- Jul 22, 2014
- 2,525
The camouflage capabilites of the Dimnie malware family made it so that researchers didn't spot if for a long time
For more than three years one malware family managed to fly under the radar of researchers thanks to its stealthy command and control methods.
According to researchers from the Palo Alto Networks, the malware family, dubbed Dimnie, was discovered in mid-January when it was in the middle of a campaign targeting open-source developers via phishing emails. It seems that emails contained a malicious .doc file that contained embedded macro code set to execute a PowerShell command to download and execute another file.
Palo Alto Networks says it observed samples of this malware as far back as early 2014, with identical command and control mechanisms. "The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign," researchers explain in a post.
Stealthy job
By looking at the malware's communication with the C&C infrastructure, researchers determined that it uses HTTP Proxy requests to the Google PageRank service, which has been shut down last year. Because the absolute URI in the HTTP request is linking to a non-existent service, the server isn't acting as a proxy, and this is simply a way to camouflage itself.
Researchers concluded that the malware's main functionality appears to be stealing information and reconnaissance. The modular framework, however, allows hackers to use a wider range of capabilities that have not been observed during analysis.
“Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown,” Palo Alto researchers conclude.
some good news ....new sample VT 35/56
Antivirus scan for 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e at 2017-03-30 15:47:37 UTC - VirusTotal
payload
Antivirus scan for 3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22 at 2017-03-30 20:39:40 UTC - VirusTotal
For more than three years one malware family managed to fly under the radar of researchers thanks to its stealthy command and control methods.
According to researchers from the Palo Alto Networks, the malware family, dubbed Dimnie, was discovered in mid-January when it was in the middle of a campaign targeting open-source developers via phishing emails. It seems that emails contained a malicious .doc file that contained embedded macro code set to execute a PowerShell command to download and execute another file.
Palo Alto Networks says it observed samples of this malware as far back as early 2014, with identical command and control mechanisms. "The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign," researchers explain in a post.
Stealthy job
By looking at the malware's communication with the C&C infrastructure, researchers determined that it uses HTTP Proxy requests to the Google PageRank service, which has been shut down last year. Because the absolute URI in the HTTP request is linking to a non-existent service, the server isn't acting as a proxy, and this is simply a way to camouflage itself.
Researchers concluded that the malware's main functionality appears to be stealing information and reconnaissance. The modular framework, however, allows hackers to use a wider range of capabilities that have not been observed during analysis.
“Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown,” Palo Alto researchers conclude.
some good news ....new sample VT 35/56
Antivirus scan for 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e at 2017-03-30 15:47:37 UTC - VirusTotal
payload
Antivirus scan for 3f73b09d9cdd100929061d8590ef0bc01b47999f47fa024f57c28dcd660e7c22 at 2017-03-30 20:39:40 UTC - VirusTotal
Last edited:
