New PindOS JavaScript Dropper Deploys Bumblebee, IcedID Malware

Security researchers have identified a new malicious tool dubbed PindOS. It is a JavaScript-based malware dropper built to retrieve second-stage payloads, which in turn deliver the attackers' final payload.

The payloads it delivers belong to two notorious malware families, Bumblebee and IcedID, both commonly employed in ransomware attacks. Bumblebee and IcedID have previously been observed as effective means of deploying other malware, including ransomware, on compromised systems.

Both families are known for facilitating cyberattacks and providing unauthorized access to targeted machines, and PindOS now serves as a delivery mechanism for them. Its job is to fetch the second-stage payloads that ultimately deliver the attackers' final payload, often with devastating consequences for the targeted systems and their owners. According to a recent report by cybersecurity firm Deep Instinct, the PindOS dropper is straightforward in design yet effective in practice.

It consists of a single function with four parameters that downloads the chosen payload: either Bumblebee or IcedID, a banking trojan that has since been repurposed as a malware loader. The dropper arrives obfuscated; once decoded, it turns out to be surprisingly simple.

Its configuration specifies a user agent to use when downloading the DLL payload, two URLs ("URL1" and "URL2") where the payload is hosted, and a RunDLL parameter that names the exported function of the payload DLL to be executed.

As the researchers highlight, one interesting detail of PindOS is the redundant second URL parameter, which acts as a fallback when the first attempt to retrieve the payload from URL1 fails. In such cases, PindOS uses a combination of PowerShell commands and Microsoft's rundll32.exe. Adversaries frequently abuse rundll32.exe as a way to launch malicious code.

PindOS therefore relies on this well-worn technique to execute the payload and accomplish its objectives. Once retrieved, the payload is written to a specific location: "%appdata%/Microsoft/Templates/".

The payload is saved as a DAT file with a randomized name consisting of six digits. Notably, the samples are generated "on demand": each download yields a sample with a distinct hash, which defeats the signature-based detection that security products commonly rely on to identify known threats.
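Because the hash changes on every download, a defender is better served by the behavioural details the post describes (the drop path, the six-digit .dat name, and rundll32.exe launched via PowerShell) than by file signatures. The following is an added detection example, not code from the original post or from Deep Instinct; it assumes a generic process-creation log with parent image, image and command line, with the drop path rendered Windows-style (%appdata% expanded to C:\Users\<user>\AppData\Roaming), and the sample events and export name are constructed.

```python
import re

# Constructed process-creation events (not from the post). Event 0 matches the
# behaviour described: PowerShell -> rundll32.exe loading a six-digit .dat from
# the Templates folder. Event 1 is benign. Event 2 uses a non-six-digit name.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\483920.dat,SampleExport"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\12.dat,Run"},
]

# Drop location from the post: %appdata%\Microsoft\Templates\<six digits>.dat,
# followed by the exported function selected by the RunDLL parameter.
TEMPLATES_DAT = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Templates\\(\d{6})\.dat\s*,\s*(\w+)",
    re.IGNORECASE,
)


def score_event(event):
    """Return the list of indicators matched by one process-creation event."""
    hits = []
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return hits
    m = TEMPLATES_DAT.search(event["cmdline"])
    if m:
        hits.append(f"rundll32 loads {m.group(1)}.dat from Templates, export {m.group(2)}")
        # Parent of PowerShell strengthens the match (the post's launch chain).
        if event["parent"].lower().endswith("\\powershell.exe"):
            hits.append("rundll32 spawned by PowerShell")
    return hits


def detect(events):
    """Return (index, indicators) for every event that matched at least once."""
    flagged = []
    for i, e in enumerate(events):
        hits = score_event(e)
        if hits:
            flagged.append((i, hits))
    return flagged
```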