PindOS: Powerful JavaScript Dropper Distributes Bumblebee and IcedID Malware


June 23, 2023
Ravie Lakshmanan
Malware / Cyber Threats

PindOS JavaScript Dropper

New strains of JavaScript droppers have been observed delivering next-stage payloads such as Bumblebee and IcedID.

Cybersecurity firm Deep Instinct tracks the malware as PindOS, a name that appears in its “User-Agent” string.

Both Bumblebee and IcedID function as loaders, acting as vectors for other malware on the compromised host, including ransomware. A recent report from Proofpoint highlighted IcedID’s abandonment of banking fraud features to focus solely on delivering malware.

Bumblebee, in particular, emerged as a replacement for another loader called BazarLoader, which was associated with the now-defunct TrickBot and Conti groups.


A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including Conti, Emotet, and IcedID.

Analysis of the PindOS source code by Deep Instinct shows that PindOS contains comments in Russian, raising the possibility of continued partnerships between e-crime groups.


Described as a “very simple” loader, PindOS is designed to download malicious executable files from remote servers. It uses two URLs, one of which serves as a fallback if the first URL fails to fetch the DLL payload.

“The fetched payload is pseudo-randomly generated ‘on demand’ which generates a new sample hash each time the payload is retrieved,” security researchers Shaul Vilkomir-Preisman and Mark Vaitzman said.

The DLL files are finally launched using rundll32.exe, a legitimate Windows tool for loading and running DLLs.
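Because the fetched payload is regenerated on every download and so never shares a file hash with an earlier sample, hash-based blocking is of little use against this dropper; what stays constant is the behaviour described above, a script-driven download followed by rundll32.exe loading a DLL from a user-writable location. The following Python triage routine is an added example, not code from the article or from Deep Instinct. It runs over constructed Sysmon-style process-creation events (the paths, DLL names and parent processes are invented for illustration; the assumption that a JavaScript dropper runs under a script host such as wscript.exe is mine, not a finding of the report) and scores each rundll32.exe launch on two behavioural signals rather than on any hash.

```python
import re

# Constructed sample process-creation events (not from the article).
# Fields mirror the ones a Sysmon Event ID 1 record would carry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\k3j2.dll,DllRegisterServer"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\Downloads\invoice.dll,#1"},
]

# Directories an unprivileged user can write to; a DLL loaded from here is unusual.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\",
    re.I,
)
# Script hosts that a JavaScript dropper would run under (assumption, see lead-in).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# First quoted or unquoted token ending in .dll on the command line.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.rsplit("\\", 1)[-1].lower()


def extract_dll(cmdline: str):
    """Return the DLL path handed to rundll32.exe, or None if none is present."""
    m = DLL_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def score_event(ev: dict):
    """Score one process-creation event; returns (score, list of reasons)."""
    reasons = []
    if _basename(ev["image"]) != "rundll32.exe":
        return 0, reasons
    dll = extract_dll(ev["cmdline"])
    if dll and USER_WRITABLE.search(dll):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    parent = _basename(ev["parent"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"rundll32.exe spawned by script host: {parent}")
    return len(reasons), reasons


def triage(events):
    """Return the events worth an analyst's attention, highest score first."""
    hits = []
    for idx, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score:
            hits.append({"index": idx, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['index']} score={hit['score']}")
        for r in hit["reasons"]:
            print("   -", r)
```

The two signals are deliberately independent: a DLL under AppData or Downloads is suspicious on its own, and rundll32.exe being spawned by a script host is suspicious on its own, so the constructed first event scores 2 while the third, which has an ordinary parent, still surfaces with a score of 1. The Control Panel launch from System32 scores 0 and is not reported.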

“Whether PindOS is adopted permanently by the actors behind Bumblebee and IcedID remains to be seen,” the researchers concluded.

“If this ‘experiment’ is successful for each of these ‘companion’ malware operators, it may become a permanent tool in their arsenal and gain popularity among other threat actors.”
