InfoSec News & Investigations

Multiple-malware dropper ‘Legion Loader’ dissected

The insidious nature of difficult-to-detect, multiple strains of malware working in tandem to unleash complete obliteration is on full display with the dropper Legion Loader.

The quantity and variety of malware earned it the nickname “Hornet’s Nest,” explained report author Shaul Vilkomir-Preisman, an Israel-based malware & cyber intelligence expert at Deep Instinct, which said it recently prevented a malicious dropper from infecting a customer’s environment.

The campaign, which focused simultaneously on both U.S. and European targets, is “a grab-bag of multiple types of info-stealers, backdoors, a file-less crypto-currency stealer built into the dropper, and occasionally a crypto-miner,” wrote Vilkomir-Preisman.

Having previously discovered similar characteristics in several other network intrusions and emerging-threats rule-sets, Deep Instinct dubbed the dropper “Legion Loader,” a name it believes is even more valid after this latest attack, whose volume and variety, uncommon in the general hacking landscape, smack of “a dropper-for-hire campaign.”

The dropper serves as “a classic case-in-point of how even a relatively low-sophistication malware can become a security nightmare for an organization,” Preisman said, adding that Legion Loader employs more advanced file-less techniques and delivers a myriad of follow-up malware ranging from info-stealers and credential harvesters to crypto-miners and backdoors.

Written in MS Visual C++ 8, Legion Loader appears to be under active development. The dropper’s specific modules include several VM/Sandbox (VMware, VBOX, etc.) and research-tool evasions (common debuggers, SysInternals utilities, etc.).

The attackers’ modus operandi becomes evident because, when combined, there’s no evidence of string obfuscation, removing the ability for straightforward analysis.

Despite the dropper evading typical antivirus detection, Deep Instinct tracked a capability for the delivery of two to three additional malware executables, including a built-in file-less crypto-currency stealer and browser-credential harvester.

When operating properly, the Legion Loader takes control of the subsequent command-and-control (C&C) server, which looks for an expected response. If it does not get the code, then the scheme terminates to further avoid detection.

Deep Instinct notes that its interest was piqued by the sheer volume and variety of malware unleashed by this tactic. The majority of this information-stealing malware – Vidar, Predator the Thief, and Raccoon – is readily available for purchase from dark-net marketplaces.

Legion Loader also features a built-in crypto-currency stealer, including wallets and harvested credentials, and a remote desktop protocol (RDP) backdoor that shows up as a Nullsoft Scriptable Install System (NSIS) installer. Other executables found with the dropper disguise themselves as .xml but are really .DLL files.
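A defender can check for the extension mismatch described above by reading file headers rather than trusting names. The following is an added example, not code from Deep Instinct's report or from SC Media; the function names, the 4096-byte read limit and the sample header builder are assumptions made for illustration.

```python
import struct
import sys
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None for a buffer, based on its PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) plus COFF header (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_disguised_pe(root, extensions=(".xml",), read_limit=4096):
    """Yield (path, kind) for files named like documents whose bytes are a PE image.

    Assumption: the PE header starts within the first read_limit bytes.
    """
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            try:
                with path.open("rb") as fh:
                    kind = pe_kind(fh.read(read_limit))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if kind:
                yield path, kind


def build_sample_pe(dll: bool) -> bytes:
    """Constructed header-only stub (not a loadable image) used as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2002 if dll else 0x0002)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for hit, kind in find_disguised_pe(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit}: extension {hit.suffix} but content is a PE {kind}")
```

Run against a directory, it reports every `.xml` file whose header parses as a PE image and says whether the DLL flag is set.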

The post Multiple-malware dropper ‘Legion Loader’ dissected appeared first on SC Media.
