A malware downloader has been spotted using novel "Port Monitor" methods that have not been detected before in active campaigns.
Dubbed DePriMon, the malicious downloader is used to deploy malware used by Lambert -- also known as the Longhorn advanced persistent threat (APT) group -- which specializes in attacks against European and Middle Eastern companies.
Kaspersky estimates that Lambert has been active since at least 2008, whereas Symantec rounds up the year as closer to 2011.
The threat actors use a variety of vulnerabilities, from zero-day bugs including the CVE-2014-4148 Windows exploit and backdoor malware to infiltrate government, financial, telecoms, energy, aviation, IT, and educational sectors, prompting the belief that Lambert may be state-sponsored.
In 2017, Symantec said that at least 40 targets in 16 countries have been compromised by the attackers.
The APT uses various malware, assigned different colors by cybersecurity researchers, to conduct reconnaissance, steal data, and maintain persistence.
These include Black Lampert, an active implant used to connect to a command-and-control (C2) server for instructions; White Lampert, a passive, network-based backdoor; Blue Lampert, a second-stage malware payload; Green Lampert, an older version of the aforementioned payload; and Pink Lambert, a toolkit including a USB-compromising module and an orchestrator.
The initial Lampert attack vector is unknown. However, the discovery of the malware in tandem with the new DePriMon download is of note.
ESET published the results of an investigation into the downloader in a blog post on Thursday. According to the cybersecurity researchers, the code uses "many non-traditional techniques" including the registration of a new local port monitor to achieve persistence.
The port monitor is named "Windows Default Print Monitor" -- leading to the downloader's name -- and has been detected at a private company in Europe, alongside "dozens of computers" in the Middle East that were also compromised by Lambert malware.
DePriMon is downloaded to memory and executed as a DLL using reflective DLL techniques. As the downloader is never stored on disk, this can reduce the risk of being detected.
The port monitor is registered with a key and value, which requires administrator rights. To achieve this, the DLL will be loaded by spoolsv.exe on system startup.
"We believe DePriMon is the first example of malware using this technique ever publicly described," ESET says.
A path is then forged for the download and execution of the main malware payloads. This path is encrypted using Microsoft's SSL/TLS and Secure Channel system, initialized with a Windows socket and subsequent SSPI sessions. DePriMon may also use Schannel, depending on the victim's system configuration.
DePriMon is then able to communicate with its C2 over TLS. Commands and configuration data is encrypted with AES-256.
"Thanks to its secure design, the configuration is not left in memory in unencrypted form," the researchers say. "Every time the downloader needs to use some element of the configuration file, it decrypts the configuration file, retrieves the member and encrypts the file again. This design protects the malware's primary function -- C2 communication -- against memory forensics."
"DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components," ESET added. "DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way."
Previous and related coverage
- When one isn't enough: This shady malware will infect your PC with dual Trojans
- Emotet resurgence packs in new binaries, Trickbot functions
- Cloud Atlas threat group updates weaponry with polymorphic malware
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0