According to TEHTRIS, the ongoing campaign began on December 19, 2024, and has since spread globally, with Brazil emerging as the most affected country, accounting for around 10% of reported cases.
LegionLoader primarily infects systems through drive-by downloads, where users unknowingly download malicious software from compromised websites.
Cybercriminals behind this campaign frequently leverage illegal download platforms and unsecured web pages, which are quickly taken down after redirecting victims to Mega cloud storage links containing a single ZIP file. These ZIP archives house a 7-Zip password-protected file, making it difficult for security tools to scan the contents.
To further deceive users, a separate image file displays the password required for extraction, enticing them to execute the malware.
Once extracted, LegionLoader is deployed as an MSI (Microsoft Installer) file, requiring user interaction to execute. TEHTRIS researchers found that antivirus detection rates for these MSI files range between 3 and 9 out of 60, indicating the malware’s ability to evade traditional security measures.
The MSI file also includes two key anti-sandbox mechanisms: a fake CAPTCHA prompt to prevent automated analysis and a virtual environment detection feature using Advanced Installer. These obstacles make it challenging for security researchers to analyze the malware in controlled environments.
Upon execution, LegionLoader extracts multiple files into the system’s %APPDATA% directory, including clean DLLs, executables, and a password-protected archive containing the primary payload.
The malware then uses UnRar.exe to extract a DLL file, which is sideloaded using obsffmpegmux.exe to execute the next stage of the attack. Notably, the obs.dll payload is crafted to evade detection by security tools. TEHTRIS analysis found that most of its exports are empty, while the few containing code appear intentionally misleading, likely to slow down forensic investigation.
Further examination using BinDiff revealed that while different obs.dll samples were structurally identical, variations existed in their second-stage payloads. During dynamic analysis, researchers observed shellcode decryption, leading to the execution of another malicious component. This secondary stage communicates with hardcoded command-and-control (C2) servers, though all identified C2 domains were inactive at the time of analysis, preventing further insights into the malware’s final objective.
If all infection stages are completed, LegionLoader attempts to execute a final payload using rundll32.exe. The malware downloads an additional file, places it in a randomly named directory under %TMP%, and launches it as svchost.exe. Given the use of rundll32.exe, researchers suspect the final payload is another malicious DLL, though its specific function remains unknown.
To protect against LegionLoader, security experts advise avoiding software downloads from unverified sources and implementing behavior-based detection strategies. These proactive measures can help mitigate the risks posed by evolving malware threats.
