoft, the RansomHub ransomware-as-a-service operation is known to be linked to the use of SocGholish.

“The link between SocGholish and subsequent attacks by financially motivated advanced groups like RansomHub emphasizes the risk posed by this malware variant,” ReliaQuest said in a blog post.

AsyncRAT

AsyncRAT, as its name suggests, is another remote access Trojan, this time capable of remotely monitoring and controlling infected machines via an encrypted connection. This can directly lead to data theft or provide initial access for future attacks.

This strain of malware is distributed via phishing emails and malicious advertising links and is capable of keylogging and remote desktop control. Although it has been marketed as an open source project since it was first seen in 2018, AsyncRAT has also been observed “bundled” with other malware.

In an attack chain investigated by ReliaQuest, AsyncRAT was delivered via a phishing email that tricked the victim into downloading legitimate ScreenConnect remote access software, which, in turn, downloaded an executable file called SHaBaB, which then installed AsyncRAT. This occurred even though the target device had active antivirus software and EDR protection.
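The chain above succeeded on a host with antivirus and EDR, which is why defenders also look for the behaviour rather than the file: a remote-support client launching a fresh executable from a user-writable folder. The following is an added example of that check, not code from the article or from ReliaQuest. It runs over constructed process-creation records; the ScreenConnect process names, the user-writable directory fragments and the record format are assumptions to be adapted to your own telemetry.

```python
"""Flag executables launched by a remote-access tool process.

Added example, not code from the article or from ReliaQuest. It checks
constructed process-creation records for the pattern described above: a
remote-access client (here ScreenConnect) spawning a new executable from a
user-writable directory. Process names and directory fragments are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Assumption: image names of remote-access clients whose child processes warrant review.
REMOTE_ACCESS_TOOLS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Assumption: path fragments of user-writable locations from which a legitimate
# remote-support session rarely launches new binaries.
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


@dataclass
class ProcEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


def parse_event(record: str) -> ProcEvent:
    """Parse one 'timestamp|parent_image|image|command_line' record (constructed format)."""
    timestamp, parent_image, image, command_line = record.split("|", 3)
    return ProcEvent(timestamp.strip(), parent_image.strip(), image.strip(), command_line.strip())


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_rat_spawned_executable(event: ProcEvent) -> bool:
    """True when a remote-access tool starts an .exe from a user-writable directory."""
    if basename(event.parent_image) not in REMOTE_ACCESS_TOOLS:
        return False
    image = event.image.lower()
    if not image.endswith(".exe"):
        return False
    return any(fragment in image for fragment in USER_WRITABLE_DIRS)


def suspicious_images(records: List[str]) -> List[str]:
    """Return the image path of every record that matches the detection."""
    hits = []
    for record in records:
        if not record.strip():
            continue
        event = parse_event(record)
        if is_rat_spawned_executable(event):
            hits.append(event.image)
    return hits


SC_CLIENT = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"

# Constructed sample telemetry: timestamps, user name and paths are invented.
SAMPLE_RECORDS = [
    # 1. Explorer starts the remote-access client: expected, not flagged.
    r"2024-09-10T08:01:12|C:\Windows\explorer.exe|" + SC_CLIENT + "|ScreenConnect.ClientService.exe",
    # 2. The client launches an unknown .exe from the user's Temp folder: flagged.
    "2024-09-10T08:02:45|" + SC_CLIENT + r"|C:\Users\victim\AppData\Local\Temp\SHaBaB.exe|SHaBaB.exe",
    # 3. The client starts cmd.exe from System32: outside user-writable dirs, not flagged here.
    "2024-09-10T08:03:01|" + SC_CLIENT + r"|C:\Windows\System32\cmd.exe|cmd.exe",
    # 4. A service host starts a download, but the parent is not a remote-access tool: not flagged.
    r"2024-09-10T08:04:30|C:\Windows\System32\svchost.exe|C:\Users\victim\Downloads\setup.exe|setup.exe",
]


if __name__ == "__main__":
    for path in suspicious_images(SAMPLE_RECORDS):
        print("remote-access tool spawned executable:", path)
```

Record 3 is deliberately left unflagged to show the rule's scope: it only targets new binaries in user-writable paths, so a console spawned by the support client would need a separate rule on command-line content if that matters in your environment.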

Oyster

Oyster was first identified in late 2023 and is a backdoor. The malware is distributed through fake websites that appear to host legitimate software; when a victim runs the downloaded installer, it installs Oyster alongside the expected software, compromising the system while hiding the malicious installation behind the legitimate one.

Oyster is capable of hosting remote access sessions and file transfers, as well as command-line execution. Once a device is compromised, the malware can execute additional files and collect system information.

The Russian cybercriminal group known as Wizard Spider – also tracked as Trickbot, DEV-0193 and UNC2053 – is closely linked to the development of Oyster, as well as the malware known as TrickBot (which is not at all confusing). TrickBot was linked to the Conti and Ryuk ransomware families.

“Given Wizard Spider’s experience, Oyster will likely continue to be developed and used to facilitate initial access to ransomware groups,” ReliaQuest said.

“These malware variants, listed in no specific order, pose significant risks to organizations across industries and regions.”
