Three malicious threats capable of stealing data and funds have been identified and analysed in-depth in Kaspersky’s latest crimeware report: the GoPIX stealer that targets the PIX payment system, the Lumar multipurpose stealer, and the Rhysida ransomware. As financially-motivated cyber threats continue to grow, experts are urging users to be on alert.

GoPIX, a malicious campaign operational since December 2022, focuses on Brazil's widely-used PIX payment system. Its strategy begins when users search for "WhatsApp web" and are redirected through deceptive ads. Utilising IP Quality Score's anti-fraud tool to distinguish real users from bots, GoPIX presents two download options based on the status of port 27275, linked to Avast Safe Banking software. The malware, designed to steal and manipulate transaction data, offers the flexibility of executing different stages and responding to commands from a command-and-control server (C2).

Lumar, an emerging multipurpose stealer introduced in July 2023 by a user named "Collector," showcases impressive capabilities, including capturing Telegram sessions, harvesting passwords, cookies, autofill data, retrieving files from users' desktops, and extracting data from various cryptographic wallets. Lumar's compact size, attributed to C coding, doesn't compromise its functionality. Once executed, Lumar gathers system information and user data, sending it to the C2. The malware's efficient data collection is facilitated by the use of three separate threads. The C2, hosted by the malware author as a Malware as a Service (MaaS), provides user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data.

Rhysida, a newcomer to the ransomware scene, was detected through Kaspersky's telemetry data in May, and operates as a Ransomware-as-a-Service (RaaS). It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft. Written in C++ and compiled with MinGW and shared libraries, Rhysida showcases sophistication in its design. While relatively new, Rhysida faced initial configuration challenges with its onion server, revealing a group's rapid adaptation and learning curve.

“With financially-focused cyber threats on the rise, our commitment to protecting digital ecosystems remains steadfast. We closely track the evolving cyber threat landscape, crafting security solutions to proactively thwart attacks. To ensure safety, we strongly encourage adopting a robust cybersecurity strategy that efficiently mitigates these threats,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT.

To read the full report, please visit Securelist.com.

In order to prevent financially-motivated threats, Kaspersky recommends:

  • Set up offline backups of your data that intruders cannot tamper with. Make sure you can quickly access them in an emergency when needed.
  • Install ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits, and is compatible with pre- installed security solutions.
  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities, to decrease the chance of infection through a phishing email.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • Ransomware is a criminal offense. If you become a victim, never pay the ransom. It won’t guarantee you get your data back but will encourage criminals to continue their business. Instead, report the incident to your local law enforcement agency. Try to find a decryptor on the Internet – you will find some available at NoMoreRansom.org.