This ‘grab-bag’ hacking attack drops six different types of malware in one go

'Hornet's Nest' campaign delivers a variety of malware that could create a nightmare for organisations that fall victim to attacks, warn researchers.
Written by Danny Palmer, Senior Writer

A high-volume hacking campaign is targeting organisations around the world with attacks that deliver a 'grab-bag' of malware that includes information-stealing trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer.

Uncovered by researchers at Deep Instinct, the combination of the volume of attacks with the number of different malware families has led to the campaign being named 'Hornet's Nest'.

The attacks are suspected to be offered as part of a cybercrime-as-a-service operation with those behind the initial dropper, which researchers have dubbed Legion Loader, leasing out their services to other criminals.


Clues in the code point to the Legion Loader being written by a Russian-speaker – and researchers note that the malware is still being worked on and updated. Attacks using the loader appear to be focused on targets in the United States and Europe.

It's still unclear how the attack is initially delivered, but once up-and-running on the machine, Legion Loader will execute PowerShell commands that enable it to begin retrieving its malicious payloads. The loader will then deliver three different forms of trojan malware, all of which are available on underground forums.

One is Vidar, a trojan that targets all sorts of personal information, including screenshots and the data stored in two-factor authentication software. A second trojan delivered is Predator the Thief, a form of malware that steals data and is also able to capture images using the victim's webcam.

The third is Raccoon Stealer, a relatively new information-stealer that is powerful, yet easy to customise and use.

Alongside these three types of malware, Legion Loader also contains an RDP-based backdoor providing the attacker with entry into the compromised machine. This could allow those using Legion Loader to deploy additional attacks in future.

Legion Loader allows attackers to steal vast swathes of personal data, all of which they could illicitly monetise either by committing fraud themselves, or by selling the information on to others on the dark web.

However, the Hornet's Nest campaign also provides a more immediate way for the attacker to make money: the Legion Loader payload includes a PowerShell-based cryptocurrency stealer that allows the attacker to raid the victim's bitcoin wallet for the contents stored within.


In addition to this, the malicious payload also comes with a cryptocurrency miner that exploits the processing power of the victim's computer to help generate cryptocurrency over a longer period of time.

The campaign isn't exactly highly sophisticated, but researchers note that a multi-pronged attack of this kind can cause a "security nightmare" for an organisation, considering all the kinds of data that could be compromised by hackers.

However, organisations that employ basic security measures, such as applying patches and securing internet-facing ports, will go a long way towards avoiding falling victim to the malware delivered by Legion Loader.
