A new downloader uses the unusual "Port Monitor" method to compromise a computer. The malware, called DePriMon, is used by the Lambert group, also known as the Longhorn advanced persistent threat (APT), which, as security companies have found, mainly targets organizations in Europe and the Middle East.
The attackers exploit a number of vulnerabilities, including the CVE-2014-4148 Windows exploit, to infiltrate government, telecommunications, finance, aviation, energy, IT and education organizations, which gives the impression that the group is state-backed.
According to Symantec, at least 40 targets in 16 countries were attacked by the group in 2017.
The APT uses various malware families, including Black Lambert, an active "implant" that communicates with the command and control server; White Lambert, a network-based backdoor; Blue Lambert, a malicious second-stage payload; Green Lambert, an older version of that payload; and Pink Lambert, a toolkit that includes a USB infection module and an orchestrator.
ESET published the results of its analysis of the malicious downloader. According to the researchers, the program uses "many non-traditional techniques", including registering a new Local Port Monitor to achieve persistence.
The technique is called "Windows Default Print Monitor" and was discovered at a company in Europe and on computers in the Middle East that had also been infected by the Lambert group's malware.
DePriMon is downloaded straight into memory and executed as a DLL using in-memory DLL loading techniques. Because the downloader is never written to disk, its chances of being detected are reduced.
The DLL is loaded by spoolsv.exe at system startup, which gives it administrator privileges.
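As an added example (not code from the article or from ESET's report), the following PowerShell audit enumerates the Port Monitor registrations that spoolsv.exe loads at startup and flags any whose DLL is not in the expected baseline, is missing, lives outside System32, or is not validly Microsoft-signed. The baseline list of monitor DLLs is an assumption; adjust it to the audited host.

```powershell
# Added example: audit Print Monitor registrations, the persistence location
# described in the article. Run from an elevated PowerShell session.
$monitorKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$system32   = Join-Path $env:SystemRoot 'System32'

# Assumed baseline of stock monitor DLLs; tailor this to your own golden image.
$baseline = @('localspl.dll', 'usbmon.dll', 'tcpmon.dll', 'WSDMon.dll', 'APMon.dll', 'FXSMON.dll')

Get-ChildItem -Path $monitorKey | ForEach-Object {
    $name   = $_.PSChildName
    $driver = (Get-ItemProperty -Path $_.PSPath -Name 'Driver' -ErrorAction SilentlyContinue).Driver
    if (-not $driver) { return }   # key without a Driver value loads nothing

    # The Driver value is normally a bare file name resolved from System32;
    # a rooted path pointing elsewhere is itself a warning sign.
    $path = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $system32 $driver }
    $findings = @()

    if ($baseline -notcontains [System.IO.Path]::GetFileName($driver)) { $findings += 'not in baseline' }

    if (-not (Test-Path -LiteralPath $path)) {
        $findings += 'file missing'
    } else {
        if (-not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += 'outside System32'
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += 'non-Microsoft signer'
        }
    }

    [PSCustomObject]@{
        Monitor  = $name
        Driver   = $path
        Findings = if ($findings) { $findings -join ', ' } else { 'ok' }
    }
} | Format-Table -AutoSize
```

Any row other than "ok" deserves a look; a freshly added monitor whose DLL is unsigned or sits outside System32 matches the persistence pattern described above.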
A channel is then set up for downloading and executing the main malware. This channel is encrypted with SSL/TLS; depending on the configuration of the victim's system, DePriMon can use Microsoft's Secure Channel (Schannel) implementation for this.
DePriMon then communicates with its C2 server over TLS. The commands and configuration data are encrypted with AES-256.
ESET states that "DePriMon is an unusually advanced downloader whose developers have made extra efforts to create the architecture and build its critical components. It's a powerful, versatile and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user."