Rewterz Threat Alert – Legion Loader’s Nest of Malware

Severity

Medium

Analysis summary

A dropper discovered by Deep Instinct was observed to be distributing a variety of different types of malware to victim systems. The initial loader, once executed on a system, establishes a connection with its C2 server and subsequently performs an IP check. After that, a series of executable are downloaded from either the C2 server itself or a file storage service using PowerShell. Most of the malware is commodity malware, specifically infostealers such as Vidar, Predator the Thief and Racoon stealer. The loader also includes a built-in cryptostealer and a custom RDP backdoor. The cryptostealing functionality begins with searching the system for evidence of crypto-currency related data. If found, PowerShell is used to download and install a DLL stealer, which in turn installs a browser credential harvester. After harvesting wallet files and both cryptowallet and browser credentials from the system, the data is uploaded to the C2 server. The aforementioned RDP backdoor comes in the form of an NSIS installer used to execute a PowerShell script. A UAC bypass is performed and then the PowerShell code used to create the RDP backdoor is saved to an DLL file masquerading as XML that is registered as a service.

Impact

• Exposure of sensitive information 
  
• Credential theft

Indicators of Compromise

SHA-256

• 056a2eb3925ea9a3933ed5c8e1b482eae5a098f013b1af751ec9b956edca12e1
• 0bae194c23b5fe3d73ccdf8267287c6e8fb66ed17cbdcce36c0da7583e8e6b49
• 0ce45db58b6f12dc8cfc4d9d94e0ed8f596a9175a804b24817f8b8f24d1ea72e
• 0ce93f4cb43f21920d1fc0b04122327cc12838ba909d70f58bb58fcc661482c8
• 0e22f00c71588b2cc1206a01ae11e5cccc70a2cef7d00317be9bd97c73249a3f
• 0e355775044e0618395724e91820f979fd792149a5c993b74db02d3ca27f18cb
• 0f12ea3082491a32a67086f12657fcb48d740cab22a568b25eb16635ceb4b9a9
• 10084850b03a65bc94899e41680e6207ab71c6b96a7bf65f6086fbba41cc7b5c
• 14494be156326c7c7ca62b7cdf60317e01792136d9fc0c83247a7ee2eeab6c00
• 1725a07286362ca6cb164b0f297bc4cea0c567d13b477c069ed3cea190e89090
• 1875678d1097f47c742b09428f570f65a834d1f81e06e336535bfa62633e562c
• 1c74add22536cd48afd35130b5c8e2904af5485aa0ee46aa9af9cb1793ab3bf4
• 1e0ca8506a8c6dece660e3508463cb2b4b7609bb8c42307a9ad6605ed5aec62f
• 2a4108922238e45a94bb7a16fd40db1f5b590ed9ba2f777eb67787488eecb1d7
• 2a4c9b7f6b74a6bbe80663c9fadb63f31a558ff396a174b75830547657e24dfb
• 2ddea6aac519844a3c3ea6faaca267b67cbc853b8708a9523d9aedab0e2086b4
• 3078f6416fb334304ad456b97bc7b2322cc3e9419f4dbbc7d0dd2a6c98be0061
• 30ee0ef8b2f6820f9a2bfd6622a80c9fa22a9a185a3e453c9393fa9eeaa117be
• 319fb28bdad36a09e693cc97649670c3fbd39df1cfec4ee20385e23092a97e4c
• 3a46bc6ba261a1404db05fceec9989912120ad68ecf1b1886134070f94e2246f
• 3f987e48220a80724d1de41d4bfb1d365ab9986a700f49e8acc7b4d53f5e6471
• 482c26795c473fd28033bd1009e8315c3df4edb3266742e890b928836e6f08e6
• 4c09f6650da6686ca72c43e998fbbd2ab0387f666345a0ca40910bf53d0d9927
• 4c5d3081981d5400f18cecc96489dabb987b8390c36b4ebc447b5cac37bb1a88
• 4f523cbbce05aaf69ca59aabb554125f9c8dbb44c95d715679516160c949fc23
• 4f71844ecf1f290983515abb75804e6a6615a37536acbd10f267679feecaa9fd
