Full Report
2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and Ticketmaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are 5 common malware families that you can start preparing to counter.
Analysis Summary
# Tool/Technique: Lumma
## Overview
Lumma is a widely available information-stealing malware, openly sold on the Dark Web since 2022. Its primary purpose is to collect and exfiltrate sensitive data from targeted applications, including login credentials, financial information, and personal details. It is regularly updated and can install other malicious software on infected devices.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows systems (inferred from the data-collection methods described; the text does not state the platform explicitly)
- Capabilities: Credential theft, financial data theft, personal data theft, information logging (browsing history, crypto wallet data), secondary malware deployment.
- First Seen: Since 2022
## MITRE ATT&CK Mapping
*Note: Specific TTPs were not detailed, but standard infostealer behaviors are mapped.*
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0006 - Credential Access
- T1003 - OS Credential Dumping
- TA0001 - Initial Access
- T1566 - Phishing
## Functionality
### Core Capabilities
- Collect and exfiltrate login credentials and financial information.
- Log detailed system information, including browsing history and cryptocurrency wallet data.
- Ability to install secondary malicious software.
### Advanced Features
- Regularly updated to enhance capabilities.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the text)
- File Names: N/A (Not provided in the text)
- Registry Keys: N/A (Not provided in the text)
- Network Indicators: Connection to C2 server (Details redacted/undisclosed)
- Behavioral Indicators: Collection and exfiltration of data from compromised systems.
## Associated Threat Actors
- Undisclosed (Sold publicly on Dark Web)
## Detection Methods
- Signature-based detection (Requires updated signatures based on new samples).
- Behavioral detection, particularly monitoring suspicious data collection and outbound network connections to C2 infrastructure.
- Analysis using sandboxing environments (e.g., ANY.RUN) to capture execution flow and network activities.
## Mitigation Strategies
- Proactive analysis of suspicious files and URLs within a sandbox environment prior to execution on production systems.
- Enhancing detection systems using extracted Indicators of Compromise (IOCs).
## Related Tools/Techniques
- Other information stealers tracked in 2025 predictions.
---
# Tool/Technique: XWorm
## Overview
XWorm is a Remote Access Trojan (RAT) that grants cybercriminals persistent remote control over infected computers. It is capable of extensive data harvesting and surveillance of the victim's activities.
## Technical Details
- Type: Malware family (RAT)
- Platform: Targeting Windows systems (inferred from component usage like VBS files and MSBuild.exe)
- Capabilities: Remote control, information theft (financial details, browsing history, passwords, crypto wallet data), keystroke logging, webcam/audio monitoring, network scanning, clipboard monitoring, process execution.
- First Seen: July 2022
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution (Implied by persistence mechanisms)
- TA0007 - Discovery
- T1082 - System Information Discovery
- T1049 - System Network Connections Discovery
## Functionality
### Core Capabilities
- Remote control and monitoring capabilities (keystroke logging, screen/audio capture).
- Collection of sensitive data stored on the system and from clipboard interactions.
### Advanced Features
- Uses MSBuild.exe for persistence on the system.
- Deployed via a multi-stage delivery chain often starting with password-protected archives obtained via phishing links (e.g., hosted on Google Drive).
- Abused Cloudflare tunnels and legitimate digital certificates in 2024 attacks.
## Indicators of Compromise
- File Hashes: N/A
- File Names: .vbs script often found inside a password-protected archive.
- Registry Keys: N/A
- Network Indicators: Connection to C2 server (Details undisclosed).
- Behavioral Indicators: Leveraging MSBuild.exe to maintain presence; execution chain involving VBScript launching payload delivery.
## Associated Threat Actors
- Undisclosed threat actors, involved in large-scale attacks in 2024.
## Detection Methods
- Detection of initial access vectors: Phishing emails containing links to file-sharing services (Google Drive).
- Monitoring for script execution (VBS) attempting to establish persistence.
- Detection of suspicious use of legitimate system tools like `MSBuild.exe` for malicious purposes.
## Mitigation Strategies
- Implementing email security gateways capable of detecting and blocking links to file-sharing services hosting malicious archives.
- Monitoring for unintended execution of scripting languages and potential defense evasion techniques using legitimate binaries (e.g., MSBuild).
## Related Tools/Techniques
- Other RATs that use layered delivery mechanisms.
---
# Tool/Technique: AsyncRAT
## Overview
AsyncRAT is a versatile Remote Access Trojan (RAT) that has been in use since 2019. It has gained popularity due to its wide range of malicious capabilities and adaptability, often being distributed via spam emails leveraging current events (like COVID-19 lures) or disguised as cracked software.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows (inferred from the use of PowerShell components; the text does not state the platform explicitly).
- Capabilities: Remote screen recording, keystroke logging, secondary malware installation, file theft, persistence maintenance, security software disabling, Denial of Service (DoS) attacks.
- First Seen: 2019 (initially spread via COVID-19 lures)
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1059.001 - Command and Scripting Interpreter: PowerShell
- TA0006 - Credential Access
- T1056.001 - Input Capture: Keylogging
- TA0005 - Defense Evasion
- T1218 - Signed Binary Proxy Execution (Implied by sophistication)
## Functionality
### Core Capabilities
- Remote surveillance (screen recording, keylogging, audio capture).
- Data exfiltration (file stealing).
- Maintaining a persistent foothold on the system.
### Advanced Features
- Ability to disable security software.
- Capabilities for launching attacks that overwhelm targeted websites (DoS).
- Noted as one of the first malware families distributed via complex attacks involving AI-generated scripts.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Malicious executables often disguised as pirated software.
- Registry Keys: N/A
- Network Indicators: C2 connection established after initial execution.
- Behavioral Indicators: Execution chain involving PowerShell scripts downloading additional payloads; activity related to disabling security tools.
## Associated Threat Actors
- Various threat actors, using AsyncRAT in diverse campaigns.
## Detection Methods
- Monitoring for PowerShell processes initiating network connections to download subsequent files.
- Behavioral analysis detecting security control disabling attempts.
- Detection of execution chains beginning from archives containing seemingly benign executables.
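The detection methods listed for XWorm (a VBScript host launching `MSBuild.exe` as a persistence step) and for AsyncRAT (a PowerShell process reaching the network and then starting a further payload) can both be expressed as stateful rules over process-creation and network-connection telemetry. The block below is an added example, not code from the original report or from ANY.RUN: it runs both rules over a small set of constructed events. The event schema, field names, the allow-list of expected `MSBuild.exe` parents and the sample values (including the documentation-range IP addresses) are assumptions for the example and would need tuning to a real environment.

```python
"""Behavioural detection over constructed process/network telemetry.

Added example, not code from the original report. It encodes two chains the
report's detection sections describe:
  - XWorm: a script host (wscript/cscript) launching MSBuild.exe, or MSBuild
    started by anything outside the expected build-tool parents;
  - AsyncRAT: powershell.exe opening an outbound connection and afterwards
    spawning a new process (download-then-execute).
Event schema, field names and sample values are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Parents from which MSBuild.exe is normally launched; assumed, tune per environment.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


@dataclass
class Event:
    ts: int                 # seconds since start of the sample
    kind: str               # "process" (creation) or "netconn" (outbound connection)
    pid: int
    image: str              # executable basename
    parent_image: str = ""  # process events only
    parent_pid: int = 0     # process events only
    dest: str = ""          # netconn events only, "host:port"


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def detect(events: List[Event]) -> List[Alert]:
    """Run both rules over the events in time order and return the alerts raised."""
    alerts: List[Alert] = []
    # pid of a shell that has already reached the network -> destination it contacted
    shell_net: Dict[int, str] = {}

    for ev in sorted(events, key=lambda e: e.ts):
        image = ev.image.lower()
        parent = ev.parent_image.lower()

        if ev.kind == "netconn":
            if image in SHELLS:
                shell_net[ev.pid] = ev.dest
            continue

        # Rule 1 (XWorm-style chain): MSBuild.exe started by a script host, or by
        # any parent that is not a known build tool.
        if image == "msbuild.exe" and (parent in SCRIPT_HOSTS or parent not in EXPECTED_MSBUILD_PARENTS):
            alerts.append(Alert("msbuild_unexpected_parent", ev.pid, f"{parent} -> {image}"))

        # Rule 2 (AsyncRAT-style chain): a shell that already opened an outbound
        # connection now spawns a child process, i.e. download-then-execute.
        if parent in SHELLS and ev.parent_pid in shell_net:
            alerts.append(Alert("shell_net_then_spawn", ev.pid,
                                f"{parent} contacted {shell_net[ev.parent_pid]} then ran {image}"))
    return alerts


# Constructed sample telemetry: a benign build, an XWorm-like chain, an
# AsyncRAT-like chain and an unrelated browser connection.
SAMPLE_EVENTS = [
    Event(1, "process", 300, "MSBuild.exe", "devenv.exe", 299),          # benign build
    Event(2, "process", 101, "wscript.exe", "explorer.exe", 100),
    Event(3, "process", 102, "MSBuild.exe", "wscript.exe", 101),         # rule 1 fires
    Event(4, "process", 200, "powershell.exe", "explorer.exe", 100),
    Event(5, "netconn", 200, "powershell.exe", dest="203.0.113.10:443"),  # constructed address
    Event(6, "process", 201, "update.exe", "powershell.exe", 200),       # rule 2 fires
    Event(7, "netconn", 400, "chrome.exe", dest="198.51.100.7:443"),      # benign, ignored
]


def run_sample() -> List[Alert]:
    """Apply the rules to the constructed sample; expect one alert per rule."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Rule 1 will also fire on `MSBuild.exe` launched from a plain `cmd.exe` in a CI job, so the parent allow-list is the tuning knob; rule 2 is deliberately narrow (it needs the same PowerShell process to both reach the network and spawn a child), which keeps it quiet on ordinary administrative scripting while still catching the download-then-execute chain the report describes.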
## Mitigation Strategies
- Implementing strict controls over PowerShell usage, including constrained language mode.
- Enhancing endpoint protection to detect fileless malware distribution techniques often employed by RATs.
## Related Tools/Techniques
- Remcos (Another RAT mentioned in the context).
---
# Tool/Technique: Remcos
## Overview
Remcos is a form of malware initially marketed as a legitimate remote access tool but heavily used in cyberattacks since 2019. It is employed to conduct a wide array of malicious activities, including stealing sensitive information.
## Technical Details
- Type: Malware family (RAT/Infostealer)
- Platform: Undisclosed
- Capabilities: Stealing sensitive information (Implied wider RAT capabilities based on description).
- First Seen: 2019
## MITRE ATT&CK Mapping
*Mapping based on description as an infostealer/RAT.*
- TA0010 - Exfiltration
- TA0006 - Credential Access
- TA0003 - Persistence
## Functionality
### Core Capabilities
- Stealing sensitive information.
- Performing a wide range of malicious activities expected of a RAT.
### Advanced Features
- Marketed deceptively as a legitimate remote access tool.
## Indicators of Compromise
- N/A (No specific IOCs provided in the text snippet).
## Associated Threat Actors
- Undisclosed threat actors utilizing the publicly marketed tool.
## Detection Methods
- Detection based on signatures associated with the Remcos payload.
## Mitigation Strategies
- Treat software marketed explicitly as a "remote access tool" with caution unless it is obtained through verified vendor channels.
## Related Tools/Techniques
- AsyncRAT, XWorm (Other RATs).