ESET researchers have discovered a new downloader with a novel, not previously seen in the wild installation technique
DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name, that’s why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a framework.
According to our telemetry, DePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.
Some of the domain names used as C&C servers contain Arabic words, which gives an indication of a region-specific campaign. However, DePriMon deserves attention beyond its targets’ geographical distribution: it is carefully written malware, with lots of encryption that is used properly.
To help defenders stay safe from this threat, we’ve thoroughly analyzed this newly discovered malware, focusing on the downloader itself. Because we’re missing initial stage(s), which we will refer to here as “the first stage”, we don’t know the initial distribution and compromise vector. What kind of final payload is used in the attacks is another question that remains to be answered.
However, it should be noted that, in a few cases, DePriMon was detected with ColoredLambert malware on the same computers within a short time frame. ColoredLambert is used by the Lamberts (aka Longhorn) cyberespionage group and linked to the Vault 7 leak of CIA capabilities. Our colleagues from Symantec and Kaspersky published their analyses in April 2017.
Both DePriMon’s second and third stages are delivered to the victim’s disk in the first stage. The second stage installs itself and loads the third stage using an encrypted, hardcoded path. One of the possible explanations is that it was configured after the first stage of the attack occurred.
The described installation technique is unique. In principle, it is described in the MITRE ATT&CK taxonomy as “Port Monitors”, under both Persistence and Privilege Escalation tactics. We believe DePriMon is the first example of malware using this technique ever publicly described.
The second stage registers the third-stage DLL as a port monitor by creating the following registry key and value:
HKLMSYSTEMCurrentControlSetControlPrintMonitorsWindows Default Print Monitor
Driver = %PathToThirdStageDLL%
Administrator rights are required for creating this registry key.
At system startup, the registered DLL will be loaded by spoolsv.exe with SYSTEM privileges, which, combined with the uniqueness of this method, makes this technique very effective for attackers.
The second stage checks regularly whether there is a file in the %system32% folder with the same name as the third stage DLL file but without the “.dll” extension. This file serves as an uninstallation trigger – should DePriMon find it, it removes both this file and its own components in a secure way by overwriting the binaries and then deleting them.
The third stage, responsible for downloading the main payload(s) from DePriMon’s operators, also implements some interesting techniques.
For C&C communication, it uses the Microsoft implementation of SSL/TLS, Secure Channel, instead of common APIs like WinHTTP or WinInet. Its configuration is very complex, as is the way the malware handles it. Finally, the authors have put significant effort into encryption, making the DePriMon malware more difficult to analyze.
DePriMon communicates securely over TLS, however, not on a high level as is a typical scenario in malware. The connection is initialized with a Windows socket and can continue with initialization of an authenticated Security Support Provider Interface (SSPI) session with the Negotiate / NTLM SSP. After that, DePriMon uses Schannel.
SSPI is used/not used according to a particular flag in the configuration file and can utilize the local proxy settings of the machine. The implementation is similar to this example provided by Microsoft.
The malware’s implementation of TLS via Schannel is similar to this example by Coast Research & Development. It includes creating credentials, performing the client handshake and verifying the server certificate.
After the communication is established, the third stage encrypts and decrypts messages manually each time.
The configuration data for DePriMon’s third stage has 27 members, which is an unusually large number for a downloader. It is encrypted with AES-256 and embedded in the binary.
During the first run, DePriMon’s third stage (the downloader itself) decrypts the configuration data with Key 2 (see the IoCs section), encrypts it with Key 3 and stores the encrypted configuration file in a temporary folder. The filename for the configuration file is created via the following process: Starting with the second byte, the value of Key 2 is transformed into a number in base 36 but encoded using custom alphabet “abc…xyz012…789”. The extension of the configuration file is “.tmp”.
An example of a configuration file path: %temp%rb1us0wm99sslpa1vx.tmp.
During the second run, the downloader reads the configuration data from the file, not from itself – this way, the attacker can easily update the configuration.
Thanks to its secure design, the configuration is not left in memory in unencrypted form. Every time the downloader needs to use some element of the configuration file, it decrypts the configuration file, retrieves the member and encrypts the file again.
This design protects the malware’s primary function – C&C communication – against memory forensics.
Of interest in the configuration file are:
- Two entries for usernames and two members for passwords – for the proxy server if it is set on the machine. It means attackers are preparing to further their attack via a proxy with credentials. However, we haven’t seen functionality for stealing these details, so it appears that it is done in another phase of the attack.
- Three entries for three C&C servers – each of them used on a different occasion.
- Three entries for three ports – each of them used on a different occasion.
- Flags indicating whether the downloader initializes a connection through Security Support Provider Interface (SSPI) with a possible proxy or only with a socket (described later).
It should be noted that besides C&C servers extracted from malware samples, we identified additional domains and servers likely related to this malware.
The malware uses the AES encryption algorithm with three different 256-bit keys for different purposes (these keys are listed in the IoCs section).
- Key 1: For decryption of various sensitive strings in the malware.
- Key 2: For encryption and decryption of the configuration data in memory (as described earlier). This key is also used to generate the third key.
- Key 3: For encryption and decryption of the configuration file on disk.
This key is not hardcoded but derived using a 32-byte array which is then encrypted. The array is generated as follows: the first 4 bytes are the volume serial number of the system drive, and the remaining 28 bytes contain the values 5 – 32. This array is encrypted with Key 2, resulting in Key 3.
DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.
DePriMon is downloaded to memory and executed directly from there as a DLL using the reflective DLL loading technique. It is never stored on disk. It has a surprisingly extensive configuration file with several interesting elements, its encryption is properly implemented and protects the C&C communication effectively.
As a result, DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way.
Indicators of Compromise (IoCs)
ESET detection names
Keys – example
Key 1: C097CF17DC3303BC8155534350464E50176ACA63842B0973831D8C6C8F136817
Key 2: 8D35913F80A23E820C23B3125ABF57901BC9A7B83283FB2B240193ABDEDE52B9
Key 3: Derived as described earlier.
MITRE ATT&CK techniques
|Persistence||T1013||Port Monitors||DePriMon installs one of its components as a port monitor for achieving persistence.|
|Defense Evasion||T1036||Masquerading||DePriMon places its components into the System32 folder with names mimicking common system DLLs.|
|T1107||File Deletion||DePriMon can delete itself securely by overwriting its files with random data and then deleting them.|
|T1112||Modify Registry||DePriMon adds registry entry in HKLMSYSTEMCurrentControlSetControlPrintMonitors to achieve persistence.|
|T1134||Access Token Manipulation||DePriMon obtains a user token for obtaining information about the proxy settings on the machine.|
|T1140||Deobfuscate/Decode Files or Information||DePriMon encrypts some of its strings and its configuration file using AES-256.|
|Discovery||T1007||System Service Discovery||DePriMon can list registered services on the system.|
|T1057||Process Discovery||DePriMon can list running processes on the system.|
|T1082||System Information Discovery||DePriMon collects various information about the system.|
|T1124||System Time Discovery||DePriMon regularly checks system time and performs various actions based on it, such as uninstallation.|
|Command And Control||T1043||Commonly Used Port||DePriMon uses ports 443 and 8080 for C&C communication.|
|T1071||Standard Application Layer Protocol||DePriMon uses HTTP for C&C communication.|
|T1090||Connection Proxy||DePriMon uses local proxy settings to make its communication less suspicious.|