Multiple-malware dropper ‘Legion Loader’ dissected

The insidious nature of difficult-to-detect, multiple strains of malware working in tandem to unleash complete obliteration is on full display with the dropper Legion Loader.

The quantity and variety of malware earned its reference as a “Hornet’s Nest,” explained report author Shaul Vilkomir-Preisman, an Israel-based malware & cyber intelligence expert at Deep Instinct, which said it recently prevented a malicious dropper from infecting the customer’s environment.

The campaign, which focused simultaneously on both U.S. and European targets, is “a grab-bag of multiple types of info-stealers, backdoors, a file-less crypto-currency stealer built into the dropper, and occasionally a crypto-miner,” wrote Vilkomir-Preisman.

After previously discovering similar characteristics in several other network intrusions and emerging-threats rule-sets, Deep Instinct dubbed the dropper “Legion Loader,” which it believes is even more valid with this latest attack, which smacks of “a dropper-for-hire campaign” for its volume and variety, uncommon in the general hacking landscape.

The dropper serves as “a classic case-in-point of how even a relatively low-sophistication malware can become a security nightmare for an organization,” Preisman said, adding that Legion Loader employs more advanced file-less techniques and delivers a myriad of follow-up malware ranging from info-stealers and credential harvesters to crypto-miners and backdoors.

Written in MS Visual C++ 8, Legion Loader appears to be under active development. The dropper’s specific modules include several VM/sandbox (VMware, VBOX, etc.) and research-tool evasions (common debuggers, SysInternals utilities, etc.).

Combined with a complete absence of string obfuscation, these evasions make the attackers’ modus operandi evident and leave the dropper open to relatively straightforward analysis.

Although the dropper evades typical antivirus detection, Deep Instinct tracked its capability to deliver two to three additional malware executables, alongside a built-in file-less crypto-currency stealer and browser-credential harvester.

When operating properly, Legion Loader contacts its command-and-control (C&C) server and looks for an expected response code. If it does not receive that code, the dropper terminates to further avoid detection.

Deep Instinct notes that its interest was piqued by the sheer volume and variety of malware unleashed by this tactic. The majority of this information-stealing malware – Vidar, Predator the Thief, and Raccoon – is readily available for purchase from dark-net marketplaces. Legion Loader also features a built-in crypto-currency stealer that targets wallets and harvested credentials, and a remote desktop protocol (RDP) backdoor that shows up as a Nullsoft Scriptable Install System (NSIS) installer. Other executables found with the dropper disguise themselves as .xml but are really .DLL files.
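The extension masquerade described above (a .DLL shipped under a .xml name) is detectable by comparing a file's declared extension with what its header actually says. The following is an added defender-side example, not code from Deep Instinct or from the article; it walks the DOS header to the PE signature, reads the COFF Characteristics word to tell a DLL from an .exe, and flags PE images carrying a data-file extension. The sample files are constructed in memory and are not real Legion Loader artifacts.

```python
import struct
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
DATA_EXTENSIONS = {".xml", ".txt", ".json", ".dat"}  # extensions that should never hold a PE


def pe_info(data: bytes):
    """Return (is_pe, is_dll). Anything that is not a well-formed PE image yields (False, False)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 'PE\0\0' signature (4 bytes) + COFF header (20 bytes) must fit inside the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    # COFF layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2) -> Characteristics at +18
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return True, bool(characteristics & IMAGE_FILE_DLL)


def classify(name: str, data: bytes) -> str:
    """Label a file by checking its extension against the header it really carries."""
    is_pe, is_dll = pe_info(data)
    ext = Path(name).suffix.lower()
    if is_pe and ext in DATA_EXTENSIONS:
        kind = "DLL" if is_dll else "PE executable"
        return f"SUSPICIOUS: {kind} masquerading as {ext}"
    return "pe" if is_pe else "data"


def make_fake_pe(dll: bool) -> bytes:
    """Constructed sample: minimal DOS header + PE signature + COFF header (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\0\0" + coff


SAMPLES = {  # constructed inputs, not real artifacts
    "config.xml": make_fake_pe(dll=True),
    "notes.xml": b"<?xml version='1.0'?><settings/>",
    "tool.exe": make_fake_pe(dll=False),
}


def scan(samples=SAMPLES):
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12} {verdict}")
```

On a real host the same `classify` check can be run over a directory of dropped files; only the `SAMPLES` dictionary is constructed.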
