DePriMon downloader uses novel ways to infect your PC with ColoredLambert malware

A malware downloader has been spotted using novel "Port Monitor" methods that have not been detected before in active campaigns. 
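The "Port Monitor" technique referred to above is a persistence mechanism: Windows loads print port monitor DLLs named under the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`, so an attacker who can write a new subkey there gets a DLL loaded by the print spooler. A defender's first check is therefore to enumerate that key and compare it against a known-good baseline. The script below is an added example, not code from the original article or from the ESET research it reports on; it parses a constructed `reg export`-style dump of the Monitors key (the "Example Monitor" entry and its DLL path are invented for illustration) and flags monitors that are not in the default allowlist or whose driver differs from the expected DLL. The allowlist reflects the monitors shipped with a typical Windows install and should be adjusted to your own baseline.

```python
import re
from typing import Dict, List

# Windows loads print port monitors from this key; each subkey names a
# monitor and its "Driver" value names the DLL that spoolsv.exe will load.
MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Default monitors on a typical Windows install (monitor name -> DLL).
# Assumption: anything outside this baseline deserves a closer look.
KNOWN_MONITORS = {
    "Local Port": "localspl.dll",
    "Standard TCP/IP Port": "tcpmon.dll",
    "USB Monitor": "usbmon.dll",
    "WSD Port": "WSDMon.dll",
}

# Constructed sample of a `reg export` of the Monitors key. The last entry
# is invented to show what an unexpected monitor looks like; it is not an
# indicator from any real campaign.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Example Monitor]
"Driver"="C:\\Windows\\Temp\\example.dll"
"""


def parse_monitors(export_text: str) -> Dict[str, str]:
    """Return {monitor name: driver value} from a .reg export of the Monitors key."""
    monitors: Dict[str, str] = {}
    prefix = MONITORS_KEY + "\\"
    current = None
    for raw in export_text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            path = key.group(1)
            # Only subkeys directly under Monitors name a monitor.
            current = path[len(prefix):] if path.startswith(prefix) else None
            continue
        value = re.match(r'^"Driver"="(.*)"$', line)
        if value and current:
            # .reg files escape backslashes; undo that for a readable path.
            monitors[current] = value.group(1).replace("\\\\", "\\")
    return monitors


def suspicious_monitors(monitors: Dict[str, str]) -> List[str]:
    """Flag monitors absent from the baseline or pointing at an unexpected DLL."""
    findings: List[str] = []
    for name, driver in monitors.items():
        expected = KNOWN_MONITORS.get(name)
        if expected is None:
            findings.append(f"{name}: not in baseline, would load {driver}")
        elif driver.lower() != expected.lower():
            findings.append(f"{name}: driver is {driver}, expected {expected}")
    return findings


if __name__ == "__main__":
    for finding in suspicious_monitors(parse_monitors(SAMPLE_EXPORT)):
        print("SUSPICIOUS", finding)
```

On a live system the same check runs against the output of `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" monitors.reg`; pair it with a file-integrity check on the DLL each entry names, since a replaced `localspl.dll` would not show up in the registry at all.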
Dubbed DePriMon, the malicious downloader is used to deploy malware used by Lambert -- also known as the Longhorn advanced persistent threat (APT) group -- which specializes in attacks against European and Middle Eastern companies. 

Kaspersky estimates that Lambert has been active since at least 2008, whereas Symantec rounds up the year as closer to 2011. 
The threat actors use a variety of tools, from zero-day exploits such as the CVE-2014-4148 Windows bug to backdoor malware, to infiltrate the government, financial, telecoms, energy, aviation, IT, and educational sectors, prompting the belief that Lambert may be state-sponsored. 
In 2017, Symantec said that at least 40 targets in 16 countries have been compromised by the attackers.
The APT uses various malware, assigned different colors by cybersecurity researchers, to conduct reconnaissance, steal data, and maintain persistence. 
These include Black Lambert, an active implant used to connect to a command-and-control (C2) server for instructions; White Lambert, a passive, network-based backdoor; Blue Lambert, a second-stage malware payload; Green Lambert, an older version of the aforementioned payload; and Pink Lambert, a toolkit including a USB-compromising module and an orchestrator. 
The initial Lambert ..