Three malicious threats capable of stealing data and funds have been identified and analysed in-depth in Kaspersky’s latest crimeware report: the GoPIX stealer that targets the PIX payment system, the Lumar multipurpose stealer, and the Rhysida ransomware.
GoPIX, a malicious campaign operational since December 2022, focuses on Brazil’s widely used PIX payment system. Its strategy begins when users search for “WhatsApp web” and are redirected through deceptive ads. Utilising IP Quality Score’s anti-fraud tool to distinguish real users from bots, GoPIX presents two download options based on the status of port 27275, linked to Avast Safe Banking software. The malware, designed to steal and manipulate transaction data, offers the flexibility of executing different stages and responding to commands from a command-and-control server (C2).
Lumar, an emerging multipurpose stealer introduced in July 2023 by a user named “Collector,” showcases impressive capabilities, including capturing Telegram sessions, harvesting password cookies, auto-filling data, retrieving files from users’ desktops, and extracting data from various cryptographic wallets. Lumar’s compact size, attributed to C coding, doesn’t compromise its functionality. Once executed, Lumar gathers system information and user data, sending it to the C2. The malware’s efficient data collection is facilitated by using three separate threads. The C2, hosted by the malware author as a Malware as a Service (MaaS), provides user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data.
Rhysida, a newcomer to the ransomware scene, was detected through Kaspersky’s telemetry data in May and operated as a Ransomware-as-a-Service (RaaS). It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft. Written in C++ and compiled with MinGW and shared libraries, Rhysida showcases sophistication in its design. While relatively new, Rhysida faced initial configuration challenges with its onion server, revealing a group’s rapid adaptation and learning curve.
“With financially focused cyber threats on the rise, our commitment to protecting digital ecosystems remains steadfast. We closely track the evolving cyber threat landscape, crafting security solutions to thwart attacks proactively. To ensure safety, we strongly encourage adopting a robust cybersecurity strategy that efficiently mitigates these threats,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT.
To prevent financially-motivated threats, Kaspersky recommends:
- Set up offline backups of your data that intruders cannot tamper with. Make sure you can quickly access them in an emergency when needed.
- Install ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Businesses that shields computers and servers from ransomware and other types of malware, prevents exploits, and is compatible with pre-installed security solutions.
- Use a protection solution for endpoints and mail servers with anti-phishing capabilities to decrease the chance of infection through a phishing email.
- Conduct a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
- Ransomware is a criminal offence. If you become a victim, never pay the ransom. It won’t guarantee you get your data back, but will encourage criminals to continue their business. Instead, report the incident to your local law enforcement agency. Try to find a decryptor online – you will find some available at NoMoreRansom.org.