Lays Not One but Six Malware Variants

A new malware campaign is targeting organizations in the U.S. and Europe with an attack that delivers a six-in-one malware. It includes info-stealing trojans, a remote backdoor, crypto-stealer and a crypto-miner. Since there are multiple types of malware infested in a single go, its quantity and variety has earned it a name, “Hornet Nest”.

Researchers at Deep Instinct, a cybersecurity firm said, “Such volume and variety are uncommon in the general landscape and are highly suggestive of a dropper-for-hire campaign.” The Legion Loader (i.e. the Hornet Nest), is the primary payload dropper and is written in MS Visual C++ 8. As per observation, the Loader shows signs of active modifications and is most likely to be developed by a Russian speaker as the code shows a few traces of comments and UI written in Russian.

The mode of distribution is currently unknown but once the Legion Loader is installed, a few PowerShell commands are run which in turn download the remaining payloads. This consists of three variations of trojan malware—two crypto stealers; and one backdoor entry providing payload:

1. Vidar – Targets all sorts of personal information, including data stored in Two-Factor Authentication (2FA) software.
2. Predator the Thief – Steals data and can capture images using the victim’s webcam.
3. Racoon Stealer – Bypass Microsoft and Symantec anti-spam messaging gateways.
4. Crypto Stealer – A PowerShell-based cryptocurrency stealer which allows the attacker to steal from a victim’s bitcoin wallet.
5. Crypto Miner –Exploits the victim’s computer and its processing power to help mine cryptocurrency over a longer period.
6. RDP Backdoor – Provides the attacker entry into the victim’s compromised machine. This allows the attacker to execute additional attacks in the future.

Researchers said that, “Hornet Nest” is a classic example of how a less sophisticated malware can be a nightmare for any organization as it employs more advanced file-less techniques and delivers a bundle of follow-up malwares ranging from info-stealers and credential harvesters to crypto-miners and backdoors.

In a similar multiple trojan infection attack, researchers from Fortinet found a sample file of a dropper that was flagged suspicious. Upon research, it was found that the new malware had the capability to drop both RevengeRAT and WSHRAT on systems running Windows OS.

Comments are closed.