ESET discovers malware using a novel installation technique previously unseen in the wild

Next story

ESET researchers have discovered a new downloader with several stages and many nontraditional techniques that registers itself as a default print monitor. They named it DePriMon.

BRATISLAVA
– ESET researchers, investigating a cyberattack with targets in the Middle East, discovered a technically interesting downloader. Among many of its nontraditional techniques, one stands out: The malware registers a new local port monitor under the name “Default Print Monitor.”

This earned the downloader the name DePriMon. Due to DePriMon’s complexity and modular architecture, ESET researchers consider it a framework.

According to ESET telemetry, the DePriMon malware has been active since at least March 2017. It was detected in a private company based in Central Europe, and on dozens of computers in the Middle East. In a few cases, DePriMon was detected along with the ColoredLambert malware, which is known to be used by the Lamberts cyberespionage group (also known as Longhorn) and linked to the Vault 7 leak.

ESET researchers find DePriMon to be an unusually advanced downloader whose developers put extra effort into setting up its architecture and crafting the critical components. Thus, it deserves attention beyond its targets’ limited geographical distribution and possible relation to an infamous cyberespionage group.

DePriMon is downloaded to memory and executed directly from there as a DLL file using the reflective DLL-loading technique; it is never stored on the disk. It has a surprisingly extensive configuration file with interesting elements, its encryption is properly implemented, and it protects its C&C communication effectively. As a result, DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way.

To help defenders stay safe from this threat, ESET researchers have thoroughly analyzed this newly discovered malware, focusing on its installation technique, which has been categorized in the MITRE ATT&CK knowledgebase as “Port Monitors,” under both Persistence and Privilege Escalation tactics.

As the MITRE ATT&CK knowledgebase doesn’t list any real-world example of this technique, ESET researchers believe that DePriMon is the first example of the “Port Monitors” technique ever publicly described.

For more details, read the blog post, Registers as a Default Print Monitor but is a malicious downloader. Meet DePriMon, on WeLiveSecurity.

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedInFacebook and Twitter.