The Advanced Persistent Threat (APT) group known as Lampert or Longhorn has been seen using a newly-discovered downloader called DePriMon to deliver various malware strains. The downloader employs a novel method for persistence (restarting whenever the infected computer restarts), using Windows port monitors. The malware is named DePriMon because it uses the name “Windows Default Print Monitor” to attempt to make its port monitor entry in the registry blend in and not raise the suspicions of IT security staff. The malware strains used by Lampert have been assigned color-based names by researchers, including:
- Black Lampert- Active Implant used to connect to C2 server and wait for instructions
- White Lampert- Passive network-based backdoor
- Blue Lampert- Second stage malware payload
- Green Lampert- An older version of Blue Lampert
- Pink Lampert- USB-compromising module and orchestrator
While the initial intrusion vector is unknown, the combination of the Lampert malware and the DePriMon downloader is quite new. Symantec states that the group compromised 40 targets in 16 different countries in 2017 alone. ESET stated in their blog post, “”DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components,” ESET added. “DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way.”
Sources: https://www.zdnet.com/article/deprimon-downloader-uses-novel-ways-to-infect-your-pc-with-coloredlambert-malware/
https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/
