Rugmi Loader Technical Analysis

This blog post comes from the Rugmi Loader Technical Analysis report. If you want to read more details, download it as a PDFclick here

Summary

This report aims to provide a comprehensive technical analysis of Rugmi Loader. Through this analysis, we aim to provide valuable insights into how it functions, ultimately contributing to the enhancement of cybersecurity measures against these sophisticated threats.

The latest DLL hijacking technique utilizes phishing to distribute an executable that appears legitimate, accompanied by a .png file containing configuration data and DLLs with various purposes. The decrypted configuration data, facilitated by the DLL, then triggers the loading of multiple DLLs onto the system. Additionally, as an evasion tactic, direct system calls are observed, along with the use of the Heaven’s Gate technique. The malicious DLL is injected into seemingly legitimate programs such as cmd.exe, paving the way for the final payload—stealer types—to manifest malicious activity within the system via explorer.exe.

Scope

Filename	Bur_Oil_Company.zip
Filetype	ZIP
Written Language	–
MD5	7981e2f467362b08d22fad773e24df3b
SHA1	3cd4952c6b2c192a41f7f625d9b94d27a869858e
SHA256	3ccf4a79e6dc06def1c928e1378a9ea64274089d0d6c4da758d0c9acab20324e
First Seen / Detection Date	2023-10-11
Initial Infection Vector	Phishing Mail

Filename	Bur_Oil_Company.exe
Filetype	Win64 EXE
Written Language	C/C++
MD5	64e3c6d6a396836e3c57b81e4c7c8f3b
SHA1	f689e6995c85817193282163a18ec917c5f8d5c2
SHA256	f2b4ca304f3d9d3305ae595e19906c545601f8c9e215a9b598036e89155daf85
First Seen / Detection Date	2023-10-11
Initial Infection Vector	Phishing Mail

Filename	mozglue.dll
Filetype	Win32 DLL
Written Language	C/C++
MD5	9f827d15fe257543fa8c8c42c33e389a
SHA1	76ab3458d75986bd1be148a5ca2d22318622b7c5
SHA256	7f8f310241aa93dee7b4c0e97c1d30b8e50e96ffec619288de13f25d2ca555c7
First Seen / Detection Date	2023-10-11
Initial Infection Vector	Phishing Mail

T

Infection Chain

MITRE ATTA&CK Threat Matrix

1. TA001 Initial Access
   1. T1566 Phishing
2. TA002 Execution
   1. T1204 User Execution
      • T1204.002 Malicious File
   2. T1106 Native API
3. TA005 Defense Evasion
   1. T1140 Deobfuscate/Decode Files or Information
   2. T1036 Masquerading
   3. T1055 Process Injection

Mitigation Strategies

• Configure systems to use secure DLL search paths, reducing the risk of DLL search order hijacking. This can involve specifying the full path for loading DLLs.
• Keep operating systems, applications, and security software up to date with the latest patches and updates.
• Employ advanced email filtering solutions to identify and block phishing emails.
• Participate in threat intelligence-sharing communities to stay informed about emerging phishing threats.

This blog post comes from the Rugmi Loader Technical Analysis report. If you want to read more details, download it as a PDFclick here