Mutating Verblecon malware in illicit cryptomining ... so far
Symantec team warns ransomware and spying could be next
Internet fiends are using a relatively new piece of malicious code dubbed Verblecon to install cryptominers on infected computers.
The mutating malware attempts to evade detection by antivirus tools and similar defenses. That would be bad news all round if the loader were used to deploy more destructive payloads, and Symantec suspects the crooks wielding Verblecon today may not realize what it is capable of.
"The activity we have seen carried out using this sophisticated loader indicates that it is being wielded by an individual who may not realize the capabilities of the malware they are using," Symantec's threat hunting team warned today.
"However, if it fell into the hands of a more sophisticated actor the potential is there for this loader to be used for more serious attacks, including potentially ransomware and espionage campaigns."
Security analysts at Symantec, now a division of Broadcom Software, say they discovered Verblecon in January being used to install miners and potentially steal access tokens for chat app Discord.
The Java-based malware uses server-side polymorphism to evade detection: the server re-encrypts and re-obfuscates the code for every download, so each copy that reaches a victim has a different hash and different strings and symbols. A signature or hash-based scanner sees something new every time and may wave it through as harmless.
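To see why that defeats hash-based blocking, here is an added illustration in Python, written for this article rather than taken from Symantec's report or from the malware itself. The toy "server" wraps a harmless, constructed payload in a freshly keyed XOR decoder stub on every download; the hash-IOC and structural-rule functions are hypothetical names for the two detection approaches being compared.

```python
import hashlib
import random
import re
import string
from typing import Optional

# Constructed stand-in for a payload. It is not Verblecon's code.
PLAIN_PAYLOAD = b"print('payload running')"


def serve_polymorphic(payload: bytes, rng: random.Random) -> bytes:
    """Toy server-side polymorphism (illustrative, not Verblecon's scheme).

    Every download gets a fresh 16-byte XOR key, a fresh variable name for the
    decoder stub and a random comment, so the bytes that reach the client differ
    each time while the decoded payload is identical.
    """
    key = bytes(rng.randrange(256) for _ in range(16))
    enc = bytes(b ^ key[i % 16] for i, b in enumerate(payload))
    name = "".join(rng.choice(string.ascii_letters) for _ in range(rng.randrange(6, 14)))
    noise = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randrange(8, 40)))
    stub = (
        f"# {noise}\n"
        f"{name}_k = bytes.fromhex('{key.hex()}')\n"
        f"{name}_e = bytes.fromhex('{enc.hex()}')\n"
        f"exec(bytes(b ^ {name}_k[i % 16] for i, b in enumerate({name}_e)).decode())\n"
    )
    return stub.encode()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Defender's side: names and padding change per download, but the decoder's
# shape does not. Match that invariant structure and recover the payload.
STUB_RE = re.compile(
    rb"(\w+)_k = bytes\.fromhex\('([0-9a-f]+)'\)\n"
    rb"\1_e = bytes\.fromhex\('([0-9a-f]+)'\)\n"
    rb"exec\(bytes\(b \^ \1_k\[i % 16\]"
)


def recover_payload(sample: bytes) -> Optional[bytes]:
    m = STUB_RE.search(sample)
    if not m:
        return None
    key = bytes.fromhex(m.group(2).decode())
    enc = bytes.fromhex(m.group(3).decode())
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))


def hash_ioc_hits(samples: list, ioc: str) -> int:
    """How many samples a hash IOC taken from one download would catch."""
    return sum(1 for s in samples if sha256(s) == ioc)


def structural_hits(samples: list, payload: bytes) -> int:
    """How many samples the structural rule plus payload comparison catches."""
    return sum(1 for s in samples if recover_payload(s) == payload)


def demo(downloads: int = 5, seed: int = 1) -> dict:
    rng = random.Random(seed)
    samples = [serve_polymorphic(PLAIN_PAYLOAD, rng) for _ in range(downloads)]
    ioc = sha256(samples[0])  # the hash an analyst would share after the first sample
    return {
        "distinct_hashes": len({sha256(s) for s in samples}),
        "hash_ioc_hits": hash_ioc_hits(samples, ioc),
        "structural_hits": structural_hits(samples, PLAIN_PAYLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

Five downloads yield five different hashes, the hash IOC catches only the sample it was taken from, and a rule keyed on the unchanging decoder structure catches all of them. The same logic is why Symantec's note that the samples were "fully obfuscated, in code flows, strings, and symbols" matters: what stays constant across downloads is what a detection has to key on.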
Symantec noted that the malware samples its researchers analyzed "were fully obfuscated, in code flows, strings, and symbols," though added the samples may use publicly available code.
First, the sneaky malware runs a series of checks to see if it's being debugged, or being opened on a virtual machine or in a sandbox environment, "which would indicate it is likely being opened on a security researcher's machine," the researchers wrote. It also obtains a list of running processes, checks those against a set list, and looks for particular files, including executables and device drivers.
Once it clears all of these hurdles, and appears satisfied that it is running on a real potential victim's PC, Verblecon executes the following command. Querying HKU\S-1-5-19, the registry hive of the built-in LOCAL SERVICE account, is a well-worn trick for finding out whether a process is running with administrator rights, because the query fails for a standard, non-elevated user:
reg query "HKU\S-1-5-19"
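That sequence, anti-analysis checks followed by an elevation probe, is something a defender can look for in process-creation telemetry. The following is an added example, not from the article or Symantec's write-up: it runs a simple rule over constructed Sysmon-style process events (the field names are assumptions) and flags reg.exe querying HKU\S-1-5-19, rating the alert higher when the parent process is java.exe or javaw.exe, which would fit the Java-based loader described above.

```python
import re
from typing import Optional

# Constructed process-creation events in a Sysmon-like shape. The field names are
# an assumption and the records are made up for this example.
EVENTS = [
    {"ts": "2022-03-28T10:01:02Z", "host": "ws01", "pid": 4120,
     "image": r"C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe" -jar C:\Users\u\Downloads\launcher.jar'},
    {"ts": "2022-03-28T10:01:09Z", "host": "ws01", "pid": 4188,
     "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe",
     "cmdline": r'reg  query "HKU\S-1-5-19"'},
    {"ts": "2022-03-28T10:05:00Z", "host": "ws02", "pid": 812,
     "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"REG QUERY HKU\S-1-5-19\Environment /ve"},
    {"ts": "2022-03-28T10:06:00Z", "host": "ws02", "pid": 900,
     "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
]

LOCAL_SERVICE_HIVE = r"hku\s-1-5-19"  # S-1-5-19 is NT AUTHORITY\LOCAL SERVICE
JAVA_IMAGES = {"java.exe", "javaw.exe"}


def normalise(cmdline: str) -> list:
    """Lower-case, collapse whitespace and strip quotes so that
    REG  QUERY "HKU\\S-1-5-19" and reg query hku\\s-1-5-19 compare equal."""
    return [t.strip('"') for t in re.split(r"\s+", cmdline.strip().lower()) if t]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_elevation_probe(event: dict) -> bool:
    """True when reg.exe queries the LOCAL SERVICE hive (or a key under it)."""
    if basename(event["image"]) != "reg.exe":
        return False
    toks = normalise(event["cmdline"])
    return len(toks) >= 3 and toks[1] == "query" and toks[2].startswith(LOCAL_SERVICE_HIVE)


def score(event: dict) -> Optional[dict]:
    if not is_elevation_probe(event):
        return None
    parent = basename(event["parent_image"])
    return {
        "ts": event["ts"], "host": event["host"], "pid": event["pid"], "parent": parent,
        # A Java parent matches the loader described in the article; an admin's
        # shell script doing the same probe is worth a look but far less suspicious.
        "severity": "high" if parent in JAVA_IMAGES else "medium",
        "reason": "reg.exe queried HKU\\S-1-5-19, a common 'am I elevated?' probe",
    }


def detect(events: list) -> list:
    return [a for a in (score(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The normalisation step matters more than the rule: the same probe can be typed as `reg query "HKU\S-1-5-19"`, `REG QUERY HKU\S-1-5-19\Environment` or with extra spaces, and a rule that matches only one literal spelling is easy to sidestep.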
And then it creates a file to use as a jumping-off point to run more code. The security analysts observed the malware attempting to connect to these URLs:
DGA_NAME in those URLs is the output of a domain-generation algorithm (DGA) seeded with the current time and date, so the hostname the malware contacts changes over time rather than staying fixed where a static blocklist could catch it. The Symantec team also noted that the attacker may be using legitimate Cloudflare infrastructure to host some of the command-and-control (C2) servers. Once it starts communicating with the C2 servers, the malware downloads an obfuscated payload from this URL:
And the final payload contains this URL that points to a configuration file for a cryptocurrency miner:
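The article does not describe Verblecon's DGA beyond its dependence on the time and date, so the following added example uses a hypothetical date-seeded algorithm of my own, not the malware's, to show the defensive consequence: once the algorithm is recovered from a sample, a defender can precompute the domains for the coming days and match DNS logs against them. The DNS records below are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical date-seeded DGA written for this example. Verblecon's real
# algorithm is not published in the article; this is not it.
TLDS = ("com", "net", "xyz")


def dga(day_iso: str, count: int = 5) -> list:
    """Derive `count` deterministic hostnames from a calendar date (ISO string)."""
    day = date.fromisoformat(day_iso)
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 8                                   # 8..15 char label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def pregenerate(start_iso: str, days: int) -> set:
    """Defender's side: with the algorithm known, the next days' domains can be
    computed now and pushed to a blocklist or hunted for in DNS logs."""
    start = date.fromisoformat(start_iso)
    return {d for n in range(days) for d in dga((start + timedelta(days=n)).isoformat())}


# Constructed DNS query log, one 'timestamp host qname' record per line. The first
# query is built from the DGA itself so the example is self-consistent.
DNS_LOG = "\n".join([
    f"2022-03-28T10:01:10Z ws01 {dga('2022-03-28')[2]}",
    "2022-03-28T10:01:11Z ws01 www.example.com",
    "2022-03-28T10:02:00Z ws02 cdn.example.net",
])


def match_dns_log(log: str, today_iso: str) -> list:
    """Return (host, qname) pairs whose lookup hits a generated domain. The watch
    set spans yesterday, today and tomorrow to tolerate clock skew at midnight."""
    today = date.fromisoformat(today_iso)
    watch = pregenerate((today - timedelta(days=1)).isoformat(), 3)
    hits = []
    for line in log.splitlines():
        ts, host, qname = line.split()
        if qname.lower() in watch:
            hits.append((host, qname))
    return hits


if __name__ == "__main__":
    print(dga("2022-03-28"))
    print(match_dns_log(DNS_LOG, "2022-03-28"))
```

The practical point is that a date-driven DGA only helps the attacker while the algorithm is unknown; once it is reversed, the defender has the same calendar and can be ahead of the malware rather than behind it.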
While illicit cryptocurrency mining on victims' machines appears to be the goal of the malware, "this would appear to be a relatively low-reward goal for the attacker given the level of effort that would have been required to develop this sophisticated malware," according to Symantec.
The threat researchers also noted that some of the obfuscated strings refer to Discord client pathnames, and they suspect the miscreants are stealing Discord tokens so they can use them to advertise trojanized gaming apps.
They said it's unlikely that this campaign is being used to deploy ransomware because most of the infections occurred on non-enterprise PCs. However, previous reports did connect related domains to one ransomware incident, and Symantec said the similarities between that one and the new campaign include:
- The use of "verble" in the domain name
- The downloading of shellcode for execution
- Similar obfuscation
So while it's possible that cyber-criminals are using Verblecon to drop ransomware, Symantec said it's more likely that this nefarious activity is being carried out by an inexperienced actor who doesn't realize the malware's capabilities. Of course, this could all change should it fall into more sophisticated criminals' hands. ®