Researchers have revealed a new malware campaign that they dub the Hornet’s Nest. What distinguishes this attack is the deployment of six different malware payloads in one go: three info stealers, a crypto-stealer, a crypto-miner, and a backdoor.
Though the campaign is not sophisticated compared with, say, a zero-day exploit, it does deliver six malware payloads in a single infection.
The campaign targets organizations in the U.S. and Europe with info-stealing trojans, a remote backdoor, a crypto-stealer, and a crypto-miner.
In brief, the attack begins with Legion Loader, a malware dropper written in MS Visual C++ 8 that includes numerous VM/sandbox-evasion checks and other features to stay under the radar of researchers, yet lacks string obfuscation.
Analysis of the six Hornet’s Nest malware components:
- Vidar – Targets all sorts of personal information, including data stored in Two-Factor Authentication (2FA) software.
- Predator the Thief – Steals data and can capture images using the victim’s webcam.
- Raccoon Stealer – Bypasses Microsoft and Symantec anti-spam messaging gateways.
- Crypto Stealer – A PowerShell-based cryptocurrency stealer that allows the attacker to steal from a victim’s bitcoin wallet.
- Crypto Miner – Abuses the victim’s computer and its processing power to mine cryptocurrency over a longer period.
- RDP Backdoor – Provides the attacker with remote entry into the compromised machine, which allows follow-on attacks in the future.
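The defining trait of this campaign is one dropper spawning several distinct payloads, including a PowerShell component, within seconds. The following is an added detection heuristic written for this article; it is not code from the original report or from the researchers who analysed Legion Loader. It assumes Sysmon-style process-creation telemetry reduced to (timestamp, parent image, child image) tuples; the log lines, field layout and thresholds are constructed for the illustration.

```python
"""Heuristic for a 'one dropper, many payloads' pattern.

Added example, not code from the original article or from the researchers
who analysed Legion Loader. Flags a parent process that spawns several
distinct child executables, at least one of them PowerShell, inside a short
time window. The event tuples, paths and thresholds below are assumptions
constructed for this illustration, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, parent image, child image).
SAMPLE_EVENTS = [
    # A dropper-like parent spawning five different binaries in eight seconds.
    ("2019-12-20T10:00:01", r"C:\Users\bob\Downloads\setup.exe", r"C:\Users\bob\AppData\Local\Temp\a1.exe"),
    ("2019-12-20T10:00:03", r"C:\Users\bob\Downloads\setup.exe", r"C:\Users\bob\AppData\Local\Temp\b2.exe"),
    ("2019-12-20T10:00:04", r"C:\Users\bob\Downloads\setup.exe", r"C:\Users\bob\AppData\Local\Temp\c3.exe"),
    ("2019-12-20T10:00:06", r"C:\Users\bob\Downloads\setup.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2019-12-20T10:00:09", r"C:\Users\bob\Downloads\setup.exe", r"C:\Users\bob\AppData\Local\Temp\d4.exe"),
    # Benign: a shell launching a single application.
    ("2019-12-20T10:01:00", r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe"),
    # Benign: a build tool launching many children, but spread over an hour.
    ("2019-12-20T10:05:00", r"C:\tools\build.exe", r"C:\tools\cl.exe"),
    ("2019-12-20T10:20:00", r"C:\tools\build.exe", r"C:\tools\link.exe"),
    ("2019-12-20T10:40:00", r"C:\tools\build.exe", r"C:\tools\mt.exe"),
    ("2019-12-20T11:00:00", r"C:\tools\build.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]


def find_multi_payload_parents(events, min_children=4,
                               window=timedelta(seconds=60),
                               require_powershell=True):
    """Return {parent_image: sorted list of distinct child images} for every
    parent that spawns at least `min_children` distinct child images within
    any `window`-long interval (and, if requested, at least one powershell.exe).

    Child paths are lower-cased before comparison so case differences in the
    telemetry do not inflate the distinct count.
    """
    by_parent = defaultdict(list)
    for ts, parent, child in events:
        by_parent[parent].append((datetime.fromisoformat(ts), child.lower()))

    hits = {}
    for parent, children in by_parent.items():
        children.sort()  # chronological order for the sliding window
        for i in range(len(children)):
            start = children[i][0]
            distinct = set()
            for t, child in children[i:]:
                if t - start > window:
                    break
                distinct.add(child)
            has_ps = any(c.endswith("powershell.exe") for c in distinct)
            if len(distinct) >= min_children and (has_ps or not require_powershell):
                hits[parent] = sorted(distinct)
                break  # one hit per parent is enough
    return hits


if __name__ == "__main__":
    for parent, kids in find_multi_payload_parents(SAMPLE_EVENTS).items():
        print(f"suspicious dropper: {parent}")
        for k in kids:
            print(f"    spawned {k}")
```

The window and child-count thresholds are deliberately conservative; the build-tool parent in the sample shows why a time bound matters, since it launches just as many distinct children as the dropper but over an hour rather than seconds. In practice the heuristic would be tuned against the environment's normal installer and build activity before being used for alerting.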
The Hornet’s Nest campaign is not the most sophisticated one, but given the range of data it can compromise, a multi-pronged attack of this kind can be a nightmare for an organization’s security team, the researchers noted.
While attribution has not been officially confirmed, analysis of Legion Loader points to a Russian origin.
In a similar recent story, Fortinet shared details of a malware campaign that targets Windows systems with two RATs at once.