DePriMon downloader uses a never seen installation technique

ESET researchers discovered a new downloader, dubbed DePriMon, that used new “Port Monitor” methods in attacks in the wild.

The new DePriMon downloader was used by the Lambert APT group, aka Longhorn, to deploy malware.

According to a report published by Symantec in 2017, Longhorn is a North American hacking group that has been active since at least 2011. The group is very sophisticated and used zero-day exploits and complex malware to conduct targeted attacks against governments and organizations in almost every industry, including financial, energy, telecommunications, and education, aerospace.

The targets were all located in the Middle East, Europe, Asia, and Africa.

In 2017, Symantec speculated that at least 40 targets in 16 countries have been compromised by the threat actors.

One of the malware in the arsenal of the group is the Black Lampert, it is an active implant used to control the infected system. Other malware in the arsenal are the passive network-based backdoor White Lampert, the Blue Lampert second-stage payload, the Green Lampert payload, and the Pink Lambert tool.

The DePriMon downloader achieves persistence by registering a new local port monitor, an evasion trick that falls under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase.

According to ESET, the DePriMon has been active since at least March 2017, it was found on computers in a private company in Central Europe, and at dozens of computers in the Middle East.

The domain names used as C&C servers contain Arabic words, suggesting that the attackers’ campaign aimed at targets in the Middle East.

The DePriMon is downloaded to memory and executed as a DLL using reflective DLL techniques, it is registered with a key and value, which requires administrator rights.

The registered DLL will be loaded at system startup by the spoolsv.exe with SYSTEM privileges.

“Both DePriMon’s second and third stages are delivered to the victim’s disk in the first stage. The second stage installs itself and loads the third stage using an encrypted, hardcoded path. One of the possible explanations is that it was configured after the first stage of the attack occurred.” reads the analysis.

“The described installation technique is unique. In principle, it is described in the MITRE ATT&CK taxonomy as “Port Monitors”, under both Persistence and Privilege Escalation tactics. We believe DePriMon is the first example of malware using this technique ever publicly described.”

The malware leverages the Microsoft implementation of SSL/TLS, Secure Channel, for C2 communication. ESET researchers pointed out that the authors have put significant effort into encryption in order to prevent the analysis of the DePriMon malware.

DePriMon communicates securely over TLS, the connection is initialized with a Windows socket and can continue with initialization of an authenticated Security Support Provider Interface (SSPI) session with the Negotiate / NTLM SSP. Then the DePriMon malware uses Schannel for the communication.

“DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components,” ESET concludes. “DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – DePriMon, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]