Here’s everything you need to know about LummaC2, Rust-based stealers, SocGholish, AsyncRAT, and Oyster malware strains.
New research from US cyber security firm ReliaQuest has revealed the top five malware strains currently in circulation.
ReliaQuest looked at its own customer incident data combined with external reporting and activity on hacking forums to come up with its list.
According to ReliaQuest, these strains “warrant proactive responses from customers due to their past use, anticipated future deployment, interest on the dark web, and ability to bypass defences and execute successfully”.
Here’s what every security team should be looking out for.
LummaC2
This strain was first seen in December 2022 when it was advertised for sale on a hacking forum by a threat actor named Shamel. This is an info stealer designed to target Windows-based systems and is capable of stealing data from several web browsers.
ReliaQuest has observed over 21,000 listings on Russian-language hacking forums for LummaC2 – a 51.9 per cent increase over the previous quarter this year – with monthly subscriptions costing between US$250 and US$1,000.
LummaC2 is capable of harvesting a victim’s browsing history, cookies, personal information, usernames, passwords, and even credit card numbers.
Rust-based stealers
There are several info stealers built on the Rust programming language, such as Rusty Stealer and Fickle Stealer. Rust is popular with malware developers thanks to its execution speed, ability to evade antivirus software, and the fact that it is cross-platform, making it a versatile language for malicious coders. Rust can also incorporate C and C++ code.
According to one hacking forum member observed by ReliaQuest, “if I have to pick a substitute of C++, would definitely be Rust”. The hacker also said the language has “great low-level control”, but they did point out it has a “really steep learning curve”.
ReliaQuest has observed a nearly “3,000 per cent increase in cyber criminal forum posts discussing stealer malware written in Rust on criminal forums from 2022 to August 2024”.
These stealers are capable of stealing cryptocurrency wallet and browser plugin details, browser credentials, and files stored on a device.
SocGholish
Also known as FakeUpdates, SocGholish is a remote access Trojan that can pose as a browser update to trick victims into downloading and installing it. It’s often hosted on what appear to be high-ranking websites, so it looks like it’s a trustworthy file.
According to ReliaQuest, SocGholish has been the most prevalent malware observed in its critical customer incidents since 2023 and into 2024, and it is commonly used by an initial access broker known as Mustard Tempest. The broker uses the malware to gain initial access to a device and maintain persistence before selling that access to other hackers.
According to a recent report from Microsoft, the RansomHub ransomware-as-a-service operation is known to be linked to the use of SocGholish.
“The link between SocGholish and subsequent attacks from advanced financially motivated groups like RansomHub emphasises the risk posed by this malware variant,” ReliaQuest said in a blog post.
AsyncRAT
AsyncRAT, as the name suggests, is another remote access Trojan, this time capable of remote monitoring and control of infected machines via an encrypted connection. This can lead directly to the theft of data, or provide initial access for further attacks.
This malware strain is distributed by phishing emails and malicious advertising links and is capable of keylogging and remote desktop control. Although AsyncRAT has often been marketed as an open-source project since it was first seen in 2018, it has also been observed “bundled” with other malware.
In one attack chain investigated by ReliaQuest, AsyncRAT was delivered via a phishing email that tricked the victim into downloading the legitimate remote access software ScreenConnect, which, in turn, downloaded an executable file called SHaBaB, which then installed AsyncRAT. This occurred despite the target device having active antivirus software and EDR protection.
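The chain described above, in which a legitimate remote-access tool ends up launching a further executable, is the kind of process lineage a defender can look for even when the final payload evades antivirus. The following is an added example, not code from the article or from ReliaQuest: a small detection heuristic run over constructed process-creation records. The log format, the field names, the ScreenConnect image names, the file paths and the sample events are all assumptions made for this illustration; real EDR telemetry and the actual SHaBaB path will differ.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed image names for legitimate remote-access tooling whose child
# processes deserve scrutiny (constructed list, not from the article).
REMOTE_ACCESS_PARENTS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Directories from which a remote-access tool should not normally launch
# new binaries (assumption for this example).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    child_image: str
    child_signed: bool


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(
        parent_image=fields["parent"].lower(),
        child_image=fields["child"].lower(),
        child_signed=fields["signed"].lower() == "true",
    )


def is_suspicious(event: ProcessEvent) -> bool:
    """Flag a remote-access tool spawning an unsigned binary or one in a user-writable path."""
    parent_name = event.parent_image.rsplit("\\", 1)[-1]
    if parent_name not in REMOTE_ACCESS_PARENTS:
        return False
    in_user_writable = event.child_image.startswith(USER_WRITABLE_PREFIXES)
    return in_user_writable or not event.child_signed


def find_suspicious(lines: Iterable[str]) -> list[str]:
    """Return the child image paths of every record that trips the heuristic."""
    return [e.child_image for e in map(parse_event, lines) if is_suspicious(e)]


# Constructed sample telemetry: two benign records and one mirroring the
# article's chain, with a made-up location for the SHaBaB executable.
SAMPLE_EVENTS = [
    "parent=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"
    "|child=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe"
    "|signed=true",
    "parent=C:\\Windows\\explorer.exe|child=C:\\Windows\\System32\\notepad.exe|signed=true",
    "parent=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe"
    "|child=C:\\Users\\victim\\AppData\\Local\\Temp\\SHaBaB.exe"
    "|signed=false",
]

if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("suspicious child of remote-access tool:", path)
```

The heuristic deliberately ignores what the child is called: a renamed payload still trips it because the signal is the parent-child relationship and the launch location, not the file name. In production this would be one rule among several, tuned against the organisation's own baseline of legitimate ScreenConnect behaviour.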
Oyster
Oyster was first identified in late 2023, and is a backdoor application. The malware is delivered via fake websites that appear to be hosting legitimate software, but when a victim attempts to install the software, it executes and installs Oyster alongside the new install, compromising the system and effectively hiding its installation.
Oyster is capable of hosting remote access sessions and file transfers, as well as command line execution. The malware can execute further files once a device is compromised, and collect system information.
The Russian cyber crime group known as Wizard Spider – also known as Trickbot, DEV-0193, and UNC2053 – is closely linked with the development of Oyster, as well as the malware known as TrickBot (which isn’t at all confusing). TrickBot was linked to the Conti and Ryuk ransomware families.
“Given the experience of Wizard Spider, Oyster is likely to continue to be developed and used to facilitate initial access for ransomware groups,” ReliaQuest said.
“These malware variants, listed in no specific order, pose significant risks to organisations across all industries and regions.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.