Nexix Security Labs
Verblecon Malware Loader Used in Stealthy Cryptomining Attacks
Security researchers are warning of a new malware loader known as Verblecon, which is complicated and powerful enough for ransomware and espionage operations, albeit it is presently only employed for low-reward attacks.
Verblecon was discovered earlier this year, and due to the polymorphism nature of the code, the known samples had a low detection rate.
Flying under the radar
Verblecon was found in January this year by researchers from Symantec, a division of Broadcom Software, who observed it being utilized in assaults that installed cryptocurrency miners on infected devices.
According to the researchers, certain signs hint to the attacker wanting to obtain access tokens for the Discord chat software, but these intentions are in contrast to Verblecon's realistic potential for considerably more devastating attacks.
The virus is Java-based, and its polymorphic nature allows it to infiltrate vulnerable systems and go undetected in many circumstances.
"The fact that the file is polymorphic implies that the malware payload's code looks different each time it is downloaded due to encryption and obfuscation." To avoid detection by the security software, attackers frequently load malware in this manner." Symantec is a division of Broadcom Software.
Many of the antivirus engines on VirusTotal do not detect the Verblecon samples as malicious, according to the researchers' analysis of five Verblecon samples.
For example, the oldest sample was added to the database on October 16, 2021, before Symantec discovered it, and is now recognized by nine out of 56 antivirus engines.
Checking the environment for analysis
Symantec released a technical dissection of the malware and its capabilities, saying that the examined samples "were fully obfuscated, in the code flow, strings, and symbols," and that they could be based on publicly available code.
According to their findings, the virus runs various checks to see if it's running in a virtual environment or if it's being debugged.
The list of running processes is then compared to a predetermined catalog of files (executables, dependencies, and drivers) associated with virtual machine systems.
If all of the checks pass, the virus copies itself to a local directory (percent ProgramData, percent LOCALAPPDATA, Users) and creates files to serve as a loading point.
Verblecon, according to Symantec's study, tries to connect to one of the domains below on a regular basis, employing a domain generation algorithm (DGA) for a more comprehensive list:
hxxps://gaymers[.]ax/ hxxp://[DGA NAME][.]tk/
The malware's name is derived from the DGA, which is based on the current time and date and includes the string "verble" as a suffix.
The payload transmitted after the initial stage communication with the command and control servers (C2) "is disguised in a similar way to the other samples, and also contains comparable tactics to detect the virtualization environment," according to a technical analysis issued today by Symantec.
The payload's main function, according to the research, is to download and run a binary (.BIN file), which is subsequently encrypted on the infected host and injected into Windows percent SysWow64dllhost.exe for execution.
The eventual purpose of whoever is behind Verblecon deployments, according to the researchers, is to install cryptocurrency mining software, which is not in line with the work required to create malware of this sophistication.
Furthermore, the researchers believe the threat actor is utilizing it to steal Discord tokens in order to use them to advertise trojanized video game software.
According to their findings, Verblecon focuses on non-enterprise devices, which are rarely targeted by more sophisticated threat actors due to their low business margins.
Other reports have linked a Verblecon domain to a ransomware attack, according to Symantec, but they believe the overlap is due to infrastructure sharing with an unrelated attacker.
However, the evidence is ambiguous in that case, and the similarities are restricted to the following:
the inclusion of the word "verble" in the domain name
same obfuscation when downloading shellcode for execution
The researchers believe Verblecon is now being used by an actor who is unaware of the malware loader's full destructive capabilities.
They believe that if it falls into the hands of more competent crooks, it might be used for ransomware and even espionage attacks.
For more information visit us on: www.nexixsecuritylabs.com
To schedule an audit you can contact us at: email@example.com
Your Security | Our Concern