Wednesday, January 8, 2025

Top 5 Malware Threats to Prepare Against in 2025

2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and Ticketmaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are five common malware families that you can start preparing to counter right now.

Lumma

Lumma is a widely available information stealer. It has been openly sold on the dark web since 2022. The malware collects and exfiltrates data from targeted applications, including login credentials, financial information, and personal details.

Lumma is regularly updated to extend its capabilities. It can harvest detailed information from compromised systems, such as browsing history and cryptocurrency wallet data, and it can be used to install other malicious software on infected devices. In 2024, Lumma was distributed through a variety of methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.

Analysis of a Lumma Attack

Proactive analysis of suspicious files and URLs inside a sandbox environment can help you prevent a Lumma infection before it reaches a user's machine.

Let's see how you can do it using ANY.RUN's cloud-based sandbox. It not only delivers definitive verdicts on malware and phishing along with actionable indicators, but also allows real-time interaction with the threat and the system.

Take a look at this analysis of a Lumma attack.

ANY.RUN lets you manually open files and launch executables

It starts with an archive that contains an executable. Once we launch the .exe file, the sandbox automatically logs all process and network activity, showing Lumma's actions.

Suricata IDS informs us about a malicious connection to Lumma's C2 server

It connects to its command-and-control (C2) server.

Malicious process responsible for stealing data from the system

Next, it begins to collect and exfiltrate data from the machine.

You can use the IOCs extracted by the sandbox to enhance your detection systems

After finishing the analysis, we can export a report on this sample, featuring all the key indicators of compromise (IOCs) and TTPs, which can be used to strengthen defenses against possible Lumma attacks in your organization.

Try all features of ANY.RUN's Interactive Sandbox for free with a 14-day trial
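The exported indicators are only useful once they are matched against your own telemetry. The following is an added example written for this article, not ANY.RUN's code and not its real export format: it loads a constructed IOC list in an assumed JSON layout, then checks constructed proxy and EDR log lines for listed domains (including their subdomains), addresses inside listed CIDR ranges, and SHA-256 hashes. All domains, addresses, hashes and log lines are made up for illustration.

```python
"""Match sandbox-exported IOCs against proxy and EDR logs.

Added example for this article, not ANY.RUN code. The IOC JSON layout below is an
assumption (a real export may name fields differently), and every log line, domain,
address and hash is constructed for illustration.
"""
import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed IOC export: documentation-reserved domains/IPs and a placeholder hash.
IOC_EXPORT = json.dumps({
    "domains": ["update-check.example.net", "cdn.example.org"],
    "ips": ["203.0.113.7", "198.51.100.0/24"],
    "sha256": ["0" * 63 + "1"],
})

# Constructed log lines: proxy URL events and EDR file-hash events.
SAMPLE_LOGS = [
    "proxy ts=2025-01-08T10:01:02Z src=10.0.0.5 url=https://update-check.example.net/api/v1 status=200",
    "proxy ts=2025-01-08T10:01:05Z src=10.0.0.5 url=https://login.microsoftonline.com/ status=200",
    "proxy ts=2025-01-08T10:02:10Z src=10.0.0.9 url=http://198.51.100.23/gate.php status=200",
    "edr ts=2025-01-08T10:02:11Z host=ws-009 file=C:\\Users\\u\\Downloads\\setup.exe sha256=" + "0" * 63 + "1",
    "edr ts=2025-01-08T10:03:00Z host=ws-010 file=C:\\Windows\\notepad.exe sha256=" + "a" * 64,
]

_HOST_RE = re.compile(r"url=[a-z]+://(?P<host>[^/\s:]+)", re.I)
_HASH_RE = re.compile(r"sha256=(?P<hash>[0-9a-f]{64})", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the log list
    ioc_type: str  # "domain", "ip" or "sha256"
    ioc: str       # the IOC (as listed in the export) that matched


def load_iocs(export_json):
    """Normalise the export: lower-case domains, parsed networks, lower-case hashes."""
    data = json.loads(export_json)
    domains = {d.lower().rstrip(".") for d in data.get("domains", [])}
    # A bare address becomes a /32 network, so single IPs and CIDRs share one check.
    networks = [ipaddress.ip_network(n, strict=False) for n in data.get("ips", [])]
    hashes = {h.lower() for h in data.get("sha256", [])}
    return domains, networks, hashes


def _domain_hit(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Stop before the bare TLD so "net" alone can never match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_logs(lines, export_json):
    """Scan log lines for IOC hits; returns Hit objects in log order."""
    domains, networks, hashes = load_iocs(export_json)
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = _HOST_RE.search(line)
        if m:
            host = m.group("host")
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:  # not an IP literal, treat it as a hostname
                d = _domain_hit(host, domains)
                if d:
                    hits.append(Hit(line_no, "domain", d))
            else:
                for net in networks:
                    if addr in net:
                        hits.append(Hit(line_no, "ip", str(net)))
                        break
        h = _HASH_RE.search(line)
        if h and h.group("hash").lower() in hashes:
            hits.append(Hit(line_no, "sha256", h.group("hash").lower()))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, IOC_EXPORT):
        print(f"line {hit.line_no}: {hit.ioc_type} IOC {hit.ioc}")
```

Matching on parent domains and CIDR ranges rather than exact strings is deliberate: stealer C2 infrastructure commonly rotates host labels and neighbouring addresses, and an exact-match lookup would miss the variant seen in your own logs. Keep the hash check exact, since any single-byte change in the sample yields a different digest.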

XWorm

XWorm is a trojan that gives cybercriminals remote control over infected computers. First appearing in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.

XWorm allows attackers to monitor victims' activities by tracking keystrokes, capturing webcam images, listening to audio input, scanning network connections, and viewing open windows. It can also access and manipulate the computer's clipboard, potentially hijacking cryptocurrency wallet addresses and credentials.

In 2024, XWorm was involved in many large-scale attacks, including campaigns that abused Cloudflare tunnels and legitimate digital certificates.

Analysis of an XWorm Attack

Phishing emails are often the initial stage of XWorm attacks

In this attack, we can see the original phishing email, which features a link to a Google Drive page.

A Google Drive page with a download link to a malicious archive

Once we follow the link, we are offered an archive to download, which is protected with a password.

Opened malicious archive with a .vbs file

The password can be found in the email. After entering it, we can access a .vbs script inside the .zip file.

XWorm uses MSBuild.exe to persist on the system

As soon as we launch the script, the sandbox instantly detects malicious activity, which eventually leads to the deployment of XWorm on the machine.

AsyncRAT

AsyncRAT is another remote access trojan on the list. First seen in 2019, it was initially spread via spam emails, often using the COVID-19 pandemic as a lure. Since then, the malware has gained popularity and been used in numerous cyber attacks.

AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record a victim's screen activity, log keystrokes, install additional malware, steal files, maintain a persistent presence on infected systems, disable security software, and launch denial-of-service attacks that overwhelm targeted websites.

In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of complex attacks involving AI-generated scripts.

Analysis of an AsyncRAT Attack

The initial archive with an .exe file

In this analysis session, we can see another archive with a malicious executable inside.

A PowerShell process used for downloading a payload

Detonating the file kicks off the AsyncRAT execution chain, which uses PowerShell scripts to fetch the additional files needed to complete the infection.

Once the analysis is finished, the sandbox displays the final verdict on the sample.

Remcos

Remcos is malware that has been marketed by its creators as a legitimate remote access tool. Since its release in 2016, it has been used in numerous attacks to perform a wide range of malicious actions, including stealing sensitive information, remotely controlling the system, recording keystrokes, capturing screen activity, and more.

In 2024, campaigns distributing Remcos used techniques such as script-based attacks, which often start with a VBScript that launches a PowerShell script to deploy the malware, and exploited vulnerabilities such as CVE-2017-11882 (the Equation Editor memory corruption flaw) by means of malicious Office XML files.

Analysis of a Remcos Attack

Phishing email opened in ANY.RUN's Interactive Sandbox

In this example, we are met with another phishing email that carries a .zip attachment and the password for it.

cmd process used during the infection chain

The final payload uses the Command Prompt and Windows system processes to load and execute Remcos.

MITRE ATT&CK matrix provides a comprehensive view of the malware's techniques

The ANY.RUN sandbox maps the entire attack chain to the MITRE ATT&CK matrix for convenience.
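The three chains above share one shape that can be detected without any family-specific signature: a script host or Office application sits in the ancestry of a built-in execution proxy (PowerShell for AsyncRAT's downloader, MSBuild.exe for XWorm's persistence, cmd.exe for the Remcos loader). The following is an added example written for this article, not ANY.RUN's code: it walks constructed process-creation events, flags those chains, and labels each with the ATT&CK technique IDs in the same spirit as the sandbox's mapping. PIDs, paths and command lines are invented, and the image-to-technique table is a minimal mapping chosen here, not a complete ATT&CK coverage map.

```python
"""Flag script-host / Office descendants that reach PowerShell, cmd or MSBuild,
and tag each chain with MITRE ATT&CK technique IDs.

Added example for this article, not ANY.RUN code. The process list is constructed
(PIDs, paths and command lines are invented), and the image-to-technique table is a
minimal mapping chosen here, not a complete ATT&CK coverage map.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    chain: list        # image names from root ancestor to the flagged process
    techniques: list   # ATT&CK IDs in chain order, deduplicated


# Constructed process-creation events, as an EDR would record them.
SAMPLE_PROCS = [
    Proc(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    # XWorm-style chain: the user double-clicks the .vbs extracted from the archive.
    Proc(2300, 1000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'),
    Proc(2310, 2300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1"),
    Proc(2320, 2310, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
         r"MSBuild.exe C:\Users\u\AppData\Roaming\build.xml"),
    # Benign: an administrator launches cmd and PowerShell directly from Explorer.
    Proc(2400, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc(2500, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # Remcos-style chain: a document from a phishing attachment spawns cmd.
    Proc(2600, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         r'WINWORD.EXE /n "C:\Users\u\Downloads\invoice.docx"'),
    Proc(2610, 2600, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"),
]

# Processes that typically mark the hand-off from a lure to code execution.
INITIAL_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Built-in binaries that payload stages are commonly routed through.
PROXY_EXEC = {"powershell.exe", "cmd.exe", "msbuild.exe"}
# Minimal image -> ATT&CK technique mapping (chosen for this example).
ATTACK = {
    "wscript.exe": "T1059.005",     # Command and Scripting Interpreter: Visual Basic
    "cscript.exe": "T1059.005",
    "powershell.exe": "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "cmd.exe": "T1059.003",         # Command and Scripting Interpreter: Windows Command Shell
    "msbuild.exe": "T1127.001",     # Trusted Developer Utilities Proxy Execution: MSBuild
    "mshta.exe": "T1218.005",       # System Binary Proxy Execution: Mshta
    "winword.exe": "T1204.002",     # User Execution: Malicious File
    "excel.exe": "T1204.002",
    "outlook.exe": "T1566.001",     # Phishing: Spearphishing Attachment
}


def _name(image):
    return PureWindowsPath(image).name.lower()


def ancestry(by_pid, pid):
    """Walk ppid links upward; returns [root, ..., pid]. Guards against cycles
    caused by PID reuse when a recorded parent is missing from the event set."""
    chain, seen = [], set()
    p = by_pid.get(pid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p)
        p = by_pid.get(p.ppid)
    chain.reverse()
    return chain


def find_suspicious_chains(procs):
    """Return a Finding for every PROXY_EXEC process with an INITIAL_HOSTS ancestor."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in sorted(procs, key=lambda x: x.pid):
        if _name(p.image) not in PROXY_EXEC:
            continue
        chain = ancestry(by_pid, p.pid)
        if not any(_name(a.image) in INITIAL_HOSTS for a in chain[:-1]):
            continue  # cmd/powershell straight from Explorer is ordinary admin activity
        techniques = []
        for a in chain:
            t = ATTACK.get(_name(a.image))
            if t and t not in techniques:
                techniques.append(t)
        findings.append(Finding(p.pid, [_name(a.image) for a in chain], techniques))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_PROCS):
        print(f"pid {f.pid}: {' -> '.join(f.chain)}  [{', '.join(f.techniques)}]")
```

Keying on ancestry rather than on the immediate parent matters: MSBuild.exe in the XWorm case is launched by PowerShell, not by the script host, so a parent-only rule would miss it. The benign cmd and PowerShell launched from Explorer are intentionally not flagged; that is the false-positive class an ancestry check is meant to avoid.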

LockBit

LockBit is ransomware that primarily targets Windows devices. It is considered one of the biggest ransomware threats, accounting for a substantial portion of all Ransomware-as-a-Service (RaaS) attacks. The decentralized, affiliate-based structure of the LockBit group has allowed it to compromise numerous high-profile organizations worldwide, including the UK's Royal Mail and India's National Aerospace Laboratories (in 2024).

Law enforcement agencies have taken steps to combat the LockBit group, leading to the arrest of several developers and affiliates. Despite these efforts, the group continues to operate, with plans to launch a new version, LockBit 4.0, in 2025.

Analysis of a LockBit Attack

LockBit ransomware launched in the safe environment of the ANY.RUN sandbox

Check out this sandbox session, which shows how quickly LockBit infects a system and encrypts its files.

ANY.RUN's Interactive Sandbox lets you see static analysis of every modified file on the system

By tracking file system changes, we can see that it modified 300 files in less than a minute.

Ransom note tells victims to contact the attackers

The malware also drops a ransom note with instructions for getting the files back.
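That rate of change is itself a usable signal: no interactive user and few legitimate programs rewrite hundreds of distinct user documents within a minute. The following is an added example written for this article, not ANY.RUN's code: it replays a constructed file-event timeline (one process rewriting 300 documents in 45 seconds alongside a few normal Word saves) through a sliding-window counter and raises an alert the first time a process crosses the threshold, reporting the dominant new extension for triage. The process names, paths, appended extension, threshold and window are all constructed or assumed.

```python
"""Flag a process that modifies an unusual number of files in a short window.

Added example for this article, not ANY.RUN code. The file events, process names,
appended extension and thresholds are all constructed or assumed for illustration;
tune the threshold and window to your own baseline of legitimate bulk writers
(backup agents, indexers, build tools).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import NamedTuple


class FileEvent(NamedTuple):
    ts: datetime
    pid: int
    process: str
    op: str      # "create", "write", "rename", "delete", ...
    path: str


class BurstAlert(NamedTuple):
    pid: int
    process: str
    files: int            # distinct files touched inside the window at first crossing
    first_ts: datetime
    last_ts: datetime
    dominant_ext: str     # most common final extension among those files


def _build_sample_events():
    """Constructed timeline: one process rewrites 300 documents in 45 s,
    while Word saves a handful of files at a normal rate."""
    base = datetime(2025, 1, 8, 10, 0, 0)
    events = []
    for i in range(300):
        events.append(FileEvent(base + timedelta(milliseconds=150 * i), 4120, "lb.exe",
                                "write", f"C:\\Users\\u\\Documents\\doc{i}.docx.locked"))
    for i in range(5):
        events.append(FileEvent(base + timedelta(seconds=10 * i), 2210, "WINWORD.EXE",
                                "write", f"C:\\Users\\u\\Documents\\report{i}.docx"))
    return sorted(events)


SAMPLE_EVENTS = _build_sample_events()


def detect_mass_modification(events, threshold=100, window=timedelta(seconds=60)):
    """Return one BurstAlert per process that touches >= threshold distinct files
    within any sliding window of the given length (reported at the first crossing)."""
    recent = defaultdict(deque)   # (pid, process) -> deque of (ts, path) inside the window
    alerts = {}
    for ev in sorted(events):
        if ev.op not in ("create", "write", "rename"):
            continue
        key = (ev.pid, ev.process)
        q = recent[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if key in alerts:
            continue
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            exts = defaultdict(int)
            for p in distinct:
                exts[PureWindowsPath(p).suffix.lower()] += 1
            dominant = max(exts, key=exts.get)
            alerts[key] = BurstAlert(ev.pid, ev.process, len(distinct), q[0][0], ev.ts, dominant)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_mass_modification(SAMPLE_EVENTS):
        span = (a.last_ts - a.first_ts).total_seconds()
        print(f"{a.process} (pid {a.pid}) touched {a.files} files in {span:.1f}s, "
              f"dominant extension {a.dominant_ext!r}")
```

In the constructed data the alert fires after the 100th distinct file, about 15 seconds into the burst, well before all 300 files are rewritten; that lead time is the point of a rate-based rule, since a signature for the dropped binary would only help if the sample was already known. The dominant extension is reported rather than matched, because ransomware families change the suffix they append far more often than they change their write pattern.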

Boost Your Proactive Security with ANY.RUN's Interactive Sandbox

Analyzing cyber threats proactively, instead of reacting to them once they have become a problem for your organization, is the best course of action any business can take. Simplify it with ANY.RUN's Interactive Sandbox by inspecting all suspicious files and URLs inside a safe virtual environment that helps you identify malicious content with ease.

With the ANY.RUN sandbox, your company can:

  • Quickly detect and confirm harmful files and links during scheduled checks.
  • Investigate how malware operates at a deeper level to reveal its tactics and techniques.
  • Respond to security incidents more effectively by collecting key threat insights through sandbox analysis.

Try all features of ANY.RUN with a 14-day free trial.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


