- Nov 3, 2019
Legion Loader is a new dropper that is already in wide use. It is distinctive for the wide range of malware it has been seen to drop and for its continuing development. The implication is that it is available for hire as part of the burgeoning malware-as-a-service black market.
While other droppers often become associated with particular malware -- just as Emotet is known to drop Trickbot, and Trickbot is known to drop Ryuk and Lockergoga ransomware (and more recently web skimming malware) -- Legion is already known to drop a wide range of malware. This includes infostealers such as Vidar, Predator and Raccoon; and a crypto stealer, a crypto miner and an RDP backdoor.
A Legion campaign has been detected, and the dropper used has been analyzed by researchers at Deep Instinct. The analysis was 'fairly straightforward': although it includes several sandbox and research tool evasions, it lacks string obfuscation