Three malicious threats capable of stealing data and funds have been identified and analysed in depth in Kaspersky’s latest crimeware report: the GoPIX stealer, which targets the PIX payment system; the Lumar multipurpose stealer; and the Rhysida ransomware.
As financially motivated cyberthreats continue to grow, experts are urging users to stay alert.
GoPIX, a malicious campaign operational since December 2022, targets Brazil’s widely used PIX payment system. The infection chain begins when users search for “WhatsApp web” and are redirected through deceptive ads. The campaign uses IP Quality Score’s anti-fraud tool to distinguish real users from bots, and GoPIX then presents one of two download options depending on the status (open or closed) of port 27275, which is associated with Avast Safe Banking software. The malware, designed to steal and manipulate transaction data, can execute different stages and respond to commands from a command-and-control (C2) server.
Lumar, an emerging multipurpose stealer first advertised in July 2023 by a user named “Collector,” has a broad set of capabilities: capturing Telegram sessions, harvesting passwords, cookies and autofill data, retrieving files from users’ desktops, and extracting data from various cryptocurrency wallets. Lumar is compact because it is written in C, and its small size does not limit its functionality. Once executed, Lumar gathers system information and user data and sends it to the C2, collecting the data efficiently across three separate threads. The C2, hosted by the malware author under a Malware-as-a-Service (MaaS) model, offers user-friendly features such as statistics and data logs; customers can download the latest version of Lumar and receive Telegram notifications when new data arrives.
Rhysida, a newcomer to the ransomware scene, was first detected in Kaspersky’s telemetry in May and operates as a Ransomware-as-a-Service (RaaS). It stands out for its unique self-deletion mechanism and for its compatibility with versions of Microsoft Windows older than Windows 10. Written in C++ and compiled with MinGW and shared libraries, Rhysida shows a sophisticated design. Despite being relatively new, the group initially ran into configuration problems with its onion server, which it quickly corrected, revealing its rapid adaptation and learning curve.
“With financially-focused cyberthreats on the rise, our commitment to protecting digital ecosystems remains steadfast,” says Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT. “We closely track the evolving cyberthreat landscape, crafting security solutions to proactively thwart attacks. To ensure safety, we strongly encourage adopting a robust cybersecurity strategy that efficiently mitigates these threats.”