Skip to main content

Banking malware, a stealer, and new ransomware strain: Kaspersky’s crimeware report

24 October 2023

Three malicious threats capable of stealing data and funds have been identified and analyzed in-depth in Kaspersky’s latest crimeware report. The GoPIX stealer that targets the PIX payment system, the Lumar multipurpose stealer, and the Rhysida ransomware. As financially-motivated cyber threats continue to grow, experts are urging users to remain vigilant.

GoPIX, a malicious campaign operational since December 2022, focuses on Brazil's widely-used PIX payment system. Its strategy begins when users search for "WhatsApp web" and are redirected through deceptive ads. Utilizing IP Quality Score's anti-fraud tool to distinguish real users from bots, GoPIX presents two download options based on the status of port 27275, linked to Avast Safe Banking software. The malware, designed to steal and manipulate transaction data, offers the flexibility of executing different stages and responding to commands from a command-and-control server (C2).

Lumar, an emerging multipurpose stealer introduced in July 2023 by a user named "Collector," showcases impressive capabilities, including capturing Telegram sessions, harvesting passwords, cookies, autofill data, retrieving files from users' desktops, and extracting data from various cryptographic wallets. Lumar's compact size, attributed to C coding, doesn't compromise its functionality. Once executed, Lumar gathers system information and user data, sending it to the C2. The malware's efficient data collection is facilitated by the use of three separate threads. The C2, hosted by the malware author as a Malware as a Service (MaaS), provides user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data.

Rhysida, a newcomer to the ransomware scene, was detected through Kaspersky's telemetry data in May, and operates as a Ransomware-as-a-Service (RaaS). It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft. Written in C++ and compiled with MinGW and shared libraries, Rhysida showcases sophistication in its design. While relatively new, Rhysida faced initial configuration challenges with its onion server, revealing a group's rapid adaptation and learning curve.

“With financially-focused cyber threats on the rise, our commitment to protecting digital ecosystems remains steadfast. We closely track the evolving cyber threat landscape, crafting security solutions to proactively thwart attacks. To ensure safety, we strongly encourage adopting a robust cybersecurity strategy that efficiently mitigates these threats,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT.

To read the full report, please visit Securelist.com

In order to prevent financially-motivated threats, Kaspersky recommends:

  • Set up offline backups of your data that intruders cannot tamper with. Make sure you can quickly access them in an emergency when needed.
  • Install ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits, and is compatible with pre- installed security solutions. 
  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities, to decrease the chance of infection through a phishing email.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • Ransomware is a criminal offense. If you become a victim, never pay the ransom. It won’t guarantee you get your data back but will encourage criminals to continue their business. Instead, report the incident to your local law enforcement agency. Try to find a decryptor on the internet – you will find some available at NoMoreRansom.org

Banking malware, a stealer, and new ransomware strain: Kaspersky’s crimeware report

Three malicious threats capable of stealing data and funds have been identified and analyzed in-depth in Kaspersky’s latest crimeware report. The GoPIX stealer that targets the PIX payment system, the Lumar multipurpose stealer, and the Rhysida ransomware. As financially-motivated cyber threats continue to grow, experts are urging users to remain vigilant.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases