Saturday, April 13, 2024

“If you were a man…”: the new PindOS JavaScript dropper threatens the security of foreign companies

Malware with a name this distinctive clearly has Russian-speaking hackers behind it.

Researchers at Deep Instinct have discovered a new JavaScript dropper that delivers the Bumblebee and IcedID malware to infected computers.

The researchers named the dropper “PindOS”, a transliteration of a word used in Russia and the CIS countries as a slur for US citizens. They did not coin the name themselves: it is taken from the User-Agent string the malware sends when it downloads its payload.

The dropper code also contains many comments in Russian, which strongly hints at the origin of the attackers.

Bumblebee and IcedID are loaders that serve as a delivery vector for other malware, including ransomware. Bumblebee was first spotted in March 2022 and is commonly associated with the Conti group; it replaced an earlier loader, BazarLoader. IcedID is a modular banking trojan designed to steal financial information. It has been around since 2017 but has recently been reclassified as a malware delivery service.

The PindOS dropper uncovered by the researchers is relatively simple: it consists of a single “exec” function that takes four parameters:

  • “UserAgent” – the User-Agent string the dropper sends when requesting the payload;
  • “URL1” – the first download address;
  • “URL2” – the second (fallback) download address;
  • “RunDLL” – the name of the exported function in the payload DLL that is called after the download.

When executed, the dropper first tries to download the payload from URL1; if that fails, it falls back to URL2. The payload is written to the directory “%APPDATA%\Microsoft\Templates” as a “.dat” file whose name consists of six random digits. The downloaded payload is then run with rundll32.exe, and if that does not work the dropper can fall back to launching it through PowerShell.

“The retrieved payloads are pseudo-randomly generated on demand, resulting in a new hash sample being generated each time they are retrieved,” the researchers said.
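Because the payload is regenerated on every download, a hash blocklist will not hold; the behaviour described above is the durable indicator. The following Python script is an added example, not code from the article or from Deep Instinct: it hunts process-creation records for exactly the indicators the article gives (a launcher of rundll32.exe or powershell.exe referencing a payload at %APPDATA%\Microsoft\Templates\<six digits>.dat) and also flags matching file names in a directory listing taken from a host. The event fields, the sample records and the export name “EntryPoint” are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the article: payload written to %APPDATA%\Microsoft\Templates
# as <six digits>.dat, launched via rundll32.exe with PowerShell as a fallback.
# The three path prefixes cover the unexpanded variable, the PowerShell form
# and the expanded per-user profile path.
PAYLOAD_RE = re.compile(
    r"(?:%APPDATA%|\$env:APPDATA|\\AppData\\Roaming)"
    r"\\Microsoft\\Templates\\(\d{6})\.dat\b",
    re.IGNORECASE,
)
LAUNCHERS = {"rundll32.exe", "powershell.exe"}


@dataclass
class ProcessEvent:
    image: str          # process image name, e.g. "rundll32.exe" (constructed field)
    command_line: str   # full command line from the process-creation record


@dataclass
class Hit:
    image: str
    payload_id: str     # the six-digit part of the payload file name
    command_line: str


def inspect_event(ev: ProcessEvent) -> Optional[Hit]:
    """Return a Hit when a known launcher references a PindOS-style payload path."""
    if ev.image.lower() not in LAUNCHERS:
        return None
    m = PAYLOAD_RE.search(ev.command_line)
    if m is None:
        return None
    return Hit(ev.image.lower(), m.group(1), ev.command_line)


def hunt(events: List[ProcessEvent]) -> List[Hit]:
    """Run inspect_event over a batch of records and keep only the matches."""
    return [h for h in (inspect_event(e) for e in events) if h is not None]


def is_payload_filename(name: str) -> bool:
    """For a listing of %APPDATA%\\Microsoft\\Templates pulled from a host:
    exactly six digits plus .dat, the naming scheme the article describes."""
    return re.fullmatch(r"\d{6}\.dat", name, re.IGNORECASE) is not None


# Constructed sample records; "EntryPoint" is a placeholder export name.
SAMPLE_EVENTS = [
    ProcessEvent("rundll32.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Roaming\Microsoft\Templates\483921.dat",EntryPoint'),
    ProcessEvent("powershell.exe",
                 r'powershell.exe -nop -c "rundll32 $env:APPDATA\Microsoft\Templates\120075.dat,EntryPoint"'),
    # Benign: Word opening its Normal template from the same directory.
    ProcessEvent("WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"'),
    # Benign: ordinary rundll32 use with a system DLL.
    ProcessEvent("rundll32.exe",
                 r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
    # Seven digits: does not fit the naming scheme, so it is not reported.
    ProcessEvent("rundll32.exe",
                 r'rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\1234567.dat,EntryPoint'),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.image}: payload {hit.payload_id}.dat <- {hit.command_line}")
```

The launcher check is deliberate: the Templates directory is a legitimate Office location, so matching the path alone would page on every Word start. Restricting to rundll32.exe and powershell.exe loading a six-digit .dat from it is what ties the hit to the dropper's behaviour rather than to the directory.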

Whether PindOS will remain in consistent use by the actors behind the spread of Bumblebee and IcedID remains to be seen. If this “experiment” proves successful for the operators of each of these “companion” malware families, it could become a permanent tool in their arsenal and gain popularity with other attackers.
