ESET discovers malware using a novel installation technique previously unseen in the wild

ESET researchers have discovered a new downloader with several stages and many nontraditional techniques that registers itself as a default print monitor. They named it DePriMon.

BRATISLAVA – ESET researchers, investigating a cyberattack with targets in the Middle East, discovered a technically interesting downloader. Among many of its nontraditional techniques, one stands out: The malware registers a new local port monitor under the name “Default Print Monitor.”

This earned the downloader the name DePriMon. Due to DePriMon’s complexity and modular architecture, ESET researchers consider it a framework.

According to ESET telemetry, the DePriMon malware has been active since at least March 2017. It was detected in a private company based in Central Europe, and on dozens of computers in the Middle East. In a few cases, DePriMon was detected along with the ColoredLambert malware, which is known to be used by the Lamberts cyberespionage group (also known as Longhorn) and linked to the Vault 7 leak.

ESET researchers find DePriMon to be an unusually advanced downloader whose developers put extra effort into setting up its architecture and crafting the critical components. Thus, it deserves attention beyond its targets’ limited geographical distribution and possible relation to an infamous cyberespionage group.

DePriMon is downloaded to memory and executed directly from there as a DLL file using the reflective DLL-loading technique; it is never stored on the disk. It has a surprisingly extensive configuration file with interesting elements, its encryption is properly implemented, and it protects its C&C communication effectively. As a result, DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way.

To help defenders stay safe from this threat, ESET researchers have thoroughly analyzed this newly discovered malware, focusing on its installation technique, which has been categorized in the MITRE ATT&CK knowledgebase as “Port Monitors,” under both Persistence and Privilege Escalation tactics.

As the MITRE ATT&CK knowledgebase doesn’t list any real-world example of this technique, ESET researchers believe that DePriMon is the first example of the “Port Monitors” technique ever publicly described.

For more details, read the blog post, Registers as a Default Print Monitor but is a malicious downloader. Meet DePriMon, on WeLiveSecurity.

 

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

 

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defences in realtime to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centres worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit https://www.eset.hk/ or follow us on Facebook.