Cybersecurity experts have detected a new, highly evasive loader, called in2al5d p3in4er (read: invalid printer), that is being used to spread the Aurora info-stealer. It targets endpoint workstations and uses advanced anti-VM and anti-analysis techniques to avoid detection.

About in2al5d p3in4er

Morphisec has provided details regarding the inner workings of in2al5d p3in4er, compiled using Embarcadero RAD Studio.
  • The attackers use YouTube as a distribution channel: social engineering directs viewers to fake websites, promoted via SEO poisoning, from which the stealer is served.
  • The loader runs only on systems with selected brands of graphics cards. Upon infection, it queries the vendor ID of the compromised system's graphics card and compares it with a set of whitelisted vendor IDs (NVIDIA, AMD, and Intel). The loader terminates if the value doesn't match.
  • The loader decrypts the final payload and injects it into a genuine process using process hollowing. Some samples instead allocate memory, write the decrypted payload there, and inject it from that buffer.
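A practical consequence of the vendor-ID check is that an analysis VM whose display adapter reports a hypervisor vendor never reaches the payload stage. The script below is an added example, not code from Morphisec or Cyware: it parses Windows PNPDeviceID strings of the kind returned by the Win32_VideoController WMI class and reports whether a given machine would pass the loader's whitelist, so analysts can validate their sandboxes before detonation. The vendor IDs are public PCI-SIG assignments, and the device strings are constructed samples.

```python
import re

# PCI vendor IDs of the three GPU vendors the loader whitelists (public
# PCI-SIG assignments; the page names the vendors but not the IDs).
WHITELISTED_GPU_VENDORS = {
    0x10DE: "NVIDIA",
    0x1002: "AMD",
    0x8086: "Intel",
}

# Matches the VEN_xxxx field of a Windows PnP ID such as
# PCI\VEN_10DE&DEV_1C82&SUBSYS_...; the vendor ID is four hex digits.
_VEN_RE = re.compile(r"PCI\\VEN_([0-9A-Fa-f]{4})")


def vendor_ids(pnp_device_ids):
    """Return the PCI vendor IDs (as ints) found in a list of PNPDeviceIDs.
    Non-PCI adapters (e.g. ROOT\\BasicDisplay) yield nothing."""
    found = []
    for dev in pnp_device_ids:
        match = _VEN_RE.search(dev)
        if match:
            found.append(int(match.group(1), 16))
    return found


def sandbox_passes_gpu_check(pnp_device_ids):
    """Return (passes, vendor_name): True and the vendor name if any
    adapter belongs to a whitelisted vendor, otherwise (False, None)."""
    for vid in vendor_ids(pnp_device_ids):
        if vid in WHITELISTED_GPU_VENDORS:
            return True, WHITELISTED_GPU_VENDORS[vid]
    return False, None


# Constructed samples (hypothetical device strings, not from any real host):
# a bare-metal workstation with an NVIDIA card,
REAL_HOST = ["PCI\\VEN_10DE&DEV_1C82&SUBSYS_00000000&REV_A1\\4&1A2B3C4D&0&0008"]
# a VMware guest with the default SVGA adapter (VMware's vendor ID is 0x15AD),
VMWARE_GUEST = ["PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&0&0"]
# and a guest using the basic display adapter, which exposes no PCI vendor.
BASIC_DISPLAY = ["ROOT\\BasicDisplay\\0000"]

if __name__ == "__main__":
    for label, devs in [("real host", REAL_HOST), ("vmware guest", VMWARE_GUEST),
                        ("basic display", BASIC_DISPLAY)]:
        passes, vendor = sandbox_passes_gpu_check(devs)
        print(f"{label}: loader would {'continue' if passes else 'exit'} "
              f"(vendor: {vendor})")
```

On a Windows host, the input list can be produced with `Get-CimInstance Win32_VideoController | Select-Object -ExpandProperty PNPDeviceID`; a VM that reports only a hypervisor vendor needs GPU passthrough or a spoofed device ID before the sample will proceed under analysis.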

Evasion tactics

The use of Embarcadero RAD Studio allows attackers to create executables for multiple platforms with multiple configuration options.
  • The samples are tested on VirusTotal, and the ones with the lowest detection rates are those compiled with Embarcadero's compiler (BCC64[.]exe), which maximizes evasion of security products.
  • This compiler uses code bases (Runtime Library and Standard Library) separate from those of the default compilers and generates optimized code that changes the execution flow and entry point of the loader.
  • This breaks security vendors' indicators, such as signatures collected from the malicious code block, and makes analysis with malware diagnosis tools challenging.

Conclusion

The attackers behind the in2al5d p3in4er loader combine widely accessible social engineering tools with multiple evasion tactics to bypass basic security checks. It is therefore important to train employees to spot social engineering campaigns. Furthermore, use firewalls and endpoint-security solutions to ensure that only legitimate URLs are reachable from inside enterprise networks.
Cyware Publisher