Researchers at Deep Instinct have discovered a six-in-one malware that appears to be designed for enterprise-level victims. The malware uses a payload dropper called “Legion Loader,” which is suspected to have been developed by a Russian speaker as the code shows a few traces of comments and UI written in Russian. The six elements used are:
• Vidar – Targets personal information and data stored in two-factor authentication (2FA) software.
• Predator the Thief – A data stealer that can capture webcam images.
• Raccoon Stealer – Bypasses Microsoft and Symantec anti-spam messaging gateways.
• Crypto Stealer – A cryptocurrency stealer.
• Crypto Miner – Uses the victim’s processing power to mine for cryptocurrency.
• RDP Backdoor – Provides access to the victim’s machine which would allow an attacker to execute commands in the future.
The reasons why the researchers state that this dropper-for-hire campaign is likely designed for enterprises are the destructive capabilities and the fact that it attempts to evade anti-spam messaging gateways typically found in enterprise IT environments.
Although Legion Loader includes code that attempts to detect and evade behavior-based analysis in automated “sandbox” testing environments, it does not obfuscate the strings embedded in the malware executable, so pattern matching with YARA rules is an effective detection strategy. The malware contains the following strings: “ollydbg.exe”, “ProcessHacker.exe”, “ImmunityDebugger.exe”, and “Wireshark.exe”. Network-based detection is also possible by searching for the unusual User-Agent values in the malware’s HTTP requests: “User-Agent: autizm”, “User-Agent: satan”, “User-Agent: suspiria” and “User-Agent: lilith”. A later stage of the deployment uses PowerShell scripts to send data via HTTP POST to the domain legion1488.info.
This campaign is not the most sophisticated, but given all the types of data that could be compromised, an attack like this can be a nightmare for security teams. Nevertheless, organizations can employ simple security measures to protect themselves. Organizations should download and apply security patches as they become available. Security personnel should firewall any open ports so that these malicious programs cannot reach them. Remote desktop access should run behind a VPN that uses two-factor authentication, which prevents attackers from finding the RDP login page through internet-wide scans and logging in with compromised or guessed passwords. Organizations can also benefit from a 24-hour monitoring service, such as the Binary Defense Security Operations Center, that can identify and defend against these attacks.
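The two detection approaches described above (host-side string matching on the unobfuscated executable, and network-side matching on the User-Agent values and the legion1488.info domain) can be expressed as a small detector. The following is an added example written for this page; it is not code from Deep Instinct, Binary Defense or the article's source. The indicator strings come from the article; the sample executable bytes, the tab-separated proxy log format and every log line are constructed for the example, and the `min_hits` threshold is an assumed tuning choice, since the debugger and capture-tool names also occur in plenty of legitimate software.

```python
"""Added example: a minimal Legion Loader indicator detector.

Check 1 scans raw executable bytes for the analysis-tool names the article
lists (the same logic a YARA strings rule would express).
Check 2 scans proxy log lines for the malware's User-Agent values and the
data-exfiltration domain named in the article.

Sample binary bytes, the log format and all log lines are constructed.
"""
from typing import Dict, List

# Indicators quoted in the article.
ANALYSIS_TOOL_STRINGS = [
    b"ollydbg.exe",
    b"ProcessHacker.exe",
    b"ImmunityDebugger.exe",
    b"Wireshark.exe",
]
SUSPECT_USER_AGENTS = {"autizm", "satan", "suspiria", "lilith"}
SUSPECT_DOMAIN = "legion1488.info"


def scan_file_strings(data: bytes, min_hits: int = 2) -> Dict[str, object]:
    """Report which analysis-tool names occur in the raw bytes.

    A sandbox/debugger check normally references several tools at once, so
    the (assumed) min_hits threshold avoids flagging software that merely
    mentions one of them.
    """
    hits = [s.decode() for s in ANALYSIS_TOOL_STRINGS if s in data]
    return {"hits": hits, "flagged": len(hits) >= min_hits}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag lines whose User-Agent equals one of the malware's values or
    whose Host is the exfiltration domain (or a subdomain of it).

    Assumed constructed format, tab-separated:
        timestamp  src_ip  method  host  path  user_agent
    """
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 6:
            continue  # malformed line: skip rather than crash the scan
        ts, src, method, host, _path, ua = parts
        reasons = []
        # Exact match on the header value: the malware sends the bare word,
        # so substring matching (e.g. "satan" inside a real UA) is avoided.
        if ua.strip().lower() in SUSPECT_USER_AGENTS:
            reasons.append(f"user-agent '{ua}'")
        host_l = host.lower()
        if host_l == SUSPECT_DOMAIN or host_l.endswith("." + SUSPECT_DOMAIN):
            reasons.append(f"host {host}")
        if reasons:
            alerts.append({"timestamp": ts, "src": src, "method": method,
                           "host": host, "reason": "; ".join(reasons)})
    return alerts


# Constructed sample data: a fake PE-like blob carrying three of the strings,
# a benign blob carrying only one, and a short proxy log.
SAMPLE_BINARY = (b"MZ\x90\x00" + b"\x00" * 32
                 + b"ollydbg.exe\x00ProcessHacker.exe\x00Wireshark.exe\x00"
                 + b"\x00" * 16)
BENIGN_BINARY = b"MZ\x90\x00" + b"\x00" * 32 + b"Wireshark.exe\x00" + b"\x00" * 16
SAMPLE_LOG = [
    "2019-12-20T10:01:02Z\t10.0.0.15\tGET\tupdate.example.com\t/check\tMozilla/5.0 (Windows NT 10.0)",
    "2019-12-20T10:01:07Z\t10.0.0.15\tGET\tcdn.example.net\t/f.bin\tsatan",
    "2019-12-20T10:02:11Z\t10.0.0.22\tPOST\tlegion1488.info\t/gate\tMozilla/5.0 (Windows NT 6.1)",
    "2019-12-20T10:02:30Z\t10.0.0.15\tGET\tcdn.example.net\t/g.bin\tlilith",
    "malformed line",
]

if __name__ == "__main__":
    print(scan_file_strings(SAMPLE_BINARY))
    print(scan_file_strings(BENIGN_BINARY))
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The host-side check only works because, as the article notes, the loader leaves these strings unobfuscated; a packed or string-encrypted build would need a behavioural signature instead. On the network side, the bare User-Agent values are distinctive enough to match exactly, which keeps the rule from firing on real browsers whose User-Agent happens to contain one of the words.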
For more information, please see: https://cyware.com/news/hornets-nest-a-six-in-one-malware-92579462