• 562e50801d7359bd5348a9b1d38f325cadb9ab9e298ff89c62e2d999ff826ce5
• 615626311e5585ca29b9d589fd213e8e1195f9c99c073e5aaf2bda6eeeb896f7
• 6532098adf0a7e43c46db0cb417a6e319b71764f613821b14ff247c9fb2efee7
• 69965fc0fb3884998567ec5e1693da58243248d44f9f8db6f11382566c6cd42f
• 70b636f7d49610856bf6abadb156697bd5e362da4962540133e88586e935c471
• 7709bb0c90a9cd174687ccf0911ed2ffeee18de4d9b78510a7530034b9141db9
• 793737c570e27b085ddbcd28c87d22b4ae0d3a6d092357705793cdf9678016cf
• 7ab3bb1e2783b8ddbb5581cde1cfb97fdf2c105ed0063a08abe2c2255d703315
• 811bded1035e8073b23470dd3d77ca85385a594a46dabc5892bb878e7148a0ac
• 84f6be18bb40cb9a3f08186e200492858b3265070629f917aa30d22ae125a712
• 8b763d5245d522987d5fba368b610147b7b602b0219fc31b6f3a5c90b37c173e
• 8ff13ca75a4d04587eebf32b66becfe90280690407d00c19eb7aaddc249f83cf
• 928cea1bc5bf99b0650c2f57133694d017f32c2337ad1fe50688bb3245041659
• 955ff926d734df2b9c7dd300fcdca0f3f2117b2d82719066a3c06041639c9c03
• a153db1039abdc3c53db64939cde3b3da2fc6b04cdb5e02de67ef7ab837e5aac
• aa2b785cc249d4e41f5133cefbdb3da5484e63a18090fcc70da09dc5f1c7119b
• abdf3e9c36603953185d9ae75eef134941ab5c2e8407194cfe785cb95e254424
• acc572e60a1b438236ed6eed53f1a173e47ca74841f43af30320e6282060dd0a
• adb47a69e4be076b7c625062fd33ed4d239ce9d5e38f233a6bb5c9b234121458
• b165dce18dd17ead4984c506bb9d2861b4ac07775d6223735802e7b372211f80
• b198bbc48a4a8bb2d8a393db390e31b317a7b1637215bc9e8e2c2ef2d23bd12f
• b79a4f6154e462de4de7c78373520d54388c0324d12e3c93dd50d637127efe35
• b8db44f047337d9352ea04d6e4029c8817a6b5fc96c3b109e9522d615bc6580e
• bb39a5762493cd07009fe7495f33099df3d350f484cc0e8242ebdc173a0cf3a9
• bcfb71a0fbebf4dc471e4e4de8a2326eee4cc2676e307a1eb4e0e9f3d254c2ee
• c6469fa0c5fcdddb53409ac98eca5a315d8230c7dd074437d61c9008d76e7d67
• cbca8246cdf5bedad9bf98414211f26b1f46bbfbacd108b52cdb4f1a1a2d1cea
• cd9fd3eae8fa647d3c10734702e7c8aa812c0ec1e95fb9d54e1dd3900f24be97
• d21ebbcbd03f3bd1b185a6d933e6865a63914aacdeed3304610f5180cf9014b2
• d3e9a49b228f3f873b95990fac665279b75e17bbf7288c2d5e3d114240d96209
• dcf61acaebeac3b4751fbcbc946524cbe709cdfed1b67fe7c4421e889296171d
• e27a5fe1c99fd2cd91fa0154fbbce0ff0c5d2de363038a839089054b2934dab4
• e5372c3eeed59074c6346702c45b8ace7299a42ccce7cb7791b00f9fc8c4ca36
• e71579ea4b6f003d359db2c53c224514aec83a70b61a5d3648a7647e4b3d2b81
• eb33d6e5f19ae156e179a05382e42c7a5f576cbf73d27edf586d80412c241629
• ee0a4e00992382159296ee165789910fc41b1bfebd702a724e783300e72ba027
• f1ac98b76aec34e05930c0fe80c89c38edf3cd34657ed17bc414a6dbbd6553c3
• f3674f3a2a9e24fba71e0c4db02d150128983d2199c62f3d43e7d2cf3186da93
• f8a69b36bd8df897f9cf9895f77b57a98233b5a6819b26ea579efc63dd403a9f
• faa351658d25453883b47cc1aa6b7e530a375649155a73ed75073fb0b5edb120
• fc19702f1749dc163c927d6f2016a71a867f66eb33a77f36beb566366c08c775
• ff888f5eeb702d37e899c1d2d5c4b273edcc3e4e35bf8226014f4022fc9121a8

Remediation

• Block all threat indicators at your respective controls. 
  
• Always be suspicious about emails sent by unknown senders. 
  
• Never click on the links/attachments sent by unknown senders. 
  
• Always look for legitimate URL of the website you land in, when you click on the link via email.