Malware Family Goes Undetected for Three Years


CrAKeN


Researchers noticed the Dimnie malware goes back to 2014


For more than three years one malware family managed to fly under the radar of researchers thanks to its stealthy command and control methods. 


According to researchers from Palo Alto Networks, the malware family, dubbed Dimnie, was discovered in mid-January in the middle of a campaign targeting open-source developers via phishing emails. The emails contained a malicious .doc file with embedded macro code that executes a PowerShell command to download and run another file.


Palo Alto Networks says it observed samples of this malware as far back as early 2014, with identical command and control mechanisms. "The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign," researchers explain in a post. 


Stealthy job


By looking at the malware's communication with its C&C infrastructure, researchers determined that it uses HTTP proxy requests addressed to the Google PageRank service, which was shut down last year. Because the absolute URI in the HTTP request points to a service that no longer exists, the server is not actually acting as a proxy; the request format is simply camouflage.


Researchers concluded that the malware's main functionality appears to be information stealing and reconnaissance. Its modular framework, however, allows the attackers to deploy a wider range of capabilities that were not observed during analysis.


“Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown,” Palo Alto researchers conclude.


Source
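The C&C trick described above (proxy-style requests with an absolute URI sent to a server that is not a proxy) can be spotted from HTTP request logs. The following is an added detection example, not code from the article or from Palo Alto Networks; the log records, host names and the list of known proxies are constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of HTTP request records as a network sensor might log
# them: the destination the client actually connected to, the request line
# and the Host header. Hosts and IPs are placeholders, not real indicators.
SAMPLE_RECORDS = [
    {"dst_ip": "203.0.113.10", "port": 80,
     "request_line": "GET http://toolbar-pagerank.example/tbr?q=info HTTP/1.1",
     "host": "toolbar-pagerank.example"},
    {"dst_ip": "198.51.100.7", "port": 80,
     "request_line": "GET /index.html HTTP/1.1",
     "host": "www.example.org"},
    {"dst_ip": "10.0.0.5", "port": 3128,
     "request_line": "GET http://www.example.org/ HTTP/1.1",
     "host": "www.example.org"},
]

# Hypothetical set of proxies the organisation really operates. Absolute-form
# request-targets are only expected when the client talks to one of these.
KNOWN_PROXIES = {("10.0.0.5", 3128)}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def is_absolute_form(target: str) -> bool:
    """True when the request-target is a full URI, i.e. proxy-style."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify(record: dict, known_proxies=KNOWN_PROXIES) -> str:
    """Label one request record for triage."""
    m = REQUEST_LINE.match(record["request_line"])
    if not m:
        return "malformed"
    if not is_absolute_form(m.group("target")):
        return "origin-form"            # normal direct request
    if (record["dst_ip"], record["port"]) in known_proxies:
        return "proxy-request"          # expected: sent to a real proxy
    # Proxy-style request sent straight to a non-proxy host: the peer is not
    # forwarding anything, so the absolute URI is camouflage. Flag it.
    return "suspicious-fake-proxy"


def find_suspicious(records, known_proxies=KNOWN_PROXIES):
    """Return the records that match the fake-proxy pattern."""
    return [r for r in records
            if classify(r, known_proxies) == "suspicious-fake-proxy"]
```

A real deployment would feed this from proxy or IDS logs and could additionally compare the URI host against the Host header and the resolved destination.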
