A new malware campaign is targeting organizations in the U.S. and Europe with an attack that delivers six pieces of malware in one go: info-stealing trojans, a remote backdoor, a crypto-stealer and a crypto-miner. Because so many types of malware are dropped in a single infection, the quantity and variety of payloads have earned the campaign the name “Hornet Nest”.
Researchers at Deep Instinct, a cybersecurity firm, said, “Such volume and variety are uncommon in the general landscape and are highly suggestive of a dropper-for-hire campaign.” The Legion Loader (i.e. the Hornet Nest) is the primary payload dropper and is written in MS Visual C++ 8. The researchers observed that the loader shows signs of active modification and was most likely developed by a Russian speaker, since the code contains a few comments and UI strings written in Russian.
The mode of distribution is currently unknown, but once the Legion Loader is installed it runs a few PowerShell commands that in turn download the remaining payloads. These consist of three information-stealing trojans, two cryptocurrency-focused payloads and one backdoor:
- Vidar – Targets all sorts of personal information, including data stored in Two-Factor Authentication (2FA) software.
- Predator the Thief – Steals data and can capture images using the victim’s webcam.
- Raccoon Stealer – Bypasses Microsoft and Symantec anti-spam messaging gateways.
- Crypto Stealer – A PowerShell-based cryptocurrency stealer that lets the attacker steal from the victim’s Bitcoin wallet.
- Crypto Miner – Exploits the victim’s computer and its processing power to mine cryptocurrency over a longer period.
- RDP Backdoor – Provides the attacker entry into the victim’s compromised machine. This allows the attacker to execute additional attacks in the future.
Researchers said that “Hornet Nest” is a classic example of how less sophisticated malware can still be a nightmare for any organization: it employs more advanced fileless techniques and delivers a bundle of follow-up malware ranging from info-stealers and credential harvesters to crypto-miners and backdoors.
In a similar multi-trojan infection, researchers from Fortinet analysed a dropper sample that had been flagged as suspicious and found that the new malware was capable of dropping both RevengeRAT and WSHRAT on systems running Windows.