The new DePriMon downloader was used by the Lambert APT group, aka Longhorn, to deploy malware.
According to a report published by Symantec in 2017, Longhorn is a North American hacking group that has been active since at least 2011. The group is very sophisticated and used zero-day exploits and complex malware to conduct targeted attacks against governments and organizations in almost every industry, including financial, energy, telecommunications, and education, aerospace.
The targets were all located in the Middle East, Europe, Asia, and Africa.
In 2017, Symantec speculated that at least 40 targets in 16 countries have been compromised by the threat actors.
One of the malware in the arsenal of the group is the Black Lampert, it is an active implant used to control the infected system. Other malware in the arsenal
According to ESET, the DePriMon has been active since at least March 2017, it was found on computers in a private company in Central Europe, and at dozens of computers in the Middle East.
The domain names used as C&C servers contain Arabic words, suggesting that the attackers’ campaign aimed at targets in the Middle East.
The DePriMon is downloaded to memory and executed as a DLL using reflective DLL techniques, it is registered with a key and value, which requires administrator rights.
The registered DLL will be loaded at system startup by the spoolsv.exe with SYSTEM privileges.
“Both DePriMon’s second and third stages are delivered to the victim’s
“The described installation technique is unique. In principle, it is described in the MITRE ATT&CK taxonomy as “Port Monitors”, under both Persistence and Privilege Escalation tactics. We believe DePriMon is the first example of malware using this technique ever publicly described.”
The malware leverages the Microsoft implementation of SSL/TLS, Secure Channel, for C2 communication. ESET researchers pointed out that the authors have put significant effort into encryption in order to prevent the analysis of the DePriMon malware.