Attackers have targeted developers having Github repositories with a data-stealing malware called Dimnie. The malicious code includes keylogging features and modules that capture screenshots.
The Dimnie malware was spotted by researchers at Palo Alto Networks in mid-January when an unknown number of developers were targeted with emails purporting to be job offers. The malicious messages used weaponized .doc files containing an embedded malicious macro that executed a PowerShell command that would start the attack by downloading and executing the malicious code.
The Dimnie data stealer has been in circulation since 2014 targeting primarily Russian-speaking targets. The researchers have no idea how widespread the malware based campaign was, the motivation for the attack is also a mystery. Probably the attackers were searching something of interest among the huge number of projects hosted on the platform.
“Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities.” reads the analysis published by Palo Alto Networks. “Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.”
Experts believe that the attack was carried out by a “relatively unknown threat” outside of the Russian-speaking world.
Dimnie disguised the HTTP requests to the command and control server structure in a GET request to a defunct Google service called Google PageRank. The researchers discovered an IP address in a DNS lookup request preceding the GET request was that the real destination IP for the follow-up HTTP request.
“Sending the request to an entirely different server is not complicated to achieve, but how many analysts would simply see a DNS request with no related subsequent traffic? That is precisely what Dimnie is relying upon to evade detections,”
The attackers used a similar technique to exfiltrate data, the request, in fact, is disguised in a POST request to Google.
“Data exfiltration by the associated modules is performed using HTTP POST requests to another Google domain, gmail[.]com. However, just like the module downloader portion of the malware, these HTTP requests are hardcoded to be sent to an attacker controlled server. Again, Dimnie attempts to blend in by looking at least somewhat legitimate, although the data exfiltration traffic is far less convincing than that of the module downloads.” continues the analysis.
Dimnie belongs to the category of fileless malware, the researchers discovered nine modules were discovered, including some that extract system data enumerate running processes, keyloggers, screenshots and a self-destruct module that deletes all files on the local drive.
The command and control infrastructure used in the attacks is still active and according to the experts, Dimnie continues to be used against Russian-speaking targets.
“Multiple factors have contributed to Dimnie’s relatively long-lived existence. By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders’ assumptions about what normal traffic looks like. This blending in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown.”
(Security Affairs – Dimnie malware, GitHub)