Thursday, January 9, 2025

Top 5 Malware Threats to Prepare Against in 2025


2024 had its fair share of high-profile cyber attacks, with companies as large as Dell and TicketMaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are five common malware families that you can start preparing to counter right now.

Lumma

Lumma is a widely available malware designed to steal sensitive information. It has been openly sold on the Dark Web since 2022. This malware can effectively collect and exfiltrate data from targeted applications, including login credentials, financial information, and personal details.

Lumma is regularly updated to enhance its capabilities. It can log detailed information from compromised systems, such as browsing history and cryptocurrency wallet data. It can be used to install other malicious software on infected devices. In 2024, Lumma was distributed via various methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.

Analysis of a Lumma Attack

Proactive analysis of suspicious files and URLs inside a sandbox environment can effectively help you prevent a Lumma infection.

Let's look at how you can do it using ANY.RUN's cloud-based sandbox. It not only delivers definitive verdicts on malware and phishing along with actionable indicators, but also allows real-time interaction with the threat and the system.

Take a look at this analysis of a Lumma attack.

ANY.RUN lets you manually open files and launch executables

It starts with an archive which contains an executable. Once we launch the .exe file, the sandbox automatically logs all processes and network activities, displaying Lumma's actions.

Suricata IDS informs us about a malicious connection to Lumma's C2 server

It connects to its command-and-control (C2) server.

Malicious process responsible for stealing data from the system

Next, it starts to collect and exfiltrate data from the machine.

You can use the IOCs extracted by the sandbox to enhance your detection systems

After finishing the analysis, we can export a report on this sample, featuring all the important indicators of compromise (IOCs) and TTPs that can be used to enrich defenses against potential Lumma attacks in your organization.

Try all features of ANY.RUN's Interactive Sandbox for free with a 14-day trial

XWorm

XWorm is a malware that gives cybercriminals remote control over infected computers. First appearing in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.

XWorm allows attackers to monitor victims' activities by tracking keystrokes, capturing webcam images, listening to audio input, scanning network connections, and viewing open windows. It can also access and manipulate the computer's clipboard, potentially stealing cryptocurrency wallet credentials.

In 2024, XWorm was involved in many large-scale attacks, including ones that exploited CloudFlare tunnels and legitimate digital certificates.

Analysis of an XWorm Attack

Phishing emails are often the initial stage of XWorm attacks

In this attack, we can see the original phishing email, which features a link to a Google Drive page.

A Google Drive page with a download link to a malicious archive

Once we follow the link, we are offered to download an archive which is protected with a password.

Opened malicious archive with a .vbs file

The password can be found in the email. After entering it, we can access a .vbs script inside the .zip file.

XWorm uses MSBuild.exe to persist on the system

As soon as we launch the script, the sandbox instantly detects malicious activities, which eventually lead to the deployment of XWorm on the machine.

AsyncRAT

AsyncRAT is another remote access trojan on the list. First seen in 2019, it was initially spread via spam emails, often exploiting the COVID-19 pandemic as a lure. Since then, the malware has gained popularity and been used in various cyber attacks.

AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record a victim's screen activity, log keystrokes, install additional malware, steal files, maintain a persistent presence on infected systems, disable security software, and launch attacks that overwhelm targeted websites.

In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of complex attacks involving scripts generated by AI.

Analysis of an AsyncRAT Attack

The initial archive with an .exe file

In this analysis session, we can see another archive with a malicious executable inside.

A PowerShell process used for downloading a payload

Detonating the file kicks off the execution chain of XWorm, which involves the use of PowerShell scripts to fetch additional files needed to facilitate the infection.

Once the analysis is finished, the sandbox displays the final verdict on the sample.

Remcos

Remcos is a malware that has been marketed by its creators as a legitimate remote access tool. Since its launch in 2019, it has been used in numerous attacks to perform a wide range of malicious activities, including stealing sensitive information, remotely controlling the system, recording keystrokes, capturing screen activity, etc.

In 2024, campaigns to distribute Remcos used techniques like script-based attacks, which often start with a VBScript that launches a PowerShell script to deploy the malware, and exploited vulnerabilities like CVE-2017-11882 by leveraging malicious XML files.

Analysis of a Remcos Attack

Phishing email opened in ANY.RUN's Interactive Sandbox

In this example, we are met with another phishing email that features a .zip attachment and a password for it.

cmd process used during the infection chain

The final payload leverages Command Prompt and Windows system processes to load and execute Remcos.

MITRE ATT&CK matrix provides a comprehensive view of the malware's techniques

The ANY.RUN sandbox maps the entire chain of attack to the MITRE ATT&CK matrix for convenience.

LockBit

LockBit is a ransomware primarily targeting Windows devices. It is considered one of the biggest ransomware threats, accounting for a substantial portion of all Ransomware-as-a-Service (RaaS) attacks. The decentralized nature of the LockBit group has allowed it to compromise numerous high-profile organizations worldwide, including the UK's Royal Mail and India's National Aerospace Laboratories (in 2024).

Law enforcement agencies have taken steps to combat the LockBit group, leading to the arrest of several developers and partners. Despite these efforts, the group continues to operate, with plans to release a new version, LockBit 4.0, in 2025.

Analysis of a LockBit Attack

LockBit ransomware launched in the safe environment of the ANY.RUN sandbox

Check out this sandbox session, showing how quickly LockBit infects and encrypts files on a system.

ANY.RUN's Interactive Sandbox lets you see static analysis of every modified file on the system

By tracking file system modifications, we can see it modified 300 files in less than a minute.
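The "300 files in under a minute" observation is a usable detection signal on its own. As an added example (not code from the article or from ANY.RUN), the script below flags any process that modifies at least 300 distinct files within a 60-second sliding window, run over a constructed list of file events shaped like a generic sandbox or EDR file-monitoring feed (the event format, process names and paths are assumptions).

```python
"""Rate-based detection of mass file modification (LockBit-style behaviour).

Added example, not from the article: alert on any process that touches at
least THRESHOLD_FILES distinct files inside a WINDOW_SECONDS sliding window.
The event feed format below is an assumption standing in for sandbox/EDR data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60     # look-back window, matching "less than a minute"
THRESHOLD_FILES = 300   # distinct modified files in the window -> alert


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since start of the session
    pid: int
    process: str
    path: str


def detect_mass_modification(events, window=WINDOW_SECONDS, threshold=THRESHOLD_FILES):
    """Return {(pid, process): first_alert_ts} for processes exceeding the rate."""
    recent = defaultdict(deque)                      # per process: (ts, path) in window
    in_window = defaultdict(lambda: defaultdict(int))  # per process: path -> hits in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.process)
        recent[key].append((ev.ts, ev.path))
        in_window[key][ev.path] += 1
        # Evict events older than the window so counts reflect the last 60 s only.
        while recent[key] and ev.ts - recent[key][0][0] > window:
            old_ts, old_path = recent[key].popleft()
            in_window[key][old_path] -= 1
            if in_window[key][old_path] == 0:
                del in_window[key][old_path]
        if key not in alerts and len(in_window[key]) >= threshold:
            alerts[key] = ev.ts  # record the moment the threshold was first crossed
    return alerts


def constructed_events():
    """Constructed sample: a benign editor touching 4 files, plus one process
    rewriting 320 documents in about 45 seconds."""
    evs = [FileEvent(5.0 + i * 10, 1200, "notepad.exe", f"C:\\Users\\a\\notes{i}.txt") for i in range(4)]
    evs += [FileEvent(10.0 + i * 0.14, 4412, "sample.exe", f"C:\\Users\\a\\Documents\\doc{i}.docx") for i in range(320)]
    return evs


if __name__ == "__main__":
    for (pid, name), ts in detect_mass_modification(constructed_events()).items():
        print(f"ALERT pid={pid} {name}: {THRESHOLD_FILES} distinct files modified by t={ts:.1f}s")
```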

Ransom note tells victims to contact attackers

The malware also drops a ransom note, detailing the instructions for getting the files back.

Improve Your Proactive Security with ANY.RUN's Interactive Sandbox

Analyzing cyber threats proactively instead of reacting to them once they become a problem for your organization is the best course of action any business can take. Simplify it with ANY.RUN's Interactive Sandbox by examining all suspicious files and URLs inside a safe virtual environment that helps you identify malicious content with ease.

With the ANY.RUN sandbox, your company can:

  • Swiftly detect and confirm dangerous files and links during scheduled checks.
  • Investigate how malware operates on a deeper level to reveal its tactics and techniques.
  • Respond to security incidents more effectively by gathering important threat insights through sandbox analysis.

Try all features of ANY.RUN with a 14-day free trial.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
