The downloader is believed to use a persistence method not previously seen in the wild.
A malware downloader has been found abusing the Windows “Port Monitor” mechanism for persistence, a technique not previously observed in active campaigns.
The malicious downloader, dubbed DePriMon, is used to deliver malware belonging to the Lamberts APT group, which specialises in attacks against European and Middle Eastern firms.
Kaspersky reports that the Lamberts have been active since at least 2008, while Symantec puts the start closer to 2011.
The threat actors have used several vulnerabilities. Their use of zero-day bugs such as CVE-2014-4148 in Windows, together with backdoor malware able to penetrate the government, financial, telecommunications, energy, aviation, IT and education sectors, is one reason researchers believe the Lamberts are state-sponsored.
In 2017, Symantec said the attackers had compromised at least 40 targets in 16 countries.
The APT uses a range of malware, which security researchers label with different colours, to carry out reconnaissance, steal information and maintain persistence.
This includes Black Lambert, a second-stage implant that connects to a command-and-control (C2) server for instructions; White Lambert, a network-based backdoor; Blue Lambert, an earlier version of the payload; Green Lambert; and Pink Lambert, a toolkit that includes a USB compromise module and an orchestrator.
The initial attack vector of the Lamberts is unknown. However, the discovery of their malware alongside the new DePriMon downloader is noteworthy.
ESET published its analysis of the downloader in a blog post on Thursday. According to the researchers, the code uses “many non-traditional techniques,” including registering a new local port monitor to achieve persistence.
The port monitor is called “Windows Default Print Monitor”. It has been detected on dozens of computers in the Middle East, some of which were also infected with Lambert malware, and at a private company in Europe.
DePriMon is downloaded to memory and executed from there as a DLL using the reflective DLL loading technique. Because the downloader is never written to disk, its chance of being detected is reduced.
The port monitor is registered by creating a registry key and value (under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, where Windows keeps its port monitors), which requires administrator privileges. Once registered, the Print Spooler service, spoolsv.exe, loads the DLL at system startup.
“We assume DePriMon is the first malware instance ever publicly identified with this technique,” says ESET.
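Because every port monitor has to be registered under the same Monitors key and loaded by spoolsv.exe, a defender can audit that key directly. The script below is an added example written for this article, not ESET's code or a DePriMon sample: it lists each registered monitor, resolves its Driver DLL, checks the Authenticode signature, tells you whether the Print Spooler currently has it mapped, and flags anything that does not match a baseline of Windows' own monitor DLLs. The baseline list and the "Suspicious" heuristics are assumptions to be tuned against a clean machine of the same build; the monitor name “Windows Default Print Monitor” is the one ESET reported.

```powershell
# Added audit script (not ESET's code): list registered port monitors and flag ones
# that do not look like Windows' own. Run from an elevated prompt; it only reads.
$monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'

# Baseline of monitor DLLs shipped with Windows. This list is an assumption;
# compare it against a clean machine of the same build before trusting it.
$knownDrivers = @('localspl.dll', 'tcpmon.dll', 'usbmon.dll', 'wsdmon.dll',
                  'fxsmon.dll', 'lprmon.dll', 'appmon.dll')

# Modules currently mapped into the Print Spooler, to see whether a monitor DLL is live.
$spoolerModules = @()
$spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
if ($spooler) { $spoolerModules = $spooler.Modules | ForEach-Object { $_.FileName } }

$findings = foreach ($m in Get-ChildItem -Path $monitorsKey) {
    $driver = (Get-ItemProperty -Path $m.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    if (-not $driver) { continue }

    # spoolsv.exe resolves a bare file name from System32; an absolute path means
    # the DLL lives somewhere else, which is itself worth a look.
    $path = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path -Path "$env:SystemRoot\System32" -ChildPath $driver }

    # A missing file can mean the DLL was cleaned up or only ever existed in memory.
    $status = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }

    $fileName = [System.IO.Path]::GetFileName($driver).ToLowerInvariant()
    $reasons = @()
    if ($m.PSChildName -eq 'Windows Default Print Monitor') { $reasons += 'monitor name reported by ESET for DePriMon' }
    if ($status -ne 'Valid')                                  { $reasons += "signature: $status" }
    if ($knownDrivers -notcontains $fileName)                 { $reasons += 'DLL not in baseline' }
    if ($path -notlike "$env:SystemRoot\System32\*")          { $reasons += 'DLL outside System32' }

    [pscustomobject]@{
        Monitor         = $m.PSChildName
        Driver          = $driver
        ResolvedPath    = $path
        Signature       = $status
        LoadedInSpooler = ($spoolerModules -contains $path)   # -contains is case-insensitive
        Suspicious      = ($reasons.Count -gt 0)
        Reasons         = ($reasons -join '; ')
    }
}

$findings | Format-Table -AutoSize
```

A one-off audit only catches what is registered at the moment you run it. For continuous coverage, Sysmon registry events (Event ID 13, RegistryEvent value set) or native object-access auditing scoped to the Monitors key will record the moment a new monitor is written, which is the step that needs administrator privileges and that DePriMon cannot avoid.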
The downloader then sets up the channel through which it fetches and executes its main payload. The connection is opened over a Windows socket and then wrapped in an SSL/TLS session established through SSPI (Microsoft's Security Support Provider Interface); depending on the victim system's configuration, DePriMon may use Microsoft's Secure Channel (Schannel) provider for this.
DePriMon then communicates with its C2 over TLS. Commands and configuration data are encrypted with AES-256.
“The configuration is not kept unencrypted, because of its secure nature,” the researchers say. “It decrypts the configuration file every time the downloader needs some element of it, retrieves the members and encrypts the file again. This protects the malware's primary function, communicating with the C2, from memory forensics.” ESET adds: “DePriMon is an unusually advanced downloader, the developer of which has made an extra effort to create an architecture and crafting” and “DePriMon is a powerful, flexible and persistent tool designed for downloading and running a payload and collecting some basic system and user information along the way.”