Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon

Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon

ESET researchers have discovered a new downloader with a novel, not previously seen in the wild installation technique

DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name, that’s why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a framework.

According to our telemetry, DePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.

Some of the domain names used as C&C servers contain Arabic words, which gives an indication of a region-specific campaign. However, DePriMon deserves attention beyond its targets’ geographical distribution: it is carefully written malware, with lots of encryption that is used properly.

To help defenders stay safe from this threat, we’ve thoroughly analyzed this newly discovered malware, focusing on the downloader itself. Because we’re missing initial stage(s), which we will refer to here as “the first stage”, we don’t know the initial distribution and compromise vector. What kind of final payload is used in the attacks is another question that remains to be answered.

However, it should be noted that, in a few cases, DePriMon was detected with ColoredLambert malware on the same computers within a short time frame. ColoredLambert is used by the Lamberts (aka Longhorn) cyberespionage group and linked to the Vault ..