Key Points
- Widely used by adversaries, infostealers harvest sensitive information that is later sold on criminal marketplaces for threat actors looking to gain initial access. LummaC2 is the most popular infostealer, while those written in Rust are increasingly common.
- Remote access malware is often installed after users unwittingly download software. Malware like SocGholish and AsyncRAT remain prevalent for gaining access and stealing information.
- By implementing the recommendations and GreyMatter Automated Response Plays, organizations can protect themselves from these threats in the fastest possible manner.
This report examines five malware variants that have recently impacted the threat landscape or may do so in the near future: “LummaC2,” Rust-based stealers, “SocGholish,” “AsyncRAT,” and “Oyster.” The ReliaQuest Threat Research team analyzed customer incident data, external industry reporting, and cybercriminal forums to identify the most pressing malware threats that warrant proactive responses from customers due to their past use, anticipated future deployment, interest on the dark web, and ability to bypass defenses and execute successfully. These malware variants, listed in no specific order, pose significant risks to organizations across all industries and regions. For each, we provide background intelligence, assess recent activity and impact, and recommend effective mitigation techniques.
LummaC2
First advertised on cybercriminal forums in December 2022 by a vendor known as Shamel, LummaC2 (aka Lumma, Lumma Stealer, LummaC) is an information-stealing malware (infostealer) that affects Windows operating systems and can obtain data from multiple browser types. LummaC2 subscription prices range from $250 to $1,000 monthly, with additional features available, depending on the chosen plan. LummaC2, which builds on its predecessor “LummaC,” can exfiltrate information from up to 60 cryptocurrency wallets and steal sensitive user information like browsing history, cookies, personally identifiable information (PII), usernames, passwords, and credit card numbers. ReliaQuest research shows that LummaC2 is consistently popular among threat actors due to its high success rate in infiltrating systems and exfiltrating sensitive data undetected. It also has an intuitive user interface that caters to various skill levels, can bypass commonly used antivirus software like Windows Defender, and uses unconventional distribution tactics (such as via trojanized software and fake updates) that effectively bypass standard security measures. Adversaries can use credentials harvested using LummaC2 to gain initial access to target systems or sell them on online marketplaces like Russian Market.
Figure 1: Forum post highlighting a LummaC2 update featuring its Windows Defender bypass capability
Recent Activity
We observed a significant recent increase in LummaC2 activity: GreyMatter Digital Risk Protection (DRP) detected more than 21,000 Russian Market listings involving LummaC2 between April and July 2024, marking a 51.9% increase from Q1 2024 and a 71.7% increase from Q2 2023. LummaC2’s increased popularity likely sources from the stealer’s proven reliability and its continuous updates, which have generated positive reviews from forum members and increased market demand. One forum member raved: “I use the product. The success rate is really pleasing, the most important thing is that the admin is online and communicates with everyone, no ignoring on his part. [The admin] does any assignment – this is the most important thing in the product, its support! Working $. The product is constantly improving, currently the best stealer on the market! [translated from Russian]” (see Figure 2).
Figure 2: Forum user praises the reliability of and customer service for LummaC2
In addition to the growth in LummaC2-related listings, we identified a May 2024 campaign from the JavaScript framework “ClearFake” that disguised itself as a fake update and used innovative execution techniques to trick users into manually copying and executing malicious PowerShell code, leading to the deployment of LummaC2. The unusual execution technique bypasses several detections and security controls, including those for malicious file downloads, mark-of-the-web signatures, and suspicious parent-child process relationships. It is highly likely that LummaC2 will continue to be used in campaigns with new techniques to allow for greater success of installation and exfiltration of sensitive data.
In April 2024, security researchers identified the threat actor “CoralRaider” using LummaC2 to harvest credentials and financial data from victims in multiple regions, including the US, the UK, Africa, South America, and Asia. CoralRaider targets users via phishing emails containing ZIP archives with shortcut files that trigger multi-stage infections, leading to the deployment of LummaC2. CoralRaider’s attacks are opportunistic, targeting organizations across various sectors to increase the chances of successfully installing LummaC2. The attack leveraged PowerShell and batch scripts that, when executed, install LummaC2 and lead to the compromise of sensitive information.
In May 2024, reports detailed threat actors using fake websites mimicking the antivirus software Avast, Malwarebytes, and Bitdefender to distribute various infostealers, including LummaC2. malwarebytes[.]pro delivered LummaC2 through a ZIP archive file, enabling attackers to obtain sensitive information to later sell on criminal markets.
Multiple other infostealers, such as “Raccoon,” “Vidar,” and “RisePro” are readily available to threat actors. However, adversaries likely prefer LummaC2 because of its reliability, regular updates, and vendor support, as reflected in the multiple recent campaigns involving this stealer. Organizations should treat the infostealer threat with high priority, since compromised credentials are often sold on criminal marketplaces and used by other attackers for initial access and data theft.
Recommendations
- To prevent LummaC2 from compromising saved passwords, restrict users from storing passwords in web browsers. Begin by opening the Group Policy Management Editor. Navigate to “User Configuration,” then to “Policies,” and proceed to “Administrative Templates.” Select the specific web browser you wish to configure and disable the option to save passwords in the password manager and autofill settings.
- Restrict employees from using personal devices for work, if possible. If personal devices—which are unlikely to have the same level of protection and detections in place—are compromised by an infostealer, any credentials used for professional work may be exfiltrated. This leaves an organization at risk of unauthorized access, perhaps the first step in a serious incident like a ransomware infection.
Rust-based Stealers
Several infostealer variants identified in 2024, including “Fickle Stealer” (see below) and “Rusty Stealer,” use the Rust programming language. Released in 2015, Rust is a compiled language that creates executable files (.exe) that can bypass antivirus software and be used to exfiltrate compromised credentials. Rust is increasingly becoming adversaries’ programming language of choice because of its fast execution speed, cross-platform capabilities, and antivirus evasion. Discussions about the most effective malware programming languages on online cybercriminal forums indicated that users prefer Rust for its ability to incorporate C and C++ code and for being difficult to reverse engineer. One forum member declared: “if I have to pick a substitute of C++, would definitely be Rust.” They claimed Rust has “great low level control” but has a “really steep learning curve.”
Recent Activity
We observed infostealers developed in Rust across the threat landscape in Q2 2024. In April 2024, ReliaQuest addressed incidents involving separate customers who were affected by malware being distributed from the domains “slationo[.]com” and “shothix[.]com.” The users downloaded a file named DownloadSetup.exe that masqueraded as legitimate software for viewing live-stream videos. The malware executed and added itself to the Windows Startup folder for persistence, so that it would run again after any system shutdown or restart. The DownloadSetup.exe file contained several strings indicating it was compiled with Rust, including “rustc,” “string.rs,” “function.rs,” and “rust_panic.” Crucially, although the hosts had antivirus and endpoint detection and response (EDR) tools installed, the malware executed freely and was not blocked. ReliaQuest analysts used GreyMatter Respond to contain the threat, isolating infected hosts and blocking malicious IP addresses, URLs, and hash values. GreyMatter Respond facilitated remediation efforts such as revoking active sessions and resetting the credentials of compromised user accounts.
In June 2024, security researchers reported that a new Rust-based malware, known as Fickle Stealer, was being distributed through multiple attack vectors. One method involved a phishing attack using Microsoft documents containing malicious macros (commands embedded in Microsoft documents) that execute Visual Basic Application (VBA) code. Fickle Stealer first installs and executes a PowerShell script named bypass.ps1 that bypasses UAC to install and execute the stealer payload. The stealer first checks if it is present in a sandbox and deletes itself if this is the case. Continuing its execution, the malware exfiltrates cryptocurrency wallet information, browser plugin information, saved browser credentials, and files. As with LummaC2, this information is then sold on criminal forums for use in follow-on attacks.
These latest incidents align with an increase in cybercriminal forum posts discussing stealer malware written in Rust: an increase of 2,953% from the start of 2022 to August 2024. Defenders must be aware of the increasing use of Rust-based malware—a trend that is highly likely to continue in the mid-term future (between three months and one year)—and the associated executable files that can bypass signature-based detections.
Figure 3: Forum user advertises Rust-based infostealer for sale
Recommendations
- Fickle Stealer uses PowerShell to check if it is being analyzed in a sandbox and to bypass UAC. We therefore recommend enforcing AppLocker rules that restrict PowerShell script execution to specific paths and users. Additionally, set UAC to the strictest option, requiring administrator approval. This requires administrator credentials to be entered, which halts the execution of the malware.
- In Group Policy, set “VBA Macro Notification Settings” to “Disable All Without Notification.” This will prevent users from allowing documents to run that are downloaded from external websites or received in emails that may contain malicious macros. For users that rely on macros, this can be set to “Require macros to be signed by a trusted publisher.”
SocGholish
SocGholish (aka “FakeUpdates”) is a remote access trojan (RAT) that disguises itself as a fake browser update, deceiving users into downloading and executing it. Adversaries target high-ranking websites to inject SocGholish, making these infected sites appear trustworthy in search results. As a result, users are less likely to suspect malicious intent when prompted with the fake update. SocGholish has been the most frequently observed malware in critical customer incidents throughout 2023 and remains the most prevalent into 2024. It poses a significant risk if it infiltrates an organization’s network, potentially leading to data breaches and operational disruptions. SocGholish is operated by the initial access broker “Mustard Tempest.” Once the malware successfully compromises a host, Mustard Tempest is known to sell this access to other threat actors, who conduct high-impact follow-on attacks, such as deploying ransomware to conduct extortion.
Recent Activity
A new SocGholish infection chain—previously identified by ReliaQuest—that leverages Python to establish persistence has continued into Q2 2024. Upon execution of the fake browser patch file “update.js,” Python is downloaded onto the host and a scheduled task is created to connect to the attacker’s infrastructure every five minutes. Using Python is likely a response to organizations becoming more aware of the risks associated with unrestricted executable files (.exe) and PowerShell use, leading them to implement corresponding mitigations. This adaptation showcases threat actors’ continued focus on developing SocGholish to evade detection and maintain persistence.
In July 2024, security researchers reported that SocGholish was being used to provide initial access to victims for “RansomHub,” a ransomware-as-a-service (RaaS) group that recruits affiliates. In our report “Ransomware and Cyber Extortion in Q2 2024,” we highlighted RansomHub as one of the fastest-growing ransomware groups and forecasted that its activity would continue to accelerate throughout the rest of 2024. The link between SocGholish and subsequent attacks from advanced financially motivated groups like RansomHub emphasizes the risk posed by this malware variant.
Recommendations
- Implement a group policy that opens JavaScript files (.js) with Notepad. This will prevent the execution of downloaded JavaScript files that are distributed as SocGholish.
- Set Windows Defender Application Control (WDAC) to the strictest level possible. This sets PowerShell to run in constrained language mode, reducing the available commands that are commonly abused by SocGholish.
- Enforce application control to block applications unnecessary for users’ responsibilities. Limiting the use of PowerShell and Python can decrease the likelihood of successful execution and establishment of persistence.
AsyncRAT
Active since 2018, AsyncRAT is a sophisticated RAT designed to facilitate remote monitoring and control of computers through a secure, encrypted connection. Following SocGholish and LummaC2, AsyncRAT is the third most prevalent malware in critical customer incidents in Q2 2024: Its ability to facilitate the theft of sensitive information and provide access for follow-on attacks makes it a significant threat. AsyncRAT offers a range of functionalities, including keylogging and remote desktop control, and conducts process injection to evade detection. AsyncRAT is distributed through various methods, including phishing and malicious advertising (malvertising). AsyncRAT is widely shared on criminal forums as an “open-source project” with a stable, secure connection and is sometimes bundled with, and sold alongside, other malicious tools. Due to the widespread availability of AsyncRAT and its preferred status among financially motivated threat actors, this malware is frequently employed in opportunistic attacks, with no specific preference for target industry or location.
Recent Activity
In June 2024, ReliaQuest responded to a customer incident involving a new infection chain designed to deliver AsyncRAT. The attack began with a phishing email whose link led the user to unknowingly download the remote access software ScreenConnect. This software then automatically connected to the attacker’s infrastructure to download the file “SHabaB.exe,” which subsequently installed AsyncRAT. Notably, the malware executed successfully and established persistence even though antivirus and EDR tools were installed on the host. This incident illustrates attackers’ preference for using AsyncRAT and their ongoing efforts to develop the malware further, to evade being detected and blocked by security tools.
In July 2024, security researchers observed AsyncRAT being installed following initial SocGholish infections. This behavior, observed in previous years and continuing into 2024, involves SocGholish checking if the host is part of an Active Directory domain upon execution. If the host is part of a domain, SocGholish continues its execution. If the system is not part of a domain, SocGholish downloads AsyncRAT for command-and-control (C2). Inadequate measures to detect and block AsyncRAT can enable attackers to remotely access compromised devices and steal sensitive information, such as credentials. Even if a device is not part of a domain, attackers can still perform lateral movement using various techniques, which can ultimately jeopardize the security of the Active Directory domain. Due to the open-source nature of AsyncRAT and its previous use in conjunction with other malware or tools, it will likely continue to be developed and incorporated into increasingly damaging campaigns.
Recommendations
- Block email attachment types commonly used in phishing emails to deliver AsyncRAT, including .html, .one, .xlsm, .xltm, .xlsb, .docm, .dotm, .pptm, .potm, .ppam, .zip, .exe, .scr, .wsf, .pif, .cpl, .jar, and .vbs. AsyncRAT commonly uses malicious email attachments to gain initial access.
- Create a group policy or AppLocker rule to prevent unprivileged users from executing batch files (.bat), PowerShell scripts, and remote access tools. These Windows-native scripting languages and remote access tools are commonly used by AsyncRAT for installation.
Oyster
First identified in September 2023, Oyster (aka “Broomstick,” “CleanUpLoader”) is a backdoor malware delivered by fake websites purporting to host legitimate software. When a user executes what they believe to be safe software, their device is compromised and connects to the adversary’s C2 server. By installing legitimate-appearing software, Oyster reduces the likelihood of detection early in the attack chain, thereby increasing its chances of successfully persisting on a system using PowerShell. Oyster can enable remote sessions and support tasks like file transfer and command-line processing. Oyster can also collect system information and run additional files post-compromise.
Oyster is associated with the Russia-linked threat group “Wizard Spider,” which is also responsible for the “TrickBot” malware. TrickBot was a highly sophisticated banking trojan used to distribute ransomware, including “Ryuk” and “Conti,” until its servers were shut down by law enforcement in February 2022. Given the experience of Wizard Spider, Oyster is likely to continue to be developed and used to facilitate initial access for ransomware groups.
Recent Activity
The increasing prevalence of Oyster in cybersecurity reports in 2024, including its first appearance in ReliaQuest critical incidents during Q2 2024, highlights its growing popularity. This suggests that it will become more widespread in the mid-term future (between three months and one year).
In June 2024, security researchers identified a new malvertising campaign involving Oyster being distributed as a fake Microsoft Teams installer via typo-squatted domains. The same month, ReliaQuest responded to a critical customer security incident that led to hands-on-keyboard adversary access that was part of the same campaign. The following attack steps occurred:
1. A user attempting to download Microsoft Teams navigated to “micrsoft-teams-download[.]com” (see Figure 4 below). The user was then redirected to “prodfindfeatures[.]com” and downloaded the file “MSTeamsSetup_c_l_.exe” that had a valid code signing certificate.
Figure 4: Fake Microsoft Teams download page
2. Upon executing the file “MSTeamsSetup_c_l_.exe,” the legitimate version of Microsoft Teams was installed to deceive the user. Concurrently, the below RunDLL32 command was executed to launch the Oyster malware DLL file “CleanUp30.dll” and a scheduled task was created to launch the same file every three hours.
- rundll32.exe C:\Users\<redacted>\AppData\Local\Temp\CleanUp30.dll,Test
3. C2 was established with HTTP to the domain “supfoundrysettlers[.]us” by the file “CleanUp30.dll.”
4. The file “getresult.exe” was then downloaded to the host and executed. This file accessed the host’s web browser information, including saved credentials, history, bookmarks, and login data.
5. The PowerShell script “krb.ps1” was downloaded and an attempt was made to execute it, but this was blocked. The script was intended to conduct kerberoasting, a technique designed to obtain hash values for service accounts, which can then be cracked.
6. The files “Green.exe” and “gtx.exe” were downloaded and executed to establish C2 connection to the IP address “195.85.114[.]193” over ports 4288, 4043, and 777.
7. Finally, commands intended to gather information of the compromised host and domain environment were executed, including “whoami.exe,” “net1 group ‘domain computers’ /domain,” “nltest.exe /domain_trusts,” and “tasklist.exe.”
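As an added illustration (not ReliaQuest or GreyMatter detection content), the Python below flags the host-level behaviors from the SocGholish chain described earlier (a script host running update.js, a scheduled task whose action is Python) and from the Oyster steps just listed (rundll32 loading a DLL from the Temp folder, the domain-enumeration commands in step 7); the event records, user name and task name are constructed.

```python
"""Host detections for the SocGholish and Oyster chains described in this report.
Added example, not ReliaQuest/GreyMatter detection content; event records are
constructed, Sysmon-style process-creation events reduced to three fields."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    image: str    # full path of the started process
    cmdline: str  # its command line
    parent: str   # full path of the parent process

# User-writable locations the samples in the report executed from.
USER_DIR_RE = re.compile(r"\\(appdata\\local\\temp|downloads)\\", re.IGNORECASE)
# Domain enumeration commands from step 7 of the Oyster incident.
RECON_RE = re.compile(
    r'net1?(\.exe)?\s+group\s+"?domain computers"?\s+/domain|nltest(\.exe)?\s+/domain_trusts',
    re.IGNORECASE)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    img, cmd = _basename(ev.image), ev.cmdline
    low, in_user_dir = cmd.lower(), bool(USER_DIR_RE.search(cmd))
    hits = []
    # SocGholish: a script host executing a .js dropped into Downloads or Temp.
    if img in ("wscript.exe", "cscript.exe") and ".js" in low and in_user_dir:
        hits.append("script_host_js_user_dir")
    # SocGholish (Python persistence) and Oyster (three-hourly task): a new
    # scheduled task whose action is python.exe or a file under Temp/Downloads.
    if img == "schtasks.exe" and "/create" in low and ("python" in low or in_user_dir):
        hits.append("schtask_suspicious_action")
    # Oyster loader: rundll32 loading a DLL out of %LOCALAPPDATA%\Temp.
    if img == "rundll32.exe" and ".dll" in low and in_user_dir:
        hits.append("rundll32_dll_from_temp")
    # Step 7: domain and trust enumeration from a workstation.
    if RECON_RE.search(cmd):
        hits.append("ad_recon_command")
    return hits

def triage(events) -> dict:
    """Count rule hits across one host's events; several distinct rules firing
    together is what separates the full chain from a one-off oddity."""
    counts = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts

# Constructed telemetry modelled on the chains above (user and task names are made up).
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\jdoe\Downloads\update.js"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
              r'/tr "C:\Users\jdoe\AppData\Local\Temp\python\python.exe run.py"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\CleanUp30.dll,Test",
              r"C:\Users\jdoe\Downloads\MSTeamsSetup_c_l_.exe"),
    ProcEvent(r"C:\Windows\System32\net1.exe", r'net1 group "domain computers" /domain',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\nltest.exe", r"nltest.exe /domain_trusts",
              r"C:\Windows\System32\cmd.exe"),
    # Benign: the same .js opened in Notepad, as the SocGholish recommendation configures.
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r'notepad.exe "C:\Users\jdoe\Downloads\update.js"', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, n in sorted(triage(SAMPLE).items()):
        print(f"{rule}: {n}")
```

Each rule alone is noisy on a developer workstation; the value is in `triage` showing several of them firing on one host within a short window.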
Although the end goal of this incident is not known, based on the sophistication of Wizard Spider’s previous attacks, it is highly likely that the objective was to gain access to financial assets, exfiltrate data, and then encrypt data for extortion. This Oyster campaign demonstrates an ongoing trend among threat actors for impersonating legitimate domains and software to spread malicious payloads. It also shows how persistent threat actors can be—if the infrastructure for one malware is lost, developing new malware will be high on their agenda. Finally, this campaign serves as a reminder for users to double check domains at all stages of their web browsing, particularly when downloading files or entering sensitive information.
Recommendations
- To prevent users visiting typo-squatted domains used in Oyster campaigns, implement a DNS filtering service to detect and block such domains from users’ web browsing activity. Typo-squatting involves the creation of malicious websites with addresses that are similar to legitimate ones, often relying on common typing errors made by users. By employing a DNS filtering service, you can prevent users from inadvertently visiting these harmful sites. This protective measure helps to mitigate the risk of downloading malware and other malicious payloads, such as Oyster.
- The Oyster loader executes directly from the temp folder (\Local\Temp\) using an executable file (.exe) and a dynamic link library file (.dll). If feasible for your business, adding a restriction to block file execution from the temp folder can prevent Oyster and other malware from running, as this path is frequently exploited. However, this restriction might mean that it is not possible to install legitimate software, when there is a business need to do so, if it uses the same path as the frequently exploited one.
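The typo-squatting check a DNS filtering service performs, as an added example that is not part of this report or of any ReliaQuest product: the brand list, allowlist and query log are constructed, and the lookalike domains are the ones named in the Oyster and fake-antivirus campaigns above.

```python
"""Lookalike-domain check of the kind a DNS filtering service applies before
resolving a query. Added example, not part of this report or any ReliaQuest
product; brand list, allowlist and sample queries are constructed."""
from __future__ import annotations

# Brands named in this report whose spelling is worth protecting (order matters
# only for which reason is reported first).
PROTECTED_BRANDS = ("microsoft", "teams", "malwarebytes", "avast", "bitdefender")
# Domains those brands legitimately use; these and their subdomains are never flagged.
ALLOWLIST = ("microsoft.com", "malwarebytes.com", "avast.com", "bitdefender.com")

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: one dropped,
    added, substituted or swapped-with-neighbour character each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def is_allowlisted(domain: str) -> bool:
    d = domain.lower().strip(".")
    return any(d == ok or d.endswith("." + ok) for ok in ALLOWLIST)

def lookalike_verdict(domain: str) -> str | None:
    """Reason string if the domain impersonates a protected brand, else None."""
    if is_allowlisted(domain):
        return None
    labels = domain.lower().strip(".").split(".")
    host = labels[-2] if len(labels) >= 2 else labels[0]   # naive registrable label
    for token in host.split("-"):
        for brand in PROTECTED_BRANDS:
            if token == brand:
                return f"brand-on-unknown-domain:{brand}"
            # One keystroke away counts only for brands long enough that a
            # single typo, not a coincidence, is the likely explanation.
            if len(brand) >= 6 and edit_distance(token, brand) == 1:
                return f"typo-of-brand:{brand}"
    return None

def filter_queries(queries) -> dict:
    """Map each query a DNS filter should block to the reason."""
    blocked = {}
    for q in queries:
        reason = lookalike_verdict(q)
        if reason:
            blocked[q] = reason
    return blocked

# Constructed query log: the lookalike hosts are the ones named in this report.
SAMPLE_QUERIES = [
    "teams.microsoft.com",          # legitimate, allowlisted subdomain
    "micrsoft-teams-download.com",  # Oyster lure: one dropped letter
    "prodfindfeatures.com",         # redirect host: no brand resemblance, not caught here
    "malwarebytes.pro",             # fake-AV lure: real brand on a non-allowlisted domain
    "microsystems.example",         # benign near-miss that must not be flagged
]

if __name__ == "__main__":
    for domain, reason in filter_queries(SAMPLE_QUERIES).items():
        print(f"BLOCK {domain}: {reason}")
```

The redirect host prodfindfeatures[.]com shows the limit of spelling-based checks: a commercial DNS filter also needs reputation and domain-age data to catch infrastructure that does not imitate a brand.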
Recommended GreyMatter Respond Plays
By implementing the following GreyMatter Respond plays as part of your incident response plan, ReliaQuest can help expedite and automate your response to a potential malware infection.
For the fastest remediation, GreyMatter Automated Response Plays (ARP) can be enabled to contain threats automatically. Enabling ARPs will significantly improve your Mean Time to Contain, ensuring threats are remediated promptly, and the potential for damage and ongoing compromise is limited. Alternatively, we recommend setting GreyMatter Respond plays to “RQ Approved,” allowing our analyst team to perform remediation on your behalf, speeding up remediation. Note that some response plays, such as “Isolate Host,” can be set to require a phone call for approval to ensure business operations are not disrupted.
Enabling the GreyMatter Respond play “Isolate Host”—after assessing whether legitimate user activities and business critical processes will be affected—will contain the infected system. In all malware deployments, attackers need to connect to their C2 infrastructure. This action severs any such connections and stops the attacker executing follow-on commands or downloading more malicious files. By enabling execution of the “Block IP,” “Block Domain,” and “Block URL” plays on identified attacker infrastructure, hosts are prevented from downloading malware and cannot connect to C2 infrastructure. This also serves as a good alternative if the “Isolate Host” play cannot be performed, e.g. if the host is a critical asset for business operations. Given that most malware variants, including infostealers, aim to access sensitive information, organizations should assume that an affected user’s credentials are compromised. Enabling the automated “Terminate Active Sessions” and “Reset Password” plays as a precaution will ensure that any sessions hijacked by an attacker will be terminated and any compromised user credentials will be rotated to prevent further compromise. Lastly, we recommend enabling the “Block Hash” play to block any identified malicious files and prevent their execution. Doing so will prevent further compromise and will limit the amount of sensitive data that can be stolen by threat actors.