Kaspersky crimeware report: GoPIX, Lumar, and Rhysida.

Kaspersky's excerpts describe three recently observed crimeware families: GoPIX (a PIX-targeting clipboard stealer distributed via malvertising), Lumar (a compact C-written stealer sold as malware-as-a-service with a web C2 panel), and Rhysida (a new RaaS ransomware with TOR-based C2 and unusual support for legacy Windows versions). The reports detail infection chains, persistence and evasion techniques, C2 and exfiltration behaviour, and provide MD5 IOCs. #GoPIX #Rhysida

Key points

  • GoPIX uses malvertising and search-result redirection to deliver a staged downloader that adapts based on the presence of Avast safe-banking software (port 27275).
  • Delivery alternates between a ZIP with an LNK that runs an obfuscated PowerShell script and an NSIS installer that fetches additional PowerShell scripts and the payload.
  • GoPIX loads via reflective DLL injection (sRDI), injects into a suspended svchost process, and operates as a clipboard stealer replacing PIX payment identifiers with attacker-controlled values from C2.
  • Lumar is a ~50KB C-written stealer that resolves APIs by CRC32, checks OS UI language to avoid CIS victims, collects system/browser/crypto wallet data in parallel threads, zips results and uploads them to an author-hosted C2 panel (MaaS).
  • Rhysida is an emerging RaaS that uses a TOR hidden service for communications, uses LibTomCrypt, self-deletes via PowerShell, supports pre-Windows-10 systems by excluding Documents and Settings, and was compiled with MinGW requiring shared libraries.
  • C2 capabilities include web-based panels offering victim stats, log downloads (ZIP), and distribution of updated builder/binaries; operators notify buyers via Telegram for new data.
  • Kaspersky published MD5s for GoPIX, Lumar and Rhysida samples and observed most GoPIX infections in Brazil.

MITRE Techniques

  • [T1189] Drive-by Compromise – used via malvertising and search-result redirection: (‘If they click such a link, a redirection follows, with the user ending up on the malware landing page.’)
  • [T1204.002] User Execution: Malicious File – delivery via ZIP containing an LNK that runs an obfuscated PowerShell downloader: (‘a ZIP file is downloaded that contains an LNK file embedding an obfuscated PowerShell script that downloads the next stage.’)
  • [T1086] PowerShell – multiple stages and self-deletion use PowerShell scripts/commands: (‘an obfuscated PowerShell script that downloads the next stage’ and ‘self-deletion is achieved by executing a PowerShell command on the system.’)
  • [T1055] Process Injection – dropper starts svchost suspended and injects GoPIX into it: (‘the malware dropper then starts the “svchost” process in a suspended state and injects GoPIX into it.’)
  • [T1056.003] Input Capture: Clipboard Data – GoPIX steals and replaces clipboard PIX transactions retrieved from C2: (‘GoPIX is a typical clipboard stealer malware that steals PIX “transactions” … and replaces them with a malicious (attacker controlled) one which is retrieved from the C2.’)
  • [T1027] Obfuscated Files or Information – authors use obfuscation and CRC32-based API resolution: (‘When executed, the malware resolves functions using CRC32.’ and ‘obfuscated PowerShell script’)
  • [T1041] Exfiltration Over C2 Channel – stolen data is zipped and sent to a C2 server: (‘The data is then gathered, zipped and sent to the C2.’)
  • [T1102] Web Service – Lumar’s author-hosted C2 panel (web login, stats, log downloads) provides command-and-control and data access: (‘The C2 is hosted by the malware author … Once logged in, there are three tabs: Home; Stats (victim statistics); Logs (exfiltrated information, which can be downloaded as a ZIP file).’)
  • [T1497] Virtualization/Sandbox Evasion (environment checks) – Lumar checks OS UI language and exits for CIS languages to avoid analysis/targeting: (‘It then checks the OS UI language and terminates if it is set to a language used in a CIS country.’)
  • [T1090] Proxy (TOR usage) – Rhysida uses a hidden TOR service for communications/C2: (‘runs a hidden TOR service’)

Indicators of Compromise

  • [File hashes] malware samples – GoPIX examples: EB0B4E35A2BA442821E28D617DD2DAA2, 6BA5539762A71E542ECAC7CF59BDDF79, and 6 more hashes
  • [File hashes] Lumar & Rhysida examples – Lumar: 5fc82bd3590eae30c26f1a42f4e711f4; Rhysida: 0c8e88877383ccd23a755f429006b437 (additional hashes listed in the report)
  • [Domains / services] infrastructure and services – ipqualityscore.com (fraud-prevention service used in redirection checks), opentip.kaspersky.com (hash lookup links), securelist.com (original report source)
  • [File artifacts] delivery/installers – LNK file embedding obfuscated PowerShell; NSIS installer package containing PowerShell scripts and payloads
  • [Network indicators] local port used in decision logic – port 27275 (used by Avast safe banking) influences which installer URL is served
  • [TOR/Onion] C2 hosting – Rhysida uses a hidden TOR service / onion site (onion URL not publicly listed in article)

GoPIX infection flow: attackers place malvertising search links that redirect victims to a fake WhatsApp download page, then use an IP Quality Score check to filter out bots. Delivery depends on whether local port 27275 is open, which indicates Avast safe-banking software: if it is open, a ZIP containing an LNK that runs an obfuscated PowerShell downloader is served; if it is closed, an NSIS installer is fetched instead. The NSIS package contains, and downloads, additional PowerShell scripts and encrypted payloads. After decryption and shellcode execution the dropper uses sRDI (reflective DLL injection) to load the malware, spawns svchost in a suspended state and injects GoPIX into it. GoPIX then monitors the clipboard and replaces PIX payment identifiers with attacker-supplied values fetched from the C2.
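As an added illustration (not code from the report or from Kaspersky), the following Python sketch shows the detection logic a workstation clipboard monitor could apply against the swap behaviour described above: it classifies clipboard contents by PIX key format and flags a later clipboard read that holds a different PIX key than the one the user last copied. The PIX key regexes and the event timeline are constructed assumptions for this example.

```python
import re

# PIX key formats as regular expressions (constructed approximations for this
# example; not taken from the Kaspersky report).
PIX_KEY_PATTERNS = {
    "cpf":   re.compile(r"^\d{3}\.?\d{3}\.?\d{3}-?\d{2}$"),
    "cnpj":  re.compile(r"^\d{2}\.?\d{3}\.?\d{3}/?\d{4}-?\d{2}$"),
    "phone": re.compile(r"^\+55\d{10,11}$"),
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "evp":   re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I),
}

def pix_key_type(text):
    """Return the PIX key format the string matches, or None."""
    s = text.strip()
    for name, pattern in PIX_KEY_PATTERNS.items():
        if pattern.match(s):
            return name
    return None

def detect_clipboard_swaps(events):
    """events: sequence of (source, text).
    'user' = content the user deliberately copied (e.g. seen by a Ctrl+C hook),
    'poll' = what the clipboard holds at a later periodic read.
    Flags a poll whose content is a PIX key different from the PIX key the
    user last copied, i.e. a silent replacement of the payment identifier."""
    alerts = []
    last_user = None
    for source, text in events:
        if source == "user":
            last_user = text.strip()
            continue
        if last_user is None or pix_key_type(last_user) is None:
            continue
        seen = text.strip()
        if seen != last_user and pix_key_type(seen) is not None:
            alerts.append({"expected": last_user, "found": seen,
                           "found_type": pix_key_type(seen)})
    return alerts

# Constructed clipboard timeline: the victim copies a merchant's CPF key and a
# later poll finds a different CPF in the clipboard.
SAMPLE_EVENTS = [
    ("user", "123.456.789-09"),
    ("poll", "123.456.789-09"),
    ("poll", "987.654.321-00"),
    ("user", "meeting notes"),
    ("poll", "meeting notes"),
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"PIX key swapped: {a['expected']} -> {a['found']} ({a['found_type']})")
```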

Lumar is a compact (~50KB) C-based stealer that resolves API functions by CRC32 and performs an environment check (terminates if the UI language matches CIS languages). It collects system telemetry, then runs three concurrent threads to harvest (1) user files (.txt/.doc/.jpg/.rdp/.xls etc.), (2) browser cookies and cached passwords, and (3) cryptocurrency wallet files; the bundle is compressed and uploaded to an author-hosted web C2 panel sold as MaaS, where buyers authenticate, review stats/logs and download exfiltrated ZIPs or updated binaries; the panel also supports Telegram notifications for new data.
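The CRC32-based API resolution mentioned for Lumar is what an analyst meets as bare 32-bit constants in the binary. As an added example (not the report's code), this Python helper builds a CRC32 lookup table from candidate export names so such constants can be mapped back to API names during analysis; the candidate list, the case-normalisation variants and the "unknown" hashes are constructed assumptions, since the report does not specify Lumar's exact hashing variant.

```python
import zlib

# Candidate export names to hash. Constructed short list for this example; a
# real run would enumerate the exports of the DLLs the sample loads.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "CreateThread", "WaitForMultipleObjects",
    "GetUserDefaultUILanguage", "FindFirstFileW", "FindNextFileW",
    "CreateFileW", "InternetOpenA", "HttpSendRequestA", "CryptUnprotectData",
]

def api_hash(name, variant="raw"):
    """CRC32 of an API name. The report only says Lumar resolves functions by
    CRC32; case normalisation is an assumption, so the table tries variants."""
    if variant == "lower":
        name = name.lower()
    elif variant == "upper":
        name = name.upper()
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

def build_table(names=CANDIDATE_APIS, variants=("raw", "lower", "upper")):
    """Map hash -> (api_name, variant). The first variant wins on a collision."""
    table = {}
    for variant in variants:
        for name in names:
            table.setdefault(api_hash(name, variant), (name, variant))
    return table

def resolve(hashes, table=None):
    """Resolve 32-bit constants pulled from a sample; unknowns map to (None, None)."""
    table = table if table is not None else build_table()
    return {h: table.get(h, (None, None)) for h in hashes}

# Constructed "constants found in the sample": two computed from candidate
# names (one via lowercase normalisation) and one that no candidate produces.
UNKNOWN_HASHES = [api_hash("CreateThread"), api_hash("loadlibrarya"), 0xDEADBEEF]

if __name__ == "__main__":
    for h, (name, variant) in resolve(UNKNOWN_HASHES).items():
        print(f"{h:#010x} -> {name or '<unresolved>'} ({variant or '-'})")
```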

Rhysida is an emerging RaaS observed with a TOR-hidden C2, LibTomCrypt usage, MinGW-compiled C++ binaries requiring shared libraries, and a PowerShell-based self-deletion mechanism. It retains compatibility with older Windows by excluding Documents and Settings from encryption; initial onion server misconfigurations exposed sensitive data but were quickly remediated by the operators.

Read more: https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/