Security researchers have disclosed a complex and powerful malware loader named Verblecon. Although the loader is technically advanced, it has so far only been used in low-profile attacks.
What has happened?
Researchers from Symantec discovered the Verblecon loader in January 2022; it was observed installing cryptocurrency miners on targeted systems.
In addition to cryptojacking, the attacker appears to be interested in stealing Discord access tokens.
The attackers may be using the stolen tokens to advertise trojanized video game software.
Further, the loader has so far only been used against non-enterprise machines.
Possible link to ransomware attacks
There are also reports connecting a Verblecon domain to a ransomware attack. However, the researchers believe this overlap is the result of infrastructure shared with an unrelated actor rather than evidence that the loader itself was used in ransomware operations.
Technical details
The loader is Java-based, and the polymorphic nature of its code makes it harder to detect with traditional, signature-based security solutions.
The analyzed samples were fully obfuscated: code flow, strings, and symbols alike.
The loader performs several checks to determine whether it is running in a virtual machine or under a debugger. One of these checks enumerates the running processes and compares them against a predefined catalog of files (executables, dependencies, drivers) associated with virtualization products; a match indicates an analysis environment.
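The process-catalog check described above, as an added illustration written for this article (it is not Verblecon's own code, which is Java; Python is used here so the logic is easy to read and run). The catalog of VM artefacts is an assumed set of widely known VMware, VirtualBox, QEMU, Parallels and Sandboxie file names, not the loader's real list, and the two "snapshots" are constructed inputs standing in for a real process/module/driver enumeration:

```python
"""Sandbox/VM detection by checking observed image names against a catalog.

Illustrative Python written for this article, not Verblecon's own (Java) code.
The catalog below is an assumed set of widely known VMware / VirtualBox / QEMU /
Parallels / Sandboxie artefacts; the loader's real catalog is not reproduced here.
"""
import os
from dataclasses import dataclass, field

# Assumed catalog, grouped the way the article describes it:
# executables, dependencies (DLLs loaded into processes) and drivers.
VM_ARTEFACT_CATALOG = {
    "executables": {
        "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",   # VMware Tools
        "vboxservice.exe", "vboxtray.exe",                    # VirtualBox Guest Additions
        "qemu-ga.exe",                                        # QEMU guest agent
        "prl_tools.exe", "prl_cc.exe",                        # Parallels Tools
    },
    "dependencies": {
        "vboxmrxnp.dll", "vboxhook.dll",                      # VirtualBox
        "sbiedll.dll",                                        # Sandboxie
    },
    "drivers": {
        "vmhgfs.sys", "vmmouse.sys", "vm3dmp.sys",            # VMware
        "vboxguest.sys", "vboxmouse.sys", "vboxsf.sys",       # VirtualBox
    },
}


@dataclass
class VmCheckResult:
    # category -> sorted list of catalog entries that were observed
    matched: dict = field(default_factory=dict)

    @property
    def is_virtual(self) -> bool:
        return bool(self.matched)


def normalise(image: str) -> str:
    """Reduce a process image or module path to its lower-case file name.

    Backslashes are converted explicitly so Windows paths are handled
    correctly even when this example is run on Linux or macOS.
    """
    return os.path.basename(image.replace("\\", "/")).lower()


def check_images(observed, catalog=VM_ARTEFACT_CATALOG) -> VmCheckResult:
    """Compare observed image names (processes, loaded modules, driver files)
    against the catalog and report every hit, grouped by category."""
    seen = {normalise(p) for p in observed}
    result = VmCheckResult()
    for category, names in catalog.items():
        hits = sorted(seen & {n.lower() for n in names})
        if hits:
            result.matched[category] = hits
    return result


# Constructed snapshots standing in for the output of a process/module/driver
# enumeration; they were not captured from a real host.
VM_SNAPSHOT = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\VBoxService.exe",
    r"C:\Windows\System32\VBoxTray.exe",
    r"C:\Windows\System32\drivers\VBoxGuest.sys",
    r"C:\Windows\System32\VBoxHook.dll",
]
BARE_METAL_SNAPSHOT = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Java\jre\bin\javaw.exe",
]

if __name__ == "__main__":
    for label, snap in (("vm", VM_SNAPSHOT), ("bare-metal", BARE_METAL_SNAPSHOT)):
        r = check_images(snap)
        print(f"{label}: is_virtual={r.is_virtual} matched={r.matched}")
```

Two practical points follow from the check. For analysts, the check is a single decision point: neutralising it (for example by forcing the comparison to report no matches, or by renaming or hiding the listed artefacts in the sandbox) lets the loader proceed to the stages that actually matter, such as fetching the payload. For sandbox operators, the same catalog is a checklist of what the environment must conceal if it is to observe this kind of loader at all.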
If all the checks pass, the loader copies itself to a local directory and creates files that serve as its loading point, so that it is launched again later. It then periodically attempts to connect to a set of domains.
After the initial stage of communication with the C2 server, the payload is delivered. The payload is obfuscated in the same way as the loader samples and uses similar techniques to detect a virtual environment.
Conclusion
Verblecon currently appears to be in the hands of an actor who is still largely experimenting with it. However, the loader's capabilities are concerning, and it may well appear in more attacks in the near future. Organizations are advised to keep their anti-malware protections up to date and to treat sandbox-evasion behaviour of this kind as a reason to look beyond signature-based detection.