Although Legion Loader includes code that attempts to detect and evade behavior-based analysis in “sandbox” automated testing environments, it does not obfuscate strings embedded in the malware executable file, which means that pattern matching using yara rules is an effective detection strategy. The malware contains the following strings: “ollydbg.exe”, “ProcessHacker.exe”, “ImmunityDebugger.exe”, and “Wireshark.exe.” Network-based detection is also possible by searching for the unique User-Agent strings in the malware’s HTTP requests: “User-Agent: autizm”, “User-Agent: satan”, “User-Agent: suspiria” and “User-Agent: lilith.” Another stage of the malware deployment uses PowerShell scripts to send data via HTTP POST to the domain legion1488.info. This campaign isn’t the most sophisticated but considering all the types of data that could be compromised by attackers, an attack like this can be a nightmare for security teams. Nevertheless, organizations can employ simple security measures to protect themselves. Organizations should download and apply security patches as they become available. Security personnel should firewall any open ports so that these malicious programs cannot access them. Remote desktop access should be run behind a VPN that uses 2-factor authentication to prevent attackers from finding the RDP login page through scans of the internet and using compromised or guessed passwords to log in. Organizations can also benefit from employing a 24-hour monitoring service, such as the Binary Defense Security Operations Center, that can identify and defend from these attacks. For more information, please see: https://cyware.com/news/hornets-nest-a-six-in-one-malware-92579462