[Research Summary]: Rugmi Loader

AUGUST 5, 2024

Introduction

This blog post comes from the Rugmi Loader Technical Analysis report. If you want to read more details, download it as a PDFclick here

Summary

This report aims to provide a comprehensive technical analysis of Rugmi Loader. Through this analysis, we aim to provide valuable insights into how it functions, ultimately contributing to the enhancement of cybersecurity measures against these sophisticated threats.

The latest DLL hijacking technique utilizes phishing to distribute an executable that appears legitimate, accompanied by a .png file containing configuration data and DLLs with various purposes. The decrypted configuration data, facilitated by the DLL, then triggers the loading of multiple DLLs onto the system. Additionally, as an evasion tactic, direct system calls are observed, along with the use of the Heaven’s Gate technique. The malicious DLL is injected into seemingly legitimate programs such as cmd.exe, paving the way for the final payload—stealer types—to manifest malicious activity within the system via explorer.exe.

Scope

FilenameBur_Oil_Company.zip
FiletypeZIP
Written Language
MD57981e2f467362b08d22fad773e24df3b
SHA13cd4952c6b2c192a41f7f625d9b94d27a869858e
SHA2563ccf4a79e6dc06def1c928e1378a9ea64274089d0d6c4da758d0c9acab20324e
First Seen / Detection Date2023-10-11
Initial Infection VectorPhishing Mail
Table 1: File Fingerprints
FilenameBur_Oil_Company.exe
FiletypeWin64 EXE
Written LanguageC/C++
MD564e3c6d6a396836e3c57b81e4c7c8f3b
SHA1f689e6995c85817193282163a18ec917c5f8d5c2
SHA256f2b4ca304f3d9d3305ae595e19906c545601f8c9e215a9b598036e89155daf85
First Seen / Detection Date2023-10-11
Initial Infection VectorPhishing Mail
Table 2: File Fingerprints
Filenamemozglue.dll
FiletypeWin32 DLL
Written LanguageC/C++
MD59f827d15fe257543fa8c8c42c33e389a
SHA176ab3458d75986bd1be148a5ca2d22318622b7c5
SHA2567f8f310241aa93dee7b4c0e97c1d30b8e50e96ffec619288de13f25d2ca555c7
First Seen / Detection Date2023-10-11
Initial Infection VectorPhishing Mail
Table 3: File Fingerprints

Infection Chain

infection - [Research Summary]: Rugmi Loader
Figure 1: Infection Chain

MITRE ATTA&CK Threat Matrix

  1. TA001 Initial Access
    1. T1566 Phishing
  2. TA002 Execution
    1. T1204 User Execution
      • T1204.002 Malicious File
    2. T1106 Native API
  3. TA005 Defense Evasion
    1. T1140 Deobfuscate/Decode Files or Information
    2. T1036 Masquerading
    3. T1055 Process Injection

Mitigation Strategies

  • Configure systems to use secure DLL search paths, reducing the risk of DLL search order hijacking. This can involve specifying the full path for loading DLLs.
  • Keep operating systems, applications, and security software up to date with the latest patches and updates.
  • Employ advanced email filtering solutions to identify and block phishing emails.
  • Participate in threat intelligence-sharing communities to stay informed about emerging phishing threats.

This blog post comes from the Rugmi Loader Technical Analysis report. If you want to read more details, download it as a PDFclick here

SHARE THIS

Get insight, Analysis &
News Straight to Your
Inbox

By submitting this form, you agree to our Privacy Policy

Latest News