Security researchers discovered a new malicious tool they named PindOS that delivers the Bumblebee and IcedID malware typically associated with ransomware attacks.
PindOS is a simple JavaScript malware dropper that appears to be built specifically to fetch the next-stage payloads that deliver the attackers’ final payload.
Simple JavaScript malware dropper
In a report from cybersecurity company DeepInstinct, researchers note that the new PindOS malware dropper has only one function that comes with four parameters for downloading the payload, be it Bumblebee or the IcedID banking trojan that turned malware loader.
The JavaScript dropper comes in obfuscated form but once decoded, it reveals how “surprisingly simple” it is.
Its configuration includes the option to define a user agent to download a DLL payload, two URLs where the payload is stored (“URL1“ and “URL2“), and the RunDLL parameter for the payload DLL exported function to call.
“When executed, the dropper will attempt to download the payload initially from URL1 and execute it by calling on the specified export directly via rundll32.exe” – DeepInstinct
The researchers note that the second URL parameter is a redundancy that PindOS uses when it cannot retrieve the payload from the first URL, and then tries to execute it by combining PowerShell commands and Microsoft’s rundll.exe, which adversaries use frequently to launch malicious code.
PindOS downloads the payload to “%appdata%/Microsoft/Templates/” as a DAT file with six random numbers as a name.
Malware samples are generated “on-demand,” the researchers say, so each of them has a different hash when retrieved. This is a common tactic to avoid signature-based detection mechanisms.
However, the samples are written to disk and in the case of Bumblebee this is a step back from executing them memory, thus making them susceptible to detection, despite the different hash, due to other markers associated with the malware.
Low detection rate
Despite its simplicity, PindOS enjoyed very low detection rates when it first appeared. On May 20, less than five antivirus engines on Virus Total flagged the JavaScript as malicious.
Although most of the samples that DeepInstinct discovered are now detected by at least two dozen products on Virus Total, some of them continue to be invisible to most engines, with as few as six to 14 of them reporting the malicious code.
At the moment it is unclear if threat actors are just testing how PindOS fares against security products or if they plan to include it in their toolkit.
But given the latest detection rates, it has shown that it can slip in quietly and drop payloads. Even if Bumblebee or IcedID operators don’t adopt it, PindOS may become more popular with other threat actors.
Source: www.bleepingcomputer.com
