Rugmi malware loader, the latest weapon that cybercriminals use

March 15, 2024

The new Rugmi malware loader, also known as Win/TrojanDownloader.Rugmi, is gaining notoriety among numerous hackers for its role in delivering various information stealers. Confirmed infostealers that have been delivered through this new malicious tool include Lumma Stealer, Vidar, RecordBreaker, and Rescoms.

Rugmi is a loader made up of three distinct components. The first is a downloader that fetches an encrypted payload. The second is a loader that runs the payload from its internal resources, and the third is a loader that runs the payload from an external file on disk. This modular structure allows the malware to operate with a high degree of sophistication.

The Rugmi malware loader increased its activity in October and November.

According to investigations, the Rugmi malware loader has surged during October and November 2023. Its daily numbers increased from single digits to hundreds. This spike indicates an alarming proliferation of this threat across various digital infrastructures.

In addition, this loader has a malware-as-a-service (MaaS) model that could facilitate the dissemination of these infostealers. For instance, Lumma Stealer became available for subscription in underground forums, starting at $250 per month and reaching up to $20,000 for premium plans that include source code access and resale rights.

Evidence also suggests that the Lumma Stealer codebase has roots in the Mars, Arkei, and Vidar stealers, repurposed into a more robust and adaptable threat. To complicate matters further, Rugmi uses various distribution channels, from malvertising and fake browser updates to pirated installers of popular software, including VLC media player and OpenAI ChatGPT.

A new and concerning loader distribution technique includes using Discord’s content delivery network (CDN). Further research revealed that threat actors leverage random and compromised Discord accounts to disseminate direct messages that offer unsuspecting targets $10 or a Discord Nitro subscription in exchange for their assistance on a project.

This scheme prompts users to download an executable file hosted on the Discord CDN that poses as iMagic Inventory but hides the malicious Lumma Stealer payload. Because of its broad range of functions, Rugmi is a highly attractive product in an evolving threat landscape.

The emergence of Rugmi illustrates the evolving tactics employed by cybercriminals. Everyone should therefore stay vigilant about this new malware to remain protected against the threats in today's volatile cybersecurity landscape.
