During the analysis of a cyber attack aimed at targets in the Middle East, the ESET research team detected a technically interesting downloader.
The malware uses several unusual techniques, one of which stands out: the installation of a local port monitor registered under the name “Default Print Monitor”. Because of this technique, ESET researchers have named the downloader DePriMon, and, given its complexity and modular architecture, it is regarded as a malware framework. According to ESET’s telemetry, DePriMon has been active since at least March 2017. It was first discovered at a private company in Central Europe and on dozens of computers in the Middle East. On some occasions, DePriMon was detected together with the ColoredLambert malware, which is used by the Lamberts cyber espionage group (also known as Longhorn) and is connected with the Vault 7 leak. The researchers also consider DePriMon to be a highly advanced downloader, and believe that its creators invested considerable effort in developing it and equipping it with substantial functionality. It therefore deserves attention for more than the limited regional distribution of its targets and its probable relation to notorious cyber espionage groups.
DePriMon is loaded into memory and executed directly from there as a DLL, using the DLL side-loading technique. It is never stored on disk. It has a surprisingly extensive configuration file with several interesting elements, and its encryption is properly implemented and protects the C&C communication effectively. As a result, DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, while also collecting some basic information about the system and its user along the way.
To help users stay protected from this threat, the ESET research team has thoroughly analyzed the recently discovered malware, focusing on its installation technique, which is registered in the MITRE ATT&CK knowledge base under the name “Port Monitors”, in the “Persistence” and “Privilege Escalation” technique categories. As no existing incident involving this technique has been recorded in the MITRE ATT&CK knowledge base, the researchers consider DePriMon to be the first publicly described example of the “Port Monitors” technique.
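A defender's check for this persistence technique, added here as an example that is not part of the ESET report: it enumerates the port monitors registered under the spooler's Print\Monitors registry key and flags any entry outside an assumed baseline (such as one named “Default Print Monitor”), any monitor DLL missing from disk, and any DLL without a valid Authenticode signature. The baseline monitor names and DLL file names are assumptions for illustration and should be tuned to the Windows build in use.

```powershell
# Added example, not ESET's or Microsoft's code. Baseline entries are an
# assumption: adjust them to match a known-clean system of the same build.
$baseline = @{
    'Local Port'           = 'localspl.dll'
    'Standard TCP/IP Port' = 'tcpmon.dll'
    'USB Monitor'          = 'usbmon.dll'
    'WSD Port'             = 'WSDMon.dll'
}
# The print spooler reads port monitor registrations from this key;
# each subkey is a monitor name and its Driver value names the DLL to load.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$system32 = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $key | ForEach-Object {
    $name    = $_.PSChildName
    $driver  = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    $reasons = @()

    if (-not $driver) {
        $reasons += 'no Driver value'
    } else {
        # A bare file name is resolved relative to System32 by the spooler.
        $path = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $system32 $driver }

        if (-not $baseline.ContainsKey($name)) {
            $reasons += 'monitor name not in baseline'
        } elseif ($baseline[$name] -ne $driver) {
            $reasons += "unexpected DLL for baseline name ($driver)"
        }

        if (-not (Test-Path -Path $path)) {
            $reasons += "DLL not present on disk ($path)"
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        }
    }

    [pscustomobject]@{
        Monitor    = $name
        Driver     = $driver
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
} | Format-Table -AutoSize
```

Any row marked Suspicious warrants a closer look at the referenced DLL and at the spooler process that would load it; a legitimate third-party printer driver can also appear here, so the baseline should be extended rather than the finding dismissed.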