Verblecon Malware Loader Used in Stealthy Crypto Mining Attacks
Security researchers are warning of a relatively new malware loader, that they track as Verblecon, which is sufficiently complex and powerful for rannsomware and erespionage attacks, although it is currently used for low-reward attacks.
Verblecon was spotted earlier this year and the known samples enjoy a low detection rate due to the polymorphic nature of the code.
Flying under the radar
Researchers from Symantec, a division of Broadcom Software, discovered Verblecon in January this year and observed it being used in attacks that installed cryptocurrency miners on compromised machines.
Some clues also point to the attacker being interested in stealing access tokens for the Discord chat app, the researchers say, adding that these goals are in contrast with Verblecon’s realistic potential for far more damaging attacks.
The malware is Java-based and its polymorphic nature is what allows it to slip into compromised systems, in many cases undetected.
“The fact that the file is polymorphic means that, due to encryption and obfuscation, the code of the malware payload looks different each time it is downloaded. Attackers generally pack malware in this way in an effort to evade detection by security software” – Symantec, a division of Broadcom Software
A look at five Verblecon samples that the researchers analyzed shows that many of the antivirus engines on VirusTotal do not flag them as malicious.
The oldest sample, for instance, was added to the database on October 16, 2021 – prior to its discovery by Symantec, and is currently detected by nine out of 56 antivirus engines.
Newer Verblecon payloads, though, from late January 2022, are almost completely missed by the antivirus engines on VirusTotal.
Checking for analysis environment
Symantec published a technical breakdown of the malware and its functions, noting that the analyzed samples “were fully obfuscated, in the code flow, strings, and symbols,” and that they may be based on code that is publicly available.
Their analysis shows that the malware performs some checks, to determine if it’s running in a virtual environment if it is being debugged.
Next, it fetches the list of running processes that is checked against a predefined catalogue that includes files (executables, dependencies, drivers) related to virtual machine systems.
If all the checks pass, the malware copies itself to a local directory (%ProgramData%, %LOCALAPPDATA%, Users) and creates files to use as a loading point.
According to Symantec’s research, Verblecon periodically tries to connect to one of the domains below, using a domain generation algorithm (DGA) for a more extensive list:
The DGA used is based on the current time and date and includes the string “verble” as a suffix, which is where the malware name comes from.
In the technical report published today, Symantec researchers note that the payload delivered after the initial stage communication with the command and control servers (C2) “is obfuscated in a similar way to the other samples, and also contains similar techniques to detect the virtualization environment.”
According to the analysis, the main function of the payload is to download and execute a binary (.BIN file) that is then decrypted on the infected host and injected into into %Windows%\SysWow64\dllhost.exe for execution.
The researchers say that the end goal of whoever is behind Verblecon deployments is to install cryptocurrency mining software, which is not in tune with the effort required to develop malware of such sophistication.
Additionally, the researchers suspect that the threat actor may also be using it to steal Discord tokens to use them for advertising trojanized video game software.
As per their observations, Verblecon targets non-enterprise machines, which are rarely in the scope of more sophisticated threat actors because of their low profitability.
Symantec says that they are aware of other reports that connected a Verblecon domain to a ransomware attack but they believe this overlap is due to sharing of the infrastructure with an unrelated actor.
The evidence with that incident are inconclusive, though, and similarities are limited to the following:
- the use of “verble” in the domain name
- the downloading of shellcode for execution
- similar obfuscation
The researchers believe that Verblecon is currently used by an actor that does not recognize the full damaging potential of this malware loader
They believe that if more sophisticated cybercriminals get their hands on it they could use it for ransomware and even espionage attacks.
Update [March 29, 09:54 EST]: Article corrected to show that Symantec discovered Verblecon in January 2022, not January 2021, a mistake that appeared in the original research.