Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

June 23, 2023 · Ravi Lakshmanan · Malware / Cyber Threat


A new breed of JavaScript dropper has been observed delivering next-stage payloads such as Bumblebee and IcedID.

Cybersecurity firm Deep Instinct tracks the malware as PindOS, a name that appears in its “User-Agent” string.

Both Bumblebee and IcedID act as loaders and vectors for other malware (such as ransomware) on compromised hosts. A recent report from Proofpoint highlights that IcedID has abandoned its bank fraud capabilities in order to focus solely on malware delivery.

In particular, Bumblebee is a replacement for another loader called BazarLoader, believed to be the work of the now-defunct TrickBot and Conti groups.


A report released by Secureworks in April 2022 found evidence of cooperation between multiple actors in the Russian cybercrime ecosystem, including Conti, Emotet and IcedID.

Deep Instinct’s analysis of the PindOS source code found comments in Russian, increasing the likelihood of continued collaboration between electronic crime groups.


Described as “surprisingly simple,” the loader is designed to download malicious executables from remote servers. It uses two URLs, the second of which serves as a fallback if the first fails to fetch the DLL payload.

“Because captured payloads are pseudo-randomly generated ‘on demand,’ a new sample hash is generated each time a payload is captured,” said security researchers Shaul Vilkomir-Preisman and Mark Vaitzman.

The DLL file is finally launched using rundll32.exe, a legitimate Windows tool for loading and executing DLLs.
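Because the payload hash changes on every fetch, hash-based blocking is a weak control against this loader; the behaviour that stays constant is the hand-off from a script to rundll32.exe loading a freshly downloaded DLL. The following is an added detection example, not code from the article or from Deep Instinct. It assumes the dropper runs under a Windows Script Host process (wscript.exe or cscript.exe) and that the downloaded DLL lands in a user-writable directory; the process-creation records it triages are constructed for the example, not real telemetry.

```python
"""Triage Windows process-creation events for rundll32.exe launches that look
like a script dropper handing a downloaded DLL to rundll32.exe.

Added example, not from the article or Deep Instinct. Assumptions:
  * the dropper's parent process is a Windows Script Host (wscript/cscript);
  * the fetched DLL sits in a directory an unprivileged user can write to.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed parents for a JavaScript dropper (Windows Script Host).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories an unprivileged user can write to; a DLL loaded from one of
# these is a stronger signal than a DLL under System32.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\",
    re.I,
)

# First drive-letter path ending in .dll on the command line (rundll32's
# first argument is the module to load, optionally quoted).
DLL_ARG = re.compile(r'([A-Za-z]:\\[^",]+\.dll)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_indicators(ev: ProcEvent) -> List[str]:
    """Reasons an event looks like a dropper-to-rundll32 hand-off (empty if none)."""
    if basename(ev.image) != "rundll32.exe":
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"parent is script host {parent}")
    match = DLL_ARG.search(ev.command_line)
    if match and USER_WRITABLE.search(match.group(1)):
        reasons.append(f"DLL loaded from user-writable path {match.group(1)}")
    return reasons


def triage(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Return only the events that raised at least one indicator, with reasons."""
    flagged = []
    for ev in events:
        reasons = rundll32_indicators(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample records (not real telemetry); paths and names are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\pay.dll",DllRegisterServer'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\upd\k.dll,#1"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.command_line)
        for r in reasons:
            print("   -", r)
```

The two indicators are deliberately independent: the script-host parent catches the direct hand-off the article describes, while the user-writable path catches the same DLL being launched later by a different parent. Neither depends on the payload's hash, which is exactly the property the loader's on-demand generation is meant to defeat.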

“It remains to be seen whether the actors behind Bumblebee and IcedID will adopt PindOS permanently,” the researchers concluded.

“If this ‘experiment’ is successful for each of these ‘companion’ malware operators, it could become a permanent tool in their arsenal and gain popularity among other threat actors.”
