
Woburn, MA -- October 23, 2023 -- In its latest crimeware report, Kaspersky has identified three new malicious threats capable of stealing data and funds. The GoPIX stealer targets Brazil's PIX payment system, the Lumar multipurpose stealer can capture Telegram sessions, and the Rhysida ransomware can run on Windows versions older than Windows 10.

Rhysida, a newcomer to the ransomware scene, was first seen in Kaspersky's telemetry in May 2023 and operates as Ransomware-as-a-Service (RaaS). It stands out for its self-deletion mechanism and for supporting Windows versions older than Windows 10. Written in C++, compiled with MinGW and linked against shared libraries, Rhysida reflects some sophistication in its design. At the same time, the group initially struggled to configure its onion (Tor) server correctly, which suggests a crew that is still learning and adapting quickly.

Lumar, an emerging multipurpose stealer introduced in July 2023 by a user going by "Collector," can capture Telegram sessions, harvest passwords, cookies and autofill data, retrieve files from the user's desktop, and extract data from various cryptocurrency wallets. Because it is written in C, Lumar is compact without sacrificing functionality. Once executed, it gathers system information and user data and sends them to its command-and-control (C2) server; collection is split across three separate threads for efficiency. The C2 is hosted by the malware author and sold as Malware-as-a-Service (MaaS), with operator-friendly features such as statistics and data logs. Customers can download the latest Lumar build and receive Telegram notifications when new data arrives.

GoPIX, a malicious campaign active since December 2022, targets Brazil's widely used PIX payment system. The infection chain starts when a user searches for "WhatsApp web" and is redirected through malicious ads. The landing page uses IP Quality Score's anti-fraud service to tell real users from bots, then checks the status of port 27275, used by Avast Safe Banking software, and serves one of two download options accordingly. The malware steals and manipulates PIX transaction data, and it can run different stages on demand and respond to commands from its command-and-control server (C2).
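The port check described above is a common way for a dropper to fingerprint a security product before choosing a payload. The following Python is an added illustration of that decision logic; it is not GoPIX's code and not from Kaspersky's report. It assumes the probe is a plain TCP connect to localhost, and the two variant names and which one maps to the "port open" state are placeholders (the report only says that two download options exist). The demo binds its own throwaway listener rather than touching port 27275.

```python
"""Illustrative reconstruction of a local-port fingerprint check (added example).

Models the decision the report attributes to GoPIX: probe TCP port 27275
(Avast Safe Banking) on the local machine and pick one of two download
variants depending on whether the port answers. Variant labels and their
mapping to the port state are assumptions for illustration only.
"""
import socket
from contextlib import closing

AVAST_SAFE_BANKING_PORT = 27275  # port named in the report


def probe_local_port(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if a TCP listener on host:port accepts a connection."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable: treat all as "closed"
            return False


def select_variant(port_open: bool) -> str:
    """Map the probe result to a hypothetical download variant (assumed labels)."""
    return "variant_B_safe_banking_present" if port_open else "variant_A_default"


def decide(port: int = AVAST_SAFE_BANKING_PORT) -> str:
    """Full decision: probe the port, then choose the variant."""
    return select_variant(probe_local_port(port))


def demo_with_listener() -> tuple[str, str]:
    """Show both branches using an ephemeral loopback listener (constructed setup).

    Returns (decision while the listener is up, decision after it is closed).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        srv.listen(1)
        ephemeral_port = srv.getsockname()[1]
        while_open = decide(ephemeral_port)
    # listener is closed now; the same port should refuse connections
    after_close = decide(ephemeral_port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_with_listener())
```

From a defender's angle, the same probe run in the other direction is a cheap host check: if a banking-protection component is expected to listen on a known local port, its absence is worth alerting on, and repeated loopback connection attempts to that port from an unexpected process are a signal in their own right.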

“With financially-focused cyber threats on the rise, our commitment to protecting digital ecosystems remains steadfast,” said Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT. “We closely track the evolving cyber threat landscape, crafting security solutions to proactively thwart attacks. To ensure safety, we strongly encourage adopting a robust cybersecurity strategy that efficiently mitigates these threats.”

To read the full report, please visit Securelist.com.

In order to prevent financially-motivated threats, Kaspersky recommends:

  • Set up offline backups of your data that intruders cannot tamper with. Make sure you can quickly access them in an emergency when needed.
  • Install ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits, and is compatible with pre-installed security solutions.
  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities, to decrease the chance of infection through a phishing email.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • Ransomware is a criminal offense. If you become a victim, never pay the ransom. Paying does not guarantee you get your data back, and it encourages criminals to continue their business. Instead, report the incident to your local law enforcement agency and look for a decryptor online; some are available at NoMoreRansom.org.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.


Media Contact

Sawyer Van Horn

sawyer.vanhorn@Kaspersky.com

(781) 503-1866


Kaspersky crimeware report reveals new Rhysida ransomware, Lumar stealer and GoPIX banking malware